Following on the December 2020 revelation of the Solar Winds software supply chain hack by Russian operatives, 2021 was not to be outdone, with December 2021 marking the discovery of Java developers' āown goalā on the global IT/OT infrastructure.
About a decade ago, contributors to release 2 of the Apache Foundationās open source Log4j software thought it would be a neat idea for the message/event logging software to be able to send a log that would also execute code, explains Eric Byres, CTO at aDolus (www.aDolus.com).
āEffectively, the Log4Shell vulnerability in the Log4j library provides a way to bundle a command into a message that looks like an event log, send it to your potential victimās log collector, then initiate a takeover,ā Byres explains. The Log4j vulnerability is of particular concern because its use is extremely widespread, the exploit is trivial, plus itās used in very high level, mission-critical servers. āItās Solar Winds without the Russians,ā Byres adds.
On a positive note, few level-one industrial controllers are likely to be directly compromised by the vulnerability since they donāt do much logging and usually arenāt programmed in Java. But applications at levels two through fourāHMI software on upāare another story entirely.
"At this time, we have not seen the use of Log4Shell resulting in significant intrusions,ā said Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), at a Jan. 10 press briefing. āThis may be the case because sophisticated adversaries have already used this vulnerability to exploit targets, and are just waiting to leverage their new access until network defenders are on a lower alert.ā
Because Log4j is a piece of open-source code that developers routinely embed in a larger piece of application software, its vulnerability has shined new light on the chronic need to better manage software development supply chains. The increasing use of software bills of materials (SBOM), which essentially list all software componentry embedded in a particular application, are an important first step to determining if Log4j is present in an application. āFor a current product, itās relatively straightforward,ā Byres notes. āBut what if itās a product thatās even five years old? Vendors are as blind as the asset owners as to where the bug of the week might be.ā
Further complicating matters from a practical perspective, āThe presence of a vulnerability does not equate to exploitability,ā says Ron Brash, VP of technical research and integrations at aDolus. He estimates that only 10-20% of vulnerabilities are exploitable. āIn order for the vulnerability to be exploitable, the attack packets have to be able to get to it,ā Brash says. āAnd if the vulnerability isnāt exploitable, leave well enough aloneāevery patch is a risk and every change needs to be managed.ā
Ā Ā To help address and manage these issues, aDolus is participating in an industrywide effort to develop application-specific Vulnerability Exploitability eXchange (VEX) documents that complement SBOMs by adding a measure of risk assessment to the unfiltered list of vulnerabilities that the SBOM represents. āThe thought behind VEX is a standard, machine-readable way for vendors to tell their customers which vulnerabilities are actually riskyāand which ones aren't,ā Byres says.
Meanwhile, Brash and Byres recommend that asset owners concerned about the Log4j vulnerability consult their software suppliers to determine if vulnerable versions of the library are included in their applications. If that pursuit proves unproductive, aDolus has already tested many applications for Log4j using AI-assisted methodologies and has generously offered to share its knowledge of what OT applications include Log4jāor scan yours if they havenāt alreadyāfree of charge. Theyāve also established a useful resource page on the Log4j issue at adolus.com/vulnerabilities/log4j/.
Stay vigilant, my friends.