For IT companies and security teams tasked with upgrading Java applications that contain the vulnerable Log4j library, the hard part is first determining whether they have any affected applications at all.
Problems associated with the Log4j Vulnerability
Any Java application that uses a version of Log4j older than 2.14.1 contains the vulnerability, and because Java is so widely used across the IT sector, the attack surface is large.
Some places to look are obvious, such as Java applications and web application frameworks like Struts. Others are less obvious, such as administrator consoles on hardware devices.
Even if a company's developers are sure they do not use Log4j and rely on an alternative logging library, it is still important to verify that. Even where an official logging standard exists, some teams might have used Log4j on a particular project. Several tools can help with this process.
Tools for Identifying Vulnerable Systems
Many vendors have released tools to help companies identify vulnerable applications and programs, such as the one from Randori. Another comes from Thinkst Canary: users generate a DNS-based token on the Canarytokens interface and embed it in a jndi:ldap string.
That string can be pasted into search bars and other input fields whose contents are parsed by logging libraries. If the program is vulnerable, Canarytokens emails the hostname of the vulnerable server, according to the company.
Thinkst Canary on Twitter says, “We see this as a quick hack to help defenders through some pain.”
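Canarytokens confirm exposure from the outside in; the complementary inside-out check is an inventory of the Java archives actually deployed. The following is an added example, not code from the article or from any of the vendors it names. It walks a directory tree, opens every JAR/WAR/EAR (including archives nested inside archives), reads the log4j-core version from its Maven pom.properties and checks whether the JndiLookup class is still present. The sample archives it builds are constructed for the demonstration; the fixed-version threshold is a parameter, set here to 2.15.0 because that is the first log4j-core release that stops resolving JNDI lookups in log messages.

```python
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Optional

# Well-known locations inside a log4j-core archive.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Assumption for this example: releases below 2.15.0 still resolve JNDI
# lookups found in log messages; adjust to the advisory you follow.
MIN_FIXED_VERSION = "2.15.0"


@dataclass
class Finding:
    location: str            # outer file path plus nested entry names, joined by "!"
    version: Optional[str]   # None when pom.properties is missing
    has_jndi_lookup: bool
    vulnerable: bool


def parse_version(v):
    """'2.14.1' -> (2, 14, 1); a suffix such as '-beta9' is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0])[:3])


def is_below_fixed(version, fixed=MIN_FIXED_VERSION):
    return parse_version(version) < parse_version(fixed)


def _read_version(zf):
    try:
        data = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^version=(.+)$", data, re.M)
    return m.group(1).strip() if m else None


def scan_bytes(blob, location, out):
    """Inspect one archive held in memory and recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = _read_version(zf)
        has_jndi = JNDI_CLASS in names
        if version is not None or has_jndi:
            # A stripped JndiLookup class (the common hot-fix) is not flagged;
            # an unknown version that still ships the class is treated as exposed.
            vuln = has_jndi and (version is None or is_below_fixed(version))
            out.append(Finding(location, version, has_jndi, vuln))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                scan_bytes(zf.read(name), f"{location}!{name}", out)


def scan_path(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                p = os.path.join(dirpath, f)
                with open(p, "rb") as fh:
                    scan_bytes(fh.read(), p, findings)
    return sorted(findings, key=lambda x: x.location)


def _make_log4j_core(version, include_jndi=True):
    """Build a constructed stand-in for a log4j-core JAR (not a real library)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes only
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed inventory: a WAR bundling an old log4j-core, a patched JAR, a stripped JAR."""
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _make_log4j_core("2.14.1"))
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(_make_log4j_core("2.17.1"))
    with open(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "wb") as fh:
        fh.write(_make_log4j_core("2.14.1", include_jndi=False))


def demo():
    """Scan the constructed tree; returns (location, version, vulnerable) tuples."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(f.location.replace(root, "<root>"), f.version, f.vulnerable)
                for f in scan_path(root)]


if __name__ == "__main__":
    for loc, ver, vuln in demo():
        print(f"{'VULNERABLE' if vuln else 'ok        '} {ver or '?':8} {loc}")
```

Run it against a real deployment root instead of the constructed tree by calling scan_path directly; nested archives are the case that simple filename matching misses, which is why the scanner recurses rather than trusting the outer JAR's name.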
Another tool, ThreatMapper, is an open-source cloud security observability platform from Deepfence. It scans for vulnerabilities and ranks them by the risk of exploitation at runtime.
Security teams can see which workloads are affected by the Log4j vulnerability and which are at greatest risk of exploitation. The list includes virtual machines and pods exposed to the internet; those are the systems teams need to patch first, says Deepfence.
Deepfence CEO Sandeep Lahane says, “ThreatMapper helps organizations narrow down from potentially hundreds of nodes to be patched to a handful which might be one or two hops away from the Internet and need fixing immediately.”
Restricting Egress Traffic
Something firms can do while they are still investigating is to use firewall rules to block suspicious egress traffic, says Bugcrowd CEO Casey Ellis. He adds, “When the first stage of Log4Shell is triggered, this triggers a lookup to an attacker-controlled server.”
That lookup, which retrieves the second-stage Java payload or exfiltrates sensitive information, can use any of several JNDI-supported protocols, including LDAP and DNS. Those are the protocols to watch.
Ellis also says, “Blocking systems with Log4J on them from egressing a network in this way mitigates retrieval of the second stage and limits the potential for data exfiltration via successful first-stage execution.
We’ve seen both bounty hunters and malicious attackers using DNS as the preferred mechanism for data exfiltration, as DNS egress from a network is very rarely blocked. It is either allowed to pass through a firewall or is passed forward by resolvers.”
There are very few legitimate conditions under which LDAP traffic should leave the network, so blocking that traffic ensures such attacks are blocked.