At the end of last year a vulnerability in the Log4j software was reported. It caused concerns among users of connected devices, including security equipment. This article examines the extent to which it impacted security and how users can avoid it.
In December of last year, the Apache Software Foundation announced that a new vulnerability had been found in its Log4j software. It further said the vulnerability was classified “under the highest severity remark.” These remarks caused concerns among users of connected devices.
Log4j is a logging utility that is used to generate logs within a program. “Log4j is very prevalent throughout the IT industry as it is a very popular logging feature that is used at a lot of enterprises,” said Luke Bencie, MD, and Eric Dorn, Junior Associate, at Security Management International.
According to both, there is a vulnerability within Log4j, known as Log4shell, that exploits a feature which allows for the creation of custom code for log messages. “This exploitation allows for someone to submit a request for a code that is hosted on an LDAP server using JNDI (Java Naming and Directory Interface). JNDI then returns the malicious code to the app that uses Log4j, which can lead to malware being executed or an attacker gaining full control over a computer,” Bencie and Dorn said. “The reason why Log4shell is such a threat to organizations is that it can allow for a malicious actor to remotely execute code and compromise IT systems.”
How it affects security
Like other connected devices, IP cameras and NVRs can be vulnerable to the threat. “Any device that connects to the Internet is vulnerable to being compromised,” Bencie and Dorn said. “The danger of Log4j is that a lot of applications and organizations use it as a means of generating log files. If the software that controls a physical security system uses log4j it might be vulnerable to an attack if the version of Log4j it uses is out of date.”
After the vulnerability was revealed, many security vendors came forward to state that their products were free from the threat. However, certain vendors were still affected. One major video surveillance solutions provider’s website, for example, noted that some of its security systems suffered “limited impact” from Log4shell.
Yet for users, this should not be a major source of concern as long as they update to the latest Log4j version, which fixes the problem.
“The widespread usage of Log4j means that many organizations have code that is dependent on Log4j generating logs and those dependencies pass values based on those logs to other dependencies and so on and so forth. This means that some organizations will have to remove this vulnerability and ensure that any dependencies that use log4j are updated or revised so that they are protected against this vulnerability,” Bencie and Dorn said. “Many IP-based security devices should only really be concerned about the log4j vulnerability if the software that controls them utilizes an older version of log4j.”
Bencie and Dorn also cited the Cybersecurity and Infrastructure Security Agency (CISA)’s recommendations for fixing the vulnerability:
• Identify assets that have been affected by Log4j/Log4Shell.
• Ensure that assets are running newer versions of Log4j and that teams remain alert to vendor software updates.
• Use incident response procedures to detect possible Log4shell exploitation.
As well as Apache’s recommendations:
• Remove the Log4j lookup feature
• Add new rules to your Web App Firewall to block potentially malicious inbound requests and restrict egress over port 1100 to untrusted domains[3]
• Replace affected classes (remove LDAP class from Log4j)[4]
“The implementation of a control that scans for known vulnerabilities against a database of known vulnerabilities would be a great way to find out if your organization is at risk of an attack that uses Log4j as its vector,” Bencie and Dorn said. “Implementing these fixes in conjunction with observing best practices for IT Governance and Risk Management should help organizations protect themselves against a Log4j attack.”