On Dec 9, 2021, security researchers published exploit details on a high risk vulnerability affecting the widely used software package Apache Log4j. Attackers can leverage this vulnerability to gain full control of affected internet-facing systems using simple attack methods, allowing for easier ransomware and malware deployment. Given widespread usage of Log4j, it’s not surprising to see security professionals label this as “the single biggest, most critical vulnerability of the last decade.”
While Apache has released a security fix, the Log4j vulnerability will likely pose danger to companies for years to come. Not only is comprehensive identification and mitigation of affected systems challenging, companies can remain vulnerable if a partner organization or software vendor used has yet to fully address their own Log4j vulnerabilities.
On Dec 16th, the security firm, Blumira, discovered a new variant of the Log4J attack that can infect vulnerable services and applications inside a company’s firewall. This variant allows attackers to target internal applications directly and makes Log4J exploitable through phishing, drive-by websites, and ad networks. With a single click by an unsuspecting employee, an attacker may be able to compromise systems and gain network access by exploiting Log4j through WebSockets. Since this attack is deployed through client-side Javascript, perimeter network firewalls and endpoint protection will be largely ineffective in stopping this threat. Analysis of this attack chain shows that only browser-level security can thoroughly neutralize all permutations of this attack.
Paladin’s security team is actively working with clients to holistically address their Log4j vulnerabilities. All Paladin Shield users have access to:
- Automated exploitability assessments
- Scanning/detection tools to identify affected systems
- Protection against WebSocket based Log4J exploits
Paladin Shield v9.1.0 disables WebSocket (ws://, wss://) connections to private IP addresses and localhost unless the initiating webpage is also hosted on a private IP address or localhost. This fix will stop targeting of vulnerable Log4J services from a Paladin Shield secured browser while preserving functionality for internal web apps and developers. All Paladin Shield installations from the Chrome/Edge/Mozilla store will automatically update to the latest version.
Due to the severity of the Websocket based Log4j attack vector, we have also released WebSocket Log4j Exploit Immunizer as a free, open-source browser extension. This extension works in the background to protect users against WebSocket based Log4j exploits. WebSocket Log4j Exploit Immunizer is meant to be used as a complement to other remediation efforts. We strongly advise all companies to update all local and internet-facing environments to Log4j 2.17.0 at the earliest opportunity, deploy a web application firewall with Log4J rules, and thoroughly review/test environments for exploitability and indicators of compromise.
To learn more, please reach out to contact@meetpaldin.com.