Need for Prioritized Remediation of Log4Shell Vulnerabilities Will Remain Critical; Mozilla Advances Browser Global Privacy Control; Patching Needed for Critical Vulnerabilities Across Apple iOS and iPadOS Devices

CVE-2021-44228, or log4shell as the vulnerability has been named, has kept us all pretty busy this weekend. We have only seen the beginning of what will be a vast effort to protect from this vulnerability. Most attacks are currently attempting to very simply “spray” the exploit string into frequently logged fields. Over time, attackers will get better at targeting specific software packages. We have seen a bit of this with VMware vCenter. Affected security tools present a huge target attackers will not miss to exploit. Dealing with log4shell, make sure to preserve your notes. History has shown that once a high profile vulnerability like this is found, people will look for similar issues in other tools, and also take a deeper look at the affected library. JNDI is not unique to log4j and a well-known issue. Another "lesson learned" of this still evolving incident: Secure configurations matter. The vulnerability may be mitigated by disabling the risky JNDI feature, and it looks like log4j will start shipping with it disabled by default. But for now: patch... patch... patch...

Johannes Ullrich

If you’re using Log4J 1.x, it is no longer supported, and you need to move to Log4j 2. Update to at least Log4J 2.16. Even so, you need to take actions to ensure you’re secure. Enumerate your externally facing devices with log4j installed, make sure your SOC is monitoring all the alerts from them and configure a WAF to reduce the attack surface and volume of alerts. If you have applications developed in Java and you have been contemplating migrating them to another technology you may want to execute that plan, particularly if you no longer have your Java expertise.

Lee Neely

What makes this vulnerability so unique is just how ubiquitous it is (if your system, application or device is logging it could be vulnerable) but what is also unique is the attack surface. For this attack you are not remotely connecting to a specific port for a specific application, instead you are attacking any input that logs that input, such as connections to a Webserver, email filtering, etc. For an excellent overview of the attack and defenses, check out the webcast by SANS and instructors. https://www.youtube.com/watch?v=oC2PZB5D3Ys

Lance Spitzner

When Log4j was introduced, it provided visibility and logging capabilities to our Java applications and services which we all leveraged and it is now included in many packages and distributions, meaning you’re going to have to work to make sure that it’s updated everywhere, particularly where embedded and you’re reliant on a third-party update. You need to take active steps to monitor and protect yourself, as well as verify you’re not already compromised. When you’re done updating, don’t turn off the monitoring.

Lee Neely

It’s also important to note that if you scan for this vulnerability and discover your system is patched, make sure it was you who applied that patch. Criminals are known to patch systems they compromise to prevent others from doing the same.

Brian Honan

Consumer demand for increased privacy online is becoming more important to many businesses than regulatory pressure. Many software architects at consumer-facing software companies are seeing support for privacy as one of their high priority product requirements, not something security or legal teams are jamming in. As browser software vendors, Google and Mozilla are the initial touchpoint for those demands from consumers and they are both doing a good job of raising the bar on protecting users and their data.

John Pescatore

This allows the browser to send a GPC opt-out signal to the far-end web site, but that web site has to have implemented code to respond to that signal, which is unlikely in areas where the legislation doesn’t apply. (E.g., not in California, Colorado, or the EU.) As this control expects the web server to have implemented controls, even when we see widespread adoption of response to GPC signals, it’s not clear this will truly be effective privacy control.

Lee Neely

The iOS, iPadOS, watchOS, tvOS and HomePod updates fix numerous RCE, Information Disclosure and Privilege Escalation flaws. You’ll want to push this out before the holidays. The new iOS App Privacy Report (in settings under Privacy) shows which apps are accessing which sensitive items like photos, contacts, and location as well as network activity. Use this to make sure that you don’t have untended access and adjust permissions accordingly. The communication safety settings are under the Screen Time settings group and can be controlled via a separate passcode. Screen Time settings can also be shared across devices. The service is, by default, not enabled.

Lee Neely

While well intentioned, the "communication safety" mechanism is likely to produce unintended consequences.

William Hugh Murray

I am always fascinated by what is done with an exploit. One hopes you’d detect the impact of a crypto miner immediately, but what about other anomalous behavior? Ask yourself if you have enough information about what normal is to detect changes. There are multiple lists of Log4Shell IOCs, there is a free one on GitHub you can leverage. https://github.com/curated-intel/Log4Shell-IOCs

Lee Neely

One of the services provided by Kronos is running payroll on behalf of their clients, this service has also been impacted. Have you considered in your BCP how your organization would manage its payroll in the event of those systems being disrupted? If not, now is the time to look into that.

Brian Honan

Did you fully account for your HR or other workforce systems being offline for several weeks in your continuity of operations (COOP) plan? While the timing is never good to enact your continuity plan, the holidays this month and next provide options for time accounting which may make it easier to bridge that gap, you’re going to want to tabletop all workforce management actions to see what has to wait and what has a workaround.

Lee Neely

While the vendor's advice to "implement alternative business continuity protocols" may seem trite, business continuity planning is absolutely still a thing – even though we've pushed so much to SaaS/PaaS/etc. Thousands of healthcare, law enforcement, and retail organizations are whipping up Excel sheets this week to keep up operations. You always need a Plan B! Be sure to include any single point of failure in your tabletop exercises.

Christopher Elgee

This report from PWC is an excellent read for anyone involved in cybersecurity with lessons and recommendations that many organizations should take on board. Huge kudos to the HSE for publishing this report even though they were not required to do so. Open and transparent sharing of post incident reports is a key tool in us all ensuring the security and safety of our systems and the Internet.

Brian Honan

This report describes factors and warning signs that were missed. Look at these to see if you’ve have missed anything. Is your endpoint-protection/anti-malware service in active blocking mode? Do you have any legacy operating systems? If so, how are you protecting them? Is your network protected from them? Are you only focused on user endpoints for security or are you including servers – particularly domain controllers? Specialized servers like these are good candidates for explicit allow and deny execution controls. How is your segmentation? Is it still intact, or has it been weakened by many exceptions? Be sure to look at resources in your sector ISOC, CISA, etc. which can provide assistance/expertise to help your budget and resources go further.

Lee Neely

When the update is pushed Chrome has to be relaunched, monitor to make sure that happens within an acceptable window if you’re not stopping Chrome when deploying the update. While the update is scheduled to be released over a few weeks, double check to see if you can’t already download the updated version for your clients.

Lee Neely

Until Hillrom updates are released and deployed, disable SSO on those products, ensure you’re isolating them from the business network and other systems, only allowing access by authorized systems and users, to include not exposing them directly to the Internet.

Lee Neely