How does Holm Security support detection of the Log4j (Log4Shell) vulnerability?

This article will be updated when more information is available.

Updates about vulnerability tests 

2021-1-26 13:25 GMT +1

HID table updated (new entries are marked New); please see the end of the article.

 

Information about the Log4j vulnerability

General information

CVE-2021-44228 is a Remote Code Execution (RCE) vulnerability impacting Log4j version 2. The vulnerability is also known as Log4Shell.

Log4j is a widely used logging framework for Java-based applications, and any developer can include it in their software. The impact of this vulnerability is therefore widespread, affecting both platforms and individual applications.

Read more about this vulnerability in our blog.

How to scan for this vulnerability

To check whether your systems are affected by the Log4j 2 vulnerability, you will need to run an Authenticated Network Scan using Holm Security VMP.

You will find detailed information about setting up your authenticated scanning profile in this article:
https://support.holmsecurity.com/hc/en-us/articles/212841809

And you can find more information in this section:
https://support.holmsecurity.com/hc/en-us/sections/360002955531-Authenticated-Network-Scans

If your system is vulnerable, you will find one of the following HIDs in your generated scan report depending on your OS:

  • HID-2-1-371879
  • HID-2-1-371866
  • HID-2-1-026309
  • HID-2-1-939587
  • HID-2-1-341380 (can be run unauthenticated, only on external scan nodes)
  • HID-2-1-341387
  • HID-2-1-341388
  • HID-2-1-341389
  • HID-2-1-371872
  • HID-2-1-341381
  • HID-2-1-341395
  • HID-2-1-341383
  • HID-2-1-341382
  • HID-2-1-5348677 Apache Log4j Version Detection (Windows) Authenticated
  • HID-2-1-5348688 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348682 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348681 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348680 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348683 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348686 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348685 (run unauthenticated, only on external scan nodes)
  • HID-2-1-5348689 (run unauthenticated, only on external scan nodes)
  • HID-2-1-939589 
  • HID-2-1-371836 
  • HID-2-1-371835 
  • HID-2-1-043901 
  • HID-2-1-043927 
  • HID-2-1-371827 
  • HID-2-1-5348693 
  • HID-2-1-5348694 
  • HID-2-1-371816 
  • HID-2-1-5348690 
  • HID-2-1-341309 
  • HID-2-1-5348691 
  • HID-2-1-5348698 
  • HID-2-1-5348687 
  • HID-2-1-079625 
  • HID-2-1-043933 
  • HID-2-1-079624 
  • HID-2-1-5348675 
  • HID-2-1-5348628 New
  • HID-2-1-5348617 New
  • HID-2-1-5348621 New
  • HID-2-1-5348699 New
  • HID-2-1-5348604 New
  • HID-2-1-5348619 New
  • HID-2-1-5348610 New
  • HID-2-1-5348613 New
  • HID-2-1-5348607 New
  • HID-2-1-5348614 New
  • HID-2-1-043947 New
  • HID-2-1-043943 New
  • HID-2-1-341318 New
  • HID-2-1-341317 New
  • HID-2-1-341302 New
  • HID-2-1-341303 New
  • HID-2-1-939581 New
  • HID-2-1-079632 New
  • HID-2-1-026319 New
  • HID-2-1-5348620 New    
  • HID-2-1-5348618 New     
  • HID-2-1-5348629 New   

Released

  • ArcGIS Server Log4j RCE Vulnerability (000026951) - CVE-2021-44228
  • Cisco Identity Services Engine Log4j RCE Vulnerability (CSCwa47133)
  • Cisco Unified Communications Manager IM & Presence Service Log4j RCE Vulnerability (CSCwa47393)
  • Cisco Unified Communications Manager Log4j RCE Vulnerability (CSCwa47249)
  • IBM WebSphere Application Server Log4j RCE Vulnerability (6525706, Log4Shell) - CVE-2021-44228
  • Ubuntu log4j Vulnerability CVE-2021-44228
  • Elastic Logstash Multiple Log4j Vulnerabilities (Dec 2021)
  • Apache Log4j 2.0.x Multiple Vulnerabilities (Linux/Unix, Log4Shell) - Version Check
  • Apache JSPWiki 2.11.0 Log4j RCE Vulnerability (Log4Shell) - Active Check
  • Apache JSPWiki 2.11.0 Log4j RCE Vulnerability (Log4Shell) - Version Check
  • Apache Log4j 1.2.x RCE Vulnerability (Windows, Dec 2021) - Version Check
  • Apache Log4j 1.2.x RCE Vulnerability (Linux/Unix, Dec 2021) - Version Check
  • Ubuntu: Security Advisory for apache-log4j2 (USN-5192-1)
  • Fedora: Security Advisory for log4j (FEDORA-2021-f0f501d01f)
  • Ubuntu: Security Advisory for apache-log4j2 (USN-5197-1)
  • Apache Log4j 2.0.x Multiple Vulnerabilities (Windows, Log4Shell) - Version Check
  • Fedora: Security Advisory for log4j (FEDORA-2021-66d6c484f3)
  • Fedora: Security Advisory for jansi (FEDORA-2021-66d6c484f3)
  • Apache Archiva < 2.2.6 Multiple Log4j Vulnerabilities (Log4Shell)
  • Apache Tika Server 2.x < 2.2.0 Log4j RCE Vulnerability (Log4Shell)

VMware and Windows:

  • Apache Log4j Version Detection (Windows)
  • VMware vCenter Server 6.5, 6.7, 7.0 Log4j RCE Vulnerability (VMSA-2021-0028)
  • VMware vRealize Automation 7.6 and 8.x Log4j RCE Vulnerability (VMSA-2021-0028)
  • VMware vRealize Log Insight 8.2, 8.3, 8.4 and 8.6 Log4j RCE Vulnerability (VMSA-2021-0028)
  • VMware vRealize Operations 8.x Log4j RCE Vulnerability (VMSA-2021-0028)
  • VMware vRealize Orchestrator 7.6 and 8.x Log4j RCE Vulnerability (VMSA-2021-0028)
  • Wowza Streaming Engine Log4j RCE Vulnerability - CVE-2021-44228
  • Splunk Enterprise 8.1.x, 8.2.x Log4j RCE Vulnerability - CVE-2021-44228
  • Apache Solr 7.x, 8.x Log4j RCE Vulnerability - CVE-2021-44228
  • Cisco Webex Meetings Server Log4j RCE Vulnerability (CSCwa47283)

To scan for this vulnerability specifically, you can set up a scan profile that includes the HIDs above.


How the active exploitation scripts work:

In our active scripts, we try to exploit the Log4j vulnerability and force scanned targets to initiate a connection request to our scanner. In the case of HTTP active exploitation, for example, we try to inject a specially crafted payload into different HTTP headers. The payload looks like this:

[Image: mceclip0.png]

  • ownip is the IP address of our scanner.
  • random_port is the port we choose to receive the connection on.

Note that you will need to whitelist the port range 40000-41000 in your firewall rules, as these are the ports Holm uses to receive connection requests for Log4j exploitation.

A vulnerability is reported when our scanner detects a connection request from the target IP to the scanner IP on the selected port.

Besides the active exploitation plugins, Holm scripts can check for vulnerable Log4j packages present on the target machine using an authenticated scan.

Examples of files that can be detected include:

  • log4j-core-java9-2.13.3.pom
  • log4j-2.13.3.pom
  • log4j-core-2.13.3.jar
  • log4j-core-2.13.3.pom
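
An added example, not Holm Security's plugin code: a Python check that parses file names like those listed above and decides whether the version falls in a range affected by CVE-2021-44228. The affected ranges are an assumption taken from Apache's Log4j security page rather than from this article, and the sample paths are constructed.

```python
import re
from pathlib import PurePath

# Assumption (Apache Log4j security page, not this article): CVE-2021-44228
# affects log4j-core [2.0-beta9, 2.3.1), [2.4, 2.12.2) and [2.13.0, 2.15.0).
AFFECTED_RANGES = [((2, 0, 0), (2, 3, 1)), ((2, 4, 0), (2, 12, 2)), ((2, 13, 0), (2, 15, 0))]

# Matches names such as log4j-core-2.13.3.jar or log4j-core-java9-2.13.3.pom.
NAME_RE = re.compile(
    r"^(?P<artifact>log4j(?:-[a-z][a-z0-9]*)*)-(?P<version>\d+(?:\.\d+){1,2})"
    r"(?:-(?P<qualifier>[A-Za-z0-9]+))?\.(?:jar|pom)$"
)
PRERELEASE_RE = re.compile(r"^(alpha|beta|rc)(\d+)$", re.IGNORECASE)


def version_affected(version, qualifier=None):
    """Return True if a Log4j version string falls inside the affected ranges."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))  # "2.0" -> (2, 0, 0)
    pre = PRERELEASE_RE.match(qualifier or "")
    if pre and parts == (2, 0, 0):
        # 2.0 pre-releases: only beta9 and the release candidates are in range.
        kind, number = pre.group(1).lower(), int(pre.group(2))
        return kind == "rc" or (kind == "beta" and number >= 9)
    return any(low <= parts < high for low, high in AFFECTED_RANGES)


def classify(path):
    """Return (artifact, version, affected) for a Log4j file name, else None."""
    match = NAME_RE.match(PurePath(path).name)
    if not match:
        return None
    version, qualifier = match.group("version"), match.group("qualifier")
    label = f"{version}-{qualifier}" if qualifier else version
    return match.group("artifact"), label, version_affected(version, qualifier)


# Constructed inventory: the article's example names plus made-up paths.
SAMPLE_PATHS = [
    "/opt/app/lib/log4j-core-2.13.3.jar",
    "/opt/app/lib/log4j-core-java9-2.13.3.pom",
    "/opt/app/lib/log4j-2.13.3.pom",
    "/srv/legacy/lib/log4j-core-2.0-beta8.jar",
    "/srv/patched/lib/log4j-core-2.12.2.jar",
    "/srv/new/lib/slf4j-api-1.7.32.jar",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, classify(p))
```

A file name only indicates which release is installed; jars bundled inside other archives or renamed by a vendor will not match this pattern.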

We also have extensive coverage of enterprise applications such as VMware vCenter, VMware vRealize, Splunk, Elasticsearch, Cisco Webex, UCS, UCM, etc.

 

 

 
