In the rush, did we miss something?

Roland Daccache, Systems Engineer Manager MEA, CrowdStrike.

More than a month after the initial announcement of the vulnerability impacting Log4j on December 9, 2021, there are still medium- and long-term consequences to be considered.

Log4j is an open-source Java logging library that is widely used in a range of software applications and services around the world. The vulnerability can allow threat actors to take control of any Java-based, Internet-facing server and engage in remote code execution attacks.

Most login screens audit failed login attempts, so virtually every authenticated page that logs those attempts through Log4j is vulnerable. Site search bars are also often logged and expose systems to the flaw in the same way.

Exploiting the flaw is fairly trivial. An attacker can exploit the vulnerability by simply sending a malicious code string that gets logged by Log4j. At that point, the exploit will allow the attacker to load arbitrary Java code and take control of the server.


Reaction from Roland Daccache, Systems Engineer Manager MEA, CrowdStrike.


According to a recent global security attitude survey, supply chain attacks constitute a unique headache for security leaders. A staggering 63% of respondents said their organisation is facing a crisis of trust in legacy IT vendors, such as Microsoft, due to frequent security incidents.

Only 36% believe they have been able to vet new and existing suppliers for security purposes in the last 12 months.

While at this stage a comprehensive security strategy is hard to achieve, CrowdStrike advises organisations to reduce internal friction and accelerate the process of patching and hardening.

CrowdStrike also advises improving the visibility and detection across all IT infrastructure and keeping the conversation going with vendors. Vendors need to shoulder part of the responsibility and it is not possible for companies to perform the due diligence fully on their own.

Throughout recent Internet history we have had open-source code libraries with vulnerabilities of a globally disruptive level, such as Heartbleed, Shellshock and most recently Log4j. What makes the latest Log4j vulnerability so concerning is that it is so ubiquitous and embedded in a countless list of customers’ applications and environments. If exploited, this software can provide damaging access to customers’ infrastructure with just a few lines of code.

From the open-source developer community, CrowdStrike needs security to be incorporated into the early stages of software creation and maintained throughout the software lifecycle. However, to be fair, some software is beyond its shelf life and maintenance has become expensive over the years. The best way out of this would be to have active global software alliances that look into the security of older code and provide adequate funding for it.

CrowdStrike has spoken to CISOs who are up in arms because of the recent security incidents and disclosed vulnerabilities that go beyond their ability to control, with the amount of budget and resources available at their disposal. It does not help the case that most exploitable vulnerabilities are coming from the sources that they need to rely on most.

The threat landscape is increasingly complex, and organisations are held back by legacy software that often cannot be upgraded. The boards of organisations need to step up their game, making sure digital infrastructure is maintained and regularly updated.

Another step to achieve is investment in detection and response capabilities across all assets (cloud, on-premises and SaaS), as well as the selection of reliable security partners to alleviate the problem and accelerate the time to respond to incidents. A strategy that includes logging every activity in the environment and segmenting the network and identity stores into a zero-trust model would go a long way.

The latest Log4j vulnerability has been a stark reminder that one vulnerable application can jeopardise even the most advanced digital infrastructures, a real-world Achilles’ heel. Providers of common software, cloud infrastructure and SaaS applications need to shoulder responsibility with their customers, since they own and maintain the code and the infrastructure that hosts it.

CrowdStrike cannot realistically ask organisations to perform full due diligence and vetting of software that they consume.


Snapshot

  • 63% of respondents said their organisation is facing a crisis of trust in legacy IT vendors, due to frequent security incidents.
  • CrowdStrike advises improving visibility and detection across all IT infrastructure and keeping the conversation going with vendors.
  • Vendors need to shoulder part of the responsibility and it is not possible for companies to perform the due diligence fully on their own.
  • Security needs to be incorporated into early stages of software creation and maintained throughout the lifecycle.
  • CISOs are up in arms because of recent security incidents and disclosed vulnerabilities that go beyond their ability to control.
  • It does not help the case that most exploitable vulnerabilities are coming from sources they need to rely on most.
  • The threat landscape is increasingly complex, and organisations are held back by legacy software that often cannot be upgraded.
  • The Board needs to step up its game, making sure digital infrastructure is maintained and regularly updated.
  • The latest Log4j vulnerability has been a stark reminder that one vulnerable application can jeopardise the most advanced digital infrastructures.
  • Providers of common software and SaaS applications need to shoulder responsibility with their customers, since they own and maintain the code and the infrastructure that hosts it.

Reaction from Glen Pendley, Deputy CTO, Tenable.

Glen Pendley, Deputy CTO, Tenable.

Apache Log4j shines a bright light on the risky but necessary practice of relying on open-source code libraries to build enterprise-scale applications. Many organisations around the world rely on open-source libraries as a key element in their ability to bring applications to market quickly. Yet, these libraries often stop short of a security-first approach. This dependence on what is effectively a wild, wild west of code libraries will continue to leave organisations vulnerable until time and resources are invested to make them more secure.

It is becoming increasingly important for CISOs to have line of sight into not only the Software Bill of Materials for the software their own organisation is writing, but also for the software they are buying from vendors. Whether it is managed or hosted, there is inherent risk introduced into your environment based on the decisions other people have made when building their services.

The impact from this vulnerability is quite profound. It is included in a number of business-critical applications and used by a number of cloud services. Exploitation is straightforward, and attackers have plenty of publicly available proof-of-concept exploit code at their disposal. The fact that it has come to light means we are in a race to find and fix it before bad actors take full advantage of it.

For organisations’ security teams, it is about identifying what in their infrastructure, systems and applications is impacted by this vulnerability, and either patching or taking remedial measures that limit the impact if threat actors try to exploit this flaw.

We are aware that attackers are scanning for vulnerable servers and, so far, we have seen a number of different exploits, everything from ransomware to DoS attacks, and we anticipate that this malicious activity will continue to ramp up in the coming weeks and months.

Everyone is impacted because it is so ubiquitous. It really does touch so many different types of software and services. Unlike most vulnerabilities, which typically require a specific attack vector and criteria to be in place to be able to take advantage of, this vulnerability is extremely simple to exploit. There are so many different ways you could potentially exploit it that it makes it extremely difficult to try and protect yourself against it.

The best bet for anyone is to try to identify where the vulnerability sits in your environment and work to patch it as fast as possible.


Snapshot

  • Organisations around the world rely on open-source libraries to bring applications to market quickly.
  • These libraries stop short of a security-first approach.
  • This dependence on what is effectively a wild, wild west of code libraries will continue to leave organisations vulnerable.
  • CISOs must have line of sight into the Software Bill of Materials for their own organisation, and also for the software they are buying from vendors.
  • Managed or hosted, there is risk introduced into your environment based on decisions other people have made when building their services.
  • It is about identifying what in their infrastructure is impacted by this vulnerability, and taking remedial measures that limit the impact.
  • Everyone is impacted because it is so ubiquitous and touches so many different types of software and services.

Providers of software and cloud need to shoulder responsibility with customers, since they own the code and the infrastructure that hosts it.
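Finding where log4j-core sits, as both reactions urge, is an inventory problem before it is a patching one. The scanner below is an added example, not code from the article, CrowdStrike or Tenable; it assumes the artifact can be recognised from its jar manifest's Bundle-SymbolicName or Implementation-Title (a heuristic of this example), reads the declared version, recurses into jars embedded in WAR/EAR files, and leaves the comparison against fixed versions to the operator and the vendor advisories.

```python
import io, pathlib, tempfile, zipfile
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def parse_manifest(data: bytes) -> dict:
    # MANIFEST.MF is "Key: value" per line; wrapped continuation lines are not reassembled.
    pairs = (ln.split(":", 1) for ln in data.decode("utf-8", "replace").splitlines() if ":" in ln)
    return {k.strip(): v.strip() for k, v in pairs}

def inspect_archive(src, label: str, findings: list) -> None:
    # src is a filesystem path or in-memory bytes (for nested archives). Record the
    # archive if its own manifest names log4j-core, then recurse into embedded jars.
    try:
        zf = zipfile.ZipFile(src if isinstance(src, str) else io.BytesIO(src))
    except zipfile.BadZipFile:
        return  # not a real archive despite the extension
    with zf:
        if "META-INF/MANIFEST.MF" in zf.namelist():
            m = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
            name = (m.get("Bundle-SymbolicName") or m.get("Implementation-Title") or "").lower()
            if "log4j" in name and "core" in name:
                findings.append((label, m.get("Implementation-Version", "unknown")))
        for info in zf.infolist():
            if info.filename.lower().endswith(ARCHIVE_EXTS):
                inspect_archive(zf.read(info), f"{label}!/{info.filename}", findings)

def scan(root: str) -> list:
    findings = []
    for p in pathlib.Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_EXTS:
            inspect_archive(str(p), str(p), findings)
    return findings

def _jar(symbolic_name: str, version: str) -> bytes:
    # Constructed minimal jar: a manifest only, which is all the scanner reads.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nBundle-SymbolicName: {symbolic_name}\nImplementation-Version: {version}\n")
    return buf.getvalue()

def demo() -> list:
    # Constructed sample tree: a loose log4j-core jar declaring 2.14.1, and a WAR embedding
    # log4j-core 2.17.1 plus log4j-api (which must not be reported). Versions are sample values.
    root = pathlib.Path(tempfile.mkdtemp())
    (root / "lib").mkdir()
    (root / "lib" / "log4j-core.jar").write_bytes(_jar("org.apache.logging.log4j.core", "2.14.1"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", _jar("org.apache.logging.log4j.core", "2.17.1"))
        z.writestr("WEB-INF/lib/log4j-api-2.17.1.jar", _jar("org.apache.logging.log4j", "2.17.1"))
    (root / "app.war").write_bytes(war.getvalue())
    return sorted(scan(str(root)))
```

Point `scan()` at an application root and the labels show the nesting path (`app.war!/WEB-INF/lib/...`), which is where copies bundled by a vendor usually hide.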
