Log4shell Vulnerability: Advisory Notice

Introduction

The world's press has, over the last few days, been reporting a vulnerability that is potentially extremely dangerous to all organizations because of how easily it can be exploited. This vulnerability has been labelled Log4Shell and occurs when a vulnerable logging utility called Log4j is used by an application, service, or system.

Are you vulnerable?

If a system, application, or service has version 2.0 to 2.14 of the Log4j utility on it, that system, application, or service is vulnerable. If it is exposed to the public internet, attackers will try to exploit it.

What are we doing?

When we picked up news of the vulnerability, we contacted the vendors of our software tools to establish whether they were using Log4j. For the few tools that were affected, we immediately took the remediation action outlined in the vendors' advisories so that the vulnerability could not be exploited.

In addition to checking our own network and support tools, we started scanning the client machines we are responsible for maintaining to identify occurrences of the Log4j application. On the limited number of machines identified as having that application, we verified whether it was a vulnerable version. So far, we have not found any client machine we are responsible for to be vulnerable to this attack.

We are also monitoring the information we hold on client networks, and where we suspect there may be vulnerable services, applications, or systems we have advised those clients.

What can you do?

Although we are doing our best to protect ourselves and our clients, we do not always have full visibility of third-party systems, services, or applications such as CCTV, building access control, HVAC systems, etc. These systems may be vulnerable, and we recommend that all our clients contact those third parties to find out whether their systems are vulnerable and what remedial action is required.

If the status is unknown, we recommend that systems are examined for the presence of the Log4j files. This can be done by gaining access to the systems and running simple file-finding commands in Windows or Linux to search the file systems recursively.
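The recursive search described above, written out as an added example (this is illustrative code, not the advisory's own tooling). It walks a directory tree looking for log4j-core JAR files, reads the version from the filename or, where the file has been renamed, from the JAR's META-INF/MANIFEST.MF, and flags anything in the 2.0 to 2.14 range the advisory names. The filename pattern and the assumption that the manifest carries an Implementation-Version line are based on standard Maven-built log4j-core jars; the sample tree it scans is constructed inside the script so it runs offline on Windows or Linux.

```python
"""Recursive search for Log4j 2 core JARs with a version check against the
range named in the advisory (2.0 to 2.14). Illustrative example only; the
filename and manifest conventions are assumptions about Maven-built jars."""
import os
import re
import zipfile
import tempfile

# Matches log4j-core-2.14.1.jar; the version group is optional so that a
# renamed log4j-core.jar is still inspected via its manifest.
JAR_NAME_RE = re.compile(r"^log4j-core(?:-(\d+(?:\.\d+)*))?\.jar$", re.IGNORECASE)
MANIFEST_VER_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.MULTILINE)


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); a non-numeric suffix such as '-beta9' is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def jar_version(path):
    """Version from the filename, otherwise from META-INF/MANIFEST.MF
    (assumed to carry Implementation-Version). None if neither is available."""
    m = JAR_NAME_RE.match(os.path.basename(path))
    if m and m.group(1):
        return parse_version(m.group(1))
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    mv = MANIFEST_VER_RE.search(manifest)
    return parse_version(mv.group(1)) if mv else None


def is_in_advisory_range(version):
    """True for 2.0 <= version < 2.15, i.e. the 2.0 to 2.14 range the advisory names."""
    if version is None or len(version) < 2:
        return False
    return version[0] == 2 and version[1] <= 14


def find_log4j_jars(root):
    """Walk root recursively; return sorted (path, version_tuple_or_None, flagged)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not JAR_NAME_RE.match(name):
                continue
            path = os.path.join(dirpath, name)
            ver = jar_version(path)
            findings.append((path, ver, is_in_advisory_range(ver)))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed test data: three log4j-core jars and one unrelated jar."""
    def write_jar(rel, version):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
    write_jar("app1/lib/log4j-core-2.14.1.jar", "2.14.1")         # in range
    write_jar("app2/WEB-INF/lib/log4j-core-2.17.0.jar", "2.17.0")  # outside range
    write_jar("vendor/renamed/log4j-core.jar", "2.13.3")           # version only in manifest
    with open(os.path.join(base, "app1/lib/log4j-api-2.14.1.jar"), "wb") as f:
        f.write(b"not a core jar")                                  # must be ignored
    return base


def scan_sample_tree():
    """Build the constructed tree in a temp dir, scan it, and return
    (filename, version, flagged) triples so the result can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        return [(os.path.basename(p), v, f)
                for p, v, f in find_log4j_jars(build_sample_tree(tmp))]


if __name__ == "__main__":
    for name, ver, flagged in scan_sample_tree():
        print("%-28s version=%s  %s" % (name, ver, "CHECK" if flagged else "ok"))
```

Point `find_log4j_jars` at a drive root or application directory to scan a real system. Note that this is a filename and manifest check only: applications that bundle the Log4j classes inside a larger archive (an uber-jar or WAR) will not be found by name, so a negative result should be confirmed with the vendor or by inspecting the archive contents.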

Final recommendations

To remediate these and future threats, we recommend the following:

·      All systems, including third-party systems, are patched and maintained at the latest versions of OS and applications.

·      Systems should not be exposed to the internet unless necessary and, if exposed, should be protected by whitelisting those who can access them and by deploying MFA (multi-factor authentication).

·      Outbound traffic should be limited to those systems that require it and only to whitelisted remote systems.

·      Regular vulnerability scanning of exposed systems should be conducted.

·      DNS protection should be deployed on the network perimeter to filter malicious requests through the use of blacklists of known malicious addresses.