Endpoint detection and response (EDR) can only take you so far in identifying Log4j exploit attempts. Here’s why dynamic checks are needed to uncover vulnerable versions of Log4j.
When the Log4j vulnerability was disclosed at the tail end of 2021, it caused many IT teams to put down their well-earned eggnog and cast a concerned look at their environment. Unfortunately, understanding what was vulnerable to this newly disclosed flaw was far more difficult than simply pulling an accurate inventory of Log4j instances, with the troublesome library often harder to track down than a PlayStation 5.
Using an endpoint agent, for example endpoint detection and response (EDR), or a credentialed scan to identify Log4j instances will only get you so far. Like many Java libraries, Log4j is often bundled into “Fat Jars” (Jar files that include all external dependencies) or inserted directly into the source code as a way of shading the library versions to lessen the probability of conflicts. Simply asking “Do you have Log4j installed?” isn’t going to give you a very clear understanding of where you’re vulnerable.
But “EDR will block attempts to exploit Log4j!” I hear you all cry out in delight. Not so fast. An attacker could easily stay within the Java Virtual Machine (JVM), away from the prying eyes of the EDR process monitors, and simply blocking outbound connections from a server is going to end badly. The idea of hiding nefarious activity within the Java virtual machine isn’t new, but all the top EDR vendors have been slow to address this rather large chink in their armor. EDR can stop breaches (as long as they’re not Java based).
In order to deal with the Log4j detection issue, Tenable released a whole new approach to assessment within hours of the legendary flaw being announced. Put simply, our dynamic checks fired a Java Naming and Directory Interface (JNDI) query into targets that instructed any systems vulnerable to Log4j to send a unique token to a Tenable hosted system that the scanner could look up to see if a message had been received. This approach ensured we’d be able to more easily uncover vulnerable versions of Log4j across a multitude of ports and protocols, because the only tokens being sent would be from those systems that had the flawed library somewhere within the stack or application code.
And we saw a lot of those unique tokens being sent to Tenable. Days after disclosure, we were seeing over 1,400 new tokens EVERY SECOND, and one in 10 assets assessed by Tenable was vulnerable.
In the case of Log4j, a false negative could mean a system is left vulnerable due to a poor assessment. Relying on endpoint detection to block exploitation is nowhere near enough of a defense, leading to a surefire foothold for any enterprising attacker. Tenable is investing significant effort in ensuring we continue to lead the market in detecting Log4Shell across the ever growing list of applications and protocols that are vulnerable.
Regardless of your motivations (attacker or defender), you need to know the ports, hosts and services available within a network.
From a defender’s point of view, the task is a precondition of several key procedures:
Asset Management – whoever manages the infrastructure (and its security) must know which devices are active and present within it. Furthermore, it helps to detect unauthorized hosts that could derive from malicious activity (or, more commonly, from system administrators who forgot to document them… and perhaps to apply the company’s hardening procedures).
Network scanning is a fundamental step of a company’s vulnerability management procedure. Here is a non-comprehensive list of its possible benefits:
it allows the detection of unauthorized services and the presence of obsolete systems;
it helps to verify the correspondence between the specifications document and the actual implementation;
it helps to verify the correct application of the hardening procedures.
Penetration test – regardless of the approach in use, it is necessary to determine the active hosts and the exposed services. You have to do it even in a white-box penetration test, to confirm your client’s or colleagues’ inputs.
From an attacker point of view… Well, that goes without saying 🙂
The network scanning procedure aims to identify active hosts. Port scanning, on the other hand, seeks to detect the ports that hosts expose and with which it is possible to interact. Starting from the output of a network/port scan, an attacker, or a newly hired CISO, can outline different traits of a company’s security posture.
In these articles we will see:
the different steps of a network scan;
some examples with the NMAP tool.
Host discovery
Port scanning involves sending several packets to the host and verifying its response. Usually, the analysis is restricted to the 1024 most common ports (it depends on the available time and the final goal of the analysis). As you may expect, performing this task for all the hosts within a network/infrastructure is time-consuming and generates a lot of noise.
In most cases, only a tiny fraction of IP addresses are active at any given moment. To avoid wasting time, the tester first performs the host discovery phase to determine the active hosts in the tested networks and infrastructure.
There are several techniques:
ARP Ping scan;
ICMP Ping scan;
UDP Ping Scan;
TCP SYN/ACK Ping scan;
IP Protocol Ping scan.
As stated in the official documentation, the default NMAP host discovery strategy involves sending an ICMP echo request (-PE), a TCP SYN segment to port 443 (-PS443), a TCP ACK segment to port 80 (-PA80), and an ICMP timestamp request (-PP).
ARP ping scans are the most effective method to detect active hosts inside a LAN. Their limit is that the technique cannot be applied to a subnet the scanner does not belong to. Even if you supply other -P* options to NMAP, the tool by default performs an ARP/Neighbor Discovery against targets on a local Ethernet network, since it is the fastest and most reliable technique.
An ICMP scan consists of sending ICMP echo requests to hosts on the network. If a host is active, it returns an ICMP echo reply. The technique has limited usability, as blocking ICMP requests is part of the basic hardening rules for firewalls and systems.
A TCP scan consists of sending TCP segments to the hosts and analysing their responses. There are two different modes: TCP SYN Ping scan and TCP ACK Ping scan.
As illustrated in the figure, a TCP Syn ping scan consists of the following steps:
The tester sends a TCP SYN segment to port 80.
If the port is closed, the host responds with an RST segment.
If the port is open, the host responds with a TCP SYN/ACK segment indicating that a connection can be established.
Afterwards, an RST segment is sent to reset this connection.
Since it is a normal attempt to establish a TCP connection, traffic is not blocked by firewalls and does not require administrator permissions.
A TCP ACK ping scan instead consists of the following steps:
The tester sends an empty TCP segment with the ACK flag set to port 80 (the nmap default port, but another port can be used).
If the host is offline, it should not respond to this request.
Otherwise, it will return an RST segment and will be treated as online. An RST is sent because the TCP ACK is not associated with any valid existing connection.
ACK Ping Scan requires administrator privileges. Since it is recognized and blocked by a stateful firewall, its main goal is to get information about the filter configurations, not port status.
Port Scan
Once the active hosts within a network have been determined, a port scan can be performed to determine exposed ports and services.
Several techniques are available:
TCP Scan (Connect and Half Open Scan);
UDP Scanning;
SCTP Scanning;
SSDP Scanning.
Only the first two strategies will be considered. Please see the NMAP manual for additional information on SCTP and SSDP Scanning.
TCP Scan
With a TCP Connect scan, a TCP connection is established with the host. That is, the whole 3-way handshake is performed.
The least expensive and best-performing variant, the TCP Half Open scan (TCP SYN scan), sends only the SYN segment. If a SYN/ACK segment is received, the port is identified as open; in case of an RST, the port is judged closed.
A third family, the TCP FIN, NULL and Xmas scans, manipulates the flags of the TCP segment (FIN, URG, PSH, or no flags at all) in an attempt to induce a response from the server.
The technique works only against operating systems whose TCP/IP implementation complies with RFC 793. For example, it does not work against Windows systems, as these return an RST in both cases.
SEGMENT ARRIVES (RFC 793)
If the state is CLOSED (i.e., TCB does not exist) then all data in the incoming segment is discarded. An incoming segment containing a RST is discarded. An incoming segment not containing a RST causes a RST to be sent in response. The acknowledgment and sequence field values are selected to make the reset sequence acceptable to the TCP that sent the offending segment.
If the port is open, the system produces no response, while a closed port returns an RST/ACK segment.
To understand the origin of the name, just look at the image below. Nmap’s -sX flag “sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.”
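As an added example (not part of the original article and not NMAP code), the following Python program implements the TCP Connect scan described above with the same decision rule: a completed three-way handshake means the port is open, an RST (surfaced by the socket API as a refused connection) means closed, and silence until the timeout is reported as filtered. It scans a constructed local listener and a deliberately released port on 127.0.0.1, so it runs without any network access.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_tcp_connect(host, port, timeout=1.0):
    """Probe one port with a full three-way handshake (TCP Connect scan).

    connect() returns only after the target answered SYN/ACK and our ACK
    went out, so success means "open". The RST from a closed port surfaces
    as ConnectionRefusedError. Silence until the timeout is "filtered",
    the label nmap uses when a firewall drops the probe.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:          # socket.timeout, host/network unreachable, ...
        return "filtered"
    finally:
        sock.close()


def connect_scan(host, ports, timeout=1.0, workers=16):
    """Scan a list of ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe_tcp_connect(host, p, timeout), ports)
        return dict(zip(ports, states))


def start_listener(host="127.0.0.1"):
    """Constructed target for the demo: a throwaway listener on an ephemeral
    port that accepts and immediately closes connections. Returns (sock, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed -> stop serving
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port(host="127.0.0.1"):
    """Reserve and immediately release an ephemeral port, so it is known closed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Scan one open and one closed port on localhost; returns {port: state}."""
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        return connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, state in sorted(demo().items()):
        print(f"127.0.0.1:{port} {state}")
```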
UDP scan
A UDP exchange does not involve a handshake. If a UDP packet is sent to a port on which no service is listening, the system responds with an ICMP Port Unreachable message. In case of no answer, the port can be considered closed or filtered.
Countermeasures
To detect and prevent network scanning attempts, we suggest the following countermeasures:
carefully design your services to reduce your attack surface, exposing only the necessary services and always keeping in mind the principles of least privilege and need-to-know;
configure your firewalls to block all traffic that has no business justification;
periodically review your firewall ruleset to keep it aligned with your business needs;
harden your servers, disabling all unused services;
perform network and port scans to ensure your firewall/server policies are aligned with your business needs;
configure an IDS/IPS to promptly detect network and port scans.
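The last countermeasure, detecting port scans and host sweeps, comes down to counting distinct targets per source inside a time window. As an added example (not from the original article or any IDS product), here is a small sliding-window detector in Python run over constructed netfilter-style drop logs; the log format, addresses and thresholds are assumptions chosen for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Netfilter-style log line (assumed format); only the needed fields are captured.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])


def detect_scans(lines, window=timedelta(seconds=60), threshold=10):
    """Sliding-window scan detector over dropped-packet firewall logs.

    port_scan:  one source probes >= threshold distinct ports on one host
                inside the window (the article's port scan).
    host_sweep: one source probes one port on >= threshold distinct hosts
                inside the window (host discovery across a subnet).
    Each (kind, source, target) fires once, when it first crosses the
    threshold. Returns a list of (kind, src, dst_or_port, count).
    """
    by_target = defaultdict(deque)  # (src, dst)   -> deque[(ts, dport)]
    by_port = defaultdict(deque)    # (src, dport) -> deque[(ts, dst)]
    alerts, fired = [], set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, src, dst, dpt = ev
        checks = (("port_scan", by_target, (src, dst), dpt),
                  ("host_sweep", by_port, (src, dpt), dst))
        for kind, table, key, value in checks:
            q = table[key]
            q.append((ts, value))
            while q and ts - q[0][0] > window:  # expire events outside the window
                q.popleft()
            distinct = {v for _, v in q}
            if len(distinct) >= threshold and (kind, key) not in fired:
                fired.add((kind, key))
                alerts.append((kind, src, key[1], len(distinct)))
    return alerts


def build_sample_log():
    """Constructed log lines (not from a real network) covering four cases."""
    t0 = datetime(2022, 2, 15, 9, 0, 0)
    fmt = "{ts} fw kernel: DROP IN=eth0 SRC={src} DST={dst} PROTO=TCP SPT=40000 DPT={dpt} SYN"
    lines = []
    for i in range(15):  # vertical port scan: 15 ports on one host in 15 s
        lines.append(fmt.format(ts=(t0 + timedelta(seconds=i)).isoformat(),
                                src="192.0.2.10", dst="198.51.100.5", dpt=20 + i))
    for i in range(12):  # horizontal sweep: port 22 on 12 hosts in 12 s
        lines.append(fmt.format(ts=(t0 + timedelta(seconds=i)).isoformat(),
                                src="192.0.2.30", dst=f"198.51.100.{20 + i}", dpt=22))
    for i in range(20):  # benign: one client retrying 443 on one host
        lines.append(fmt.format(ts=(t0 + timedelta(seconds=i)).isoformat(),
                                src="192.0.2.20", dst="198.51.100.5", dpt=443))
    for i in range(8):   # slow scan: 8 ports spread over ~9 min, under threshold
        lines.append(fmt.format(ts=(t0 + timedelta(seconds=80 * i)).isoformat(),
                                src="192.0.2.40", dst="198.51.100.5", dpt=1000 + i))
    return sorted(lines)  # ISO timestamps sort chronologically


if __name__ == "__main__":
    for kind, src, target, count in detect_scans(build_sample_log()):
        print(f"{kind}: {src} -> {target} ({count} distinct within 60 s)")
```

The slow scan case shows the detector's blind spot: probes spaced wider than the window never accumulate, so a window and threshold must be tuned against the environment's normal traffic.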
A vulnerability has been discovered in Apple Products, which could allow for arbitrary code execution if a user views a specially crafted web page.
iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.
iPadOS is the successor to iOS 12 and is a mobile operating system for iPads.
macOS Monterey is the 18th and current major release of macOS.
Safari is a graphical web browser developed by Apple.
Successful exploitation of this vulnerability could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the permission associated with the application running the exploit, an attacker could then install programs; view, change, or delete data.
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.
Multiple vulnerabilities have been discovered in SAP products, the most severe of which (CVE-2022-22536) could allow for remote code execution. SAP is a software company which creates software to manage business operations and customer relations. Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated, remote attacker to execute code on the affected systems. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Applications configured to have fewer restrictions on the system could be less impacted than those who operate with elevated privileges.
SAP and Onapsis Research Labs collaborate to disclose three critical vulnerabilities impacting SAP NetWeaver Application Servers. The most severe of the three could lead to full system takeover.
Background
On February 8, SAP disclosed several vulnerabilities in the Internet Communication Manager (ICM), a critical component of its NetWeaver Application Servers, in coordination with security researchers at Onapsis who discovered the flaws. SAP and Onapsis have both released write-ups regarding their partnership to discover and patch these flaws. The Cybersecurity and Infrastructure Security Agency also issued an immediate warning about these vulnerabilities, stating that exploitation could result in disrupted operations, data theft, fraud and ransomware attacks.
SAP Netweaver is an application and integration server that acts as the software stack for most of SAP’s applications, including solutions for critical business functions such as enterprise resource planning, customer relationship management and supply chain management.
Analysis
Onapsis Research Labs discovered three critical vulnerabilities in the ICM component of SAP applications. According to the Onapsis Threat Report, the vulnerable ICM component is “present in most SAP products and is a critical part of the overall SAP technology stack,” making these vulnerabilities a major concern for enterprises that deploy SAP products. Because this component connects SAP applications to the internet, it is exposed by default in most deployments.
CVE-2022-22536 is a memory pipes (MPI) desynchronization vulnerability that received the highest CVSSv3 score of 10.0. Onapsis has named this flaw ICMAD for Internet Communication Manager Advanced Desync. An unauthenticated remote attacker could exploit the vulnerability using a simple HTTP request and achieve full system takeover. In addition to being the most critical, CVE-2022-22536 also has the widest effect of all three vulnerabilities, impacting SAP NetWeaver Java or ABAP applications with default configurations.
CVE-2022-22532 is an HTTP request smuggling vulnerability in the ICM component according to SAP. However, Onapsis lists it as a use-after-free vulnerability. This vulnerability only exists in SAP NetWeaver Java systems. It received a CVSSv3 score of 8.1 and does not require authentication or user interaction to exploit. According to the Onapsis report, certain “more complex [exploit] scenarios” could lead to remote code execution.
CVE-2022-22533 is a memory leak in memory pipe management that could lead to denial of service. It also only affects SAP Application Server Java systems and received a CVSSv3 score of 7.5. An attacker could exploit this flaw using specially crafted HTTP(S) requests to consume all MPI resources.
Proof of concept
Onapsis Research Labs published a scanner script on GitHub for organizations to detect if their SAP instances are vulnerable to CVE-2022-22536. The readme file for the scanner does caution that this script is a best effort attempt at identifying vulnerable instances and cannot provide 100% accuracy.
Solution
As part of its monthly Security Patch Day, SAP published HotNews Security Notes 3123396 and 3123427 (login required) to address CVE-2022-22536 and CVE-2022-22532. The table below lists the SAP products patched. CVE-2022-22533 is not currently listed on the February 2022 Patch Day page.
CVE | Description | Products
CVE-2022-22536 | Memory Pipe Desynchronization | SAP Web Dispatcher, Versions: 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87; SAP Content Server, Version: 7.53; SAP NetWeaver and ABAP Platform, Version: KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49
CVE-2022-22532 | HTTP Request Smuggling/Use After Free | SAP NetWeaver Application Server Java, Versions: KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.
Multiple vulnerabilities have been discovered in Mozilla Firefox and Firefox Extended Support Release (ESR), the most severe of which could allow for arbitrary code execution.
Mozilla Firefox is a web browser used to access the Internet.
Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Nessus leverages third-party software to help provide underlying functionality. One of the third-party components (Expat) was found to contain vulnerabilities, and an updated version has been made available by the provider.
Out of caution and in line with best practice, Tenable has opted to upgrade the Expat component to address the potential impact of the issue. Nessus 10.1.1 and Nessus 8.15.3 update Expat to version 2.4.4 to address the identified vulnerability.
Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for Arbitrary Code Execution.
Premiere Rush is a video editor.
Illustrator is a vector graphics editor and design program.
Photoshop is a graphics editor.
Adobe After Effects is a digital visual effects, motion graphics, and compositing application.
Creative Cloud is a cloud service provided by Adobe where its software can be accessed all in one place.
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Microsoft addresses 48 CVEs in its February 2022 Patch Tuesday release, including one zero-day vulnerability that was publicly disclosed, but not exploited in the wild.
0 Critical | 48 Important | 0 Moderate | 0 Low
Microsoft patched 48 CVEs in the February 2022 Patch Tuesday release, with all 48 rated as important and none rated as critical.
This month’s update includes patches for:
Azure Data Explorer
Kestrel Web Server
Microsoft Dynamics
Microsoft Dynamics GP
Microsoft Edge (Chromium-based)
Microsoft Office
Microsoft Office Excel
Microsoft Office Outlook
Microsoft Office SharePoint
Microsoft Office Visio
Microsoft OneDrive
Microsoft Teams
Microsoft Windows Codecs Library
Power BI
Roaming Security Rights Management Services
Role: DNS Server
Role: Windows Hyper-V
SQL Server
Visual Studio Code
Windows Common Log File System Driver
Windows DWM Core Library
Windows Kernel
Windows Kernel-Mode Drivers
Windows Named Pipe File System
Windows Print Spooler Components
Windows Remote Access Connection Manager
Windows Remote Procedure Call Runtime
Windows User Account Profile
Windows Win32K
Remote code execution (RCE) vulnerabilities and elevation of privilege (EoP) both accounted for 33.3% of the vulnerabilities patched this month.
Important
CVE-2022-21989 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2022-21989 is an EoP vulnerability in the Windows Kernel and the only zero-day vulnerability addressed this month. According to Microsoft’s Exploitability Index rating, this vulnerability is more likely to be exploited; however, it had not been actively exploited at the time this blog was published. The advisory does note that an attacker needs to take additional actions prior to exploitation of this vulnerability, which is reflected by the “High” rating for “Attack Complexity” in the CVSSv3 score of 7.8.
Important
CVE-2022-22005 | Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2022-22005 is an RCE vulnerability in Microsoft SharePoint Server with a CVSSv3 score of 8.8. Microsoft rates this as “exploitation more likely,” however at this time no public proof-of-concept appears to exist. In order to exploit this vulnerability, an attacker would need to be authenticated and have the ability to create pages in SharePoint.
Important
CVE-2022-21999, CVE-2022-22718, CVE-2022-22717 and CVE-2022-21997 | Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2022-21999, CVE-2022-22718, CVE-2022-22717 and CVE-2022-21997 are EoP vulnerabilities in Windows Print Spooler. CVE-2022-21999 and CVE-2022-22718 received CVSSv3 scores of 7.8 and were rated Exploitation More Likely. CVE-2022-22717 (CVSSv3 7.0) and CVE-2022-21997 (CVSSv3 7.1) were rated Less Likely. Discovery of CVE-2022-21999 was credited to Xuefeng Li and Zhiniang Peng of Sangfor at the Tianfu Cup. These are the same researchers who disclosed CVE-2021-34527, kicking off the PrintNightmare saga in June 2021. CVE-2022-21997 was disclosed by Bo Wu and CVE-2022-22717 was credited to Thibault Van Geluwe de Berlaere with Mandiant. As researchers continue to focus their time on discovering flaws in Print Spooler, it is likely that attackers are as well, therefore organizations should apply these updates urgently.
Important
CVE-2022-21996 | Win32k Elevation of Privilege Vulnerability
CVE-2022-21996 is an EoP vulnerability in Microsoft’s Win32k, a core kernel-side driver used in Windows. This vulnerability received a CVSSv3 score of 7.8 and is more likely to be exploited according to Microsoft. This vulnerability is similar to another EoP flaw from January’s Patch Tuesday release, CVE-2022-21882. CVE-2022-21882 has been actively exploited in the wild by threat actors, and the Cybersecurity and Infrastructure Security Agency has added the vulnerability to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to remediate the vulnerability by February 18. Interestingly enough, CVE-2022-21882 is a patch bypass for another vulnerability, CVE-2021-1732, according to RyeLv, one of the researchers credited with reporting the vulnerability to Microsoft.
Important
CVE-2022-22715 | Named Pipe File System Elevation of Privilege Vulnerability
CVE-2022-22715 is an EoP vulnerability in the Named Pipe File System. It is rated as Exploitation More Likely. To exploit this flaw, an attacker would need to have established a presence on the vulnerable system in order to run a specially crafted application. Successful exploitation would allow an attacker to run processes with elevated privileges. The vulnerability is credited to researchers at Kunlun Lab, who participated in the Tianfu Cup, China’s biggest hacking competition.
Tenable Solutions
Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name contains February 2022.
With that filter set, click the plugin families to the left and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:
A list of all the plugins released for Tenable’s February 2022 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.