How do I scan for the Log4j vulnerability (Log4Shell)?

Follow these instructions to create a network scan profile for detecting the Log4Shell vulnerability.

1. Login to Security Center.
2. Click Scan network in the main menu.
3. Click Scan profiles.
4. Click +Add scan profile>Vulnerability profile
5. Under the headline General information enter the following:
   • Name: the name of the profile, e.g. Standard scan profile.
   • Owner: the owner of the schedule.
   • Details: any comments or a brief description of the profile that you want to add.
6. For settings under tabs, Scan settings:
   • Unauthenticated scanning:
     • Mark the discovery scan.
     • scroll all the way down to the Vulnerability Detection and choose Custom.
       • In the Vulnerability section insert each of the HIDs for non-authentication Log4jShell test separately:
         
   • Authenticated scanning:
     • scroll all the way down to the Vulnerability Detection and choose Custom.
       • In the Vulnerability section insert each of the HIDs for the Log4jShell vulnerability separately:
         
     • At the moment, we have multiple tests to detect the Log4Shell vulnerability:
       
       • HID-2-1-341383
       • HID-2-1-341381
       • HID-2-1-341382
       • HID-2-1-371872
       • HID-2-1-371879
       • HID-2-1-371866
       • HID-2-1-026309
       • HID-2-1-939587
       • HID-2-1-341380
       • HID-2-1-341389
       • HID-2-1-341395
       • HID-2-1-341383
       • HID-2-1-341382
       • HID-2-1-5348677
       • HID-2-1-5348688
       • HID-2-1-5348682
       • HID-2-1-5348681
       • HID-2-1-5348680
       • HID-2-1-5348683
       • HID-2-1-5348686
       • HID-2-1-5348685
       • HID-2-1-5348689
     • The Profile should look similar to this image:
       
7. Under the headline, Authentication:
   Here you can enter a new authentication record or choose an existing one for Windows and Linux/Unix. Notice that you can only have one authentication record per profile and operating system.
   • Linux/Unix authentication record
     • Authentication information 
       The authentication information will be the name you type in.
     • Name 
       Select a name.

        

     • Port

       • Type in if you want to use a certain port for your authentication, otherwise, the standard port 22 will be used.

       • Choose if you want to authenticate with either username and password or by using a private key, type in your credentials, and you are done.

   • Windows authentication record

     • Authentication information
       The authentication information will be the name you type in.

     • Name

       • Select a name.

       • Type in the credentials you would like to use for your authenticated scan.

       • Check “Use NTLM” if you are using the NTLM protocol to authenticate your domains.

         Read this for more information regarding authenticated network scans:
         https://support.holmsecurity.com/hc/en-us/articles/360019811432-How-does-authenticated-networks-scans-work-

8. Click OK to save the scan profile. 
9. Click SCANS in the Scan network menu.
10. Click +Add Scan>Vulnerability scan
11. Under the headline General information enter the following:
    • Name: the name of the Scan, e.g. Log4Shell.
    • Scan profile: Choose your recently created scan profile that has the right login credentials for the Host you want to scan.
    • Scanner Appliance: Choose either:
      • External (Holm Scanner Appliance).
      • Scanner Appliance (Your local installed Scanner Appliance).
12. Under the headline, Target enters the IP or IP range that you want to scan.
13. Click Run to start the scan.
14. Done!

Note! To check if your systems are affected by the Log4Shell vulnerability you will need to run an Authenticated Network Scan using Holm Security VMP.

You can only use the HID-2-1-341380 with Non-Authentication (Works only with the External Scanner  Appliance).