Published on December 10th by NIST, the Apache Log4Shell or LogJam, AKA CVE-2021-44228, is a highly critical new vulnerability, ranked the most severe current security risk, as it affects a large number of services due to the popularity of Log4j.
Log4J is a widely used Java-based logging library. Log4Shell is able to create a Remote Code Execution (RCE) by tricking a component of Java applications in web servers into executing commands without the authorization of the administrator and without a valid login to the targeted device/service/site.
As Log4Shell has a high potential for escalation and is actively being exploited, it is critical to rapidly check the exposure of your environment, including the entire potential attack path.
Cymulate provides four critical methodologies to determine if your organization is at risk and to determine if your security controls have the ability to deflect attempted Log4Jam/Log4Shell attacks. This in-depth detection is achieved with a combination of four distinct modules included in the Cymulate Extended Security Posture Management Platform:
Cymulate ASM module simulates the attacker reconnaissance phase. It has already been updated to include the capability to scan for systems/devices vulnerable to this exploit. It uses a branching methodology to discover visible and available systems that can be attacked from the outside world. Discovering these devices allows your security team to locate systems running vulnerable applications and code, even if they are not included in formal inventories, i.e., "Shadow IT" systems running within the organization's environments. This results in a comprehensive discovery of systems that need to be patched/updated and/or further isolated from the outside world until such patching/updating is possible.
Cymulate WAF efficacy testing has been updated to include the ability to safely attempt to perform a Log4Jam/Log4Shell attack without putting systems at risk. By completing a production-safe Log4Shell attack, WAF defenses can be tested to ensure that they recognize the exploits attempted by this vulnerability and adequately stop the traffic from being delivered to the impacted applications and systems. This option is the fastest way to prevent exploits and provide ample time for patching under standard change control windows.
Cymulate can assist with testing for Log4j as it can be part of many systems that are not directly Internet-facing. For example, a known vulnerability in VMWare vCenter can be exploited with a Log4j attack methodology, but many vCenter systems are not accessible from the outside world. Utilizing Cymulate purple-team security validation technology, targeted attack scenarios can be created and customized to determine if Log4j vulnerabilities are exploitable on these internal systems, further strengthening defenses to remove the potential for attack if a threat actor were to gain an internal foothold.
Cymulate ITI has a detection simulation of the first attack discovered that uses Log4Jam/Log4Shell that you can run safely within your environment. This allows you to test anti-malware and network-level download traffic scanners to ensure they recognize the attack binaries. Through its integrations, it also queries Vulnerability Management tools to highlight any devices internally that your Vulnerability Management Platform (such as Tenable, Qualys, or other) has identified.
These four testing methodologies can allow your teams to get a handle on this vulnerability, identify where vulnerable software exists within the organization that is public-facing (purposely or accidentally), test systems that are not internet-facing but use (or may use) the impacted Log4j plugins, and ensure that security controls recognize and adequately handle attack traffic which is being aimed at your organization.
Mike Talon is a Solution Architect living and working in New York City. He’s assisted in disaster recovery and migration, Cloud transformation, and identity and security operations and testing for companies ranging from Mom & Pop retail shops to Fortune 100 global companies. Mike currently works with Cymulate – Breach and Attack Simulation; helping customers find ways to live safely in interesting times.