In December 2021, a vulnerability was discovered in Log4j, a Java logging library. This vulnerability was called Log4Shell. There are ways to protect yourself against this type of vulnerability – in this blog post, we’ll tell you how.
What is Log4Shell?
The Log4Shell vulnerability found in Log4j is an example of what is known as “bad input validation”. A computer program should never trust the input it is given unless it can be absolutely sure that the input comes from a trusted source.
Log4j is a Java library that developers use to print or write data from a program. This is common for debugging, but it is also used to generate audit logs or to write other kinds of information, for example to a file or to the console. Through what Log4j calls “lookups”, whoever supplied the logged data can influence how that data is formatted, what it contains and where it is fetched from. The most serious part is that Log4j can also resolve lookups through JNDI (Java Naming and Directory Interface), so a logged string can make the application contact an external server and process what that server returns.
How can this be used in practice?
There are many ways to exploit this vulnerability. For example, consider a typical authentication page where you enter a username and password. Suppose that, for debugging purposes, the developer of the authentication feature used Log4j to log the username. Instead of a username, the attacker submits a string in JNDI lookup format. Because Log4j resolves the lookup, the attacker can affect the vulnerable system, in the worst case by getting it to execute software such as malware.
How to prevent this type of attack?
There are ways to protect against these kinds of threats. You might think that a firewall protects your network by only allowing certain traffic in. A firewall monitors and filters which packets enter the network and which are blocked, based on its rule configuration. However, if you need to transfer information to or from a security-sensitive network, a firewall should not be the only protection you rely on.
If you handle sensitive or even classified information, you need a viable cross-domain solution that provides secure, filtered two-way communication. The goal is to enforce strict information-level control during transfers and to mitigate cybersecurity threats such as manipulation, data leakage and intrusion. The method to use is a whitelist, also called an allowlist: listing what is allowed, instead of blocking what is known to be bad. An allowlist only needs updating when you need a new feature in the system, so you can schedule updates instead of suddenly having to make an urgent change based on events beyond your control.
Advenica products offer strong segmentation and information-aware validation of data streams. Advenica’s cross-domain solution, ZoneGuard, only allows explicitly configured and authorized data flows and connections and would have blocked the connection to the server with the malicious code. ZoneGuard could also have, due to its knowledge of information property, blocked the JNDI string entered by the attacker and prevented the attack.
ZoneGuard enables tightly controlled two-way filtered information flow supporting third-party controls for enforcing a digitally signed information policy. It uses filters in both directions and information is always checked using full message inspection. The filter can pass information depending on several factors, for example source/destination addresses, file formats, attributes or the presence of a digital signature.
In addition, strong segmentation and true defense in depth should always be applied to protect your critical assets, for example using a data diode. Data diodes are the safe way to protect sensitive systems and confidential data. These are small hardware devices, also known as “one-way security gateways”, that sit between two networks. Working like a check valve, the function of a data diode is to allow all data to pass in the forward direction, while blocking all data in the reverse direction.
A data diode can replicate the parts of your application that you need to expose to the Internet. A successful attack using Log4Shell or other (as yet) unpublished vulnerabilities could negatively impact your web application, but the data diode would very effectively protect your critical information and systems. It prevents bidirectional traffic and thus stops any attempt to communicate back into the sensitive system.
This will not be the last time such an incident occurs. Want to make sure you’re prepared for future threats? Contact us!