Until two weeks ago, Log4j was just a popular Java logging framework, one of the numerous components that run in the background of many modern web applications. But since a zero-day vulnerability (CVE-2021-44228) was published, Log4j has made a huge impact on the security community as researchers found that it’s vulnerable to arbitrary code execution. 

The good news is that the Apache Software Foundation has already fixed and rolled out the patch for the vulnerability. On top of the patch, thanks to SCADAfence's research and R&D team, our latest build supports the detection of Log4j exploit attempts.

Quick Recap of CVE-2021-44228 in Log4j

Log4J is an unauthenticated remote code execution (RCE, code injection) vulnerability in the popular Log4j logging framework for Java. By exploiting it, the attacker can easily execute any code from a remote source on the attacked target. NIST has given this vulnerability (CVE-2021-44228) a score of 10 out of 10, which reflects its criticality.

Over 3 billion devices run Java, and because there are only a handful of logging libraries, many of them are likely to run Log4j. Worse still, many internet-exposed target applications can be exploited by external users without authentication. 

Over the past two weeks, major OT vendors disclosed the security impact of this vulnerability on their software and equipment, and additional disclosures will continue as vendors work to identify the use of Log4j across their product lines. Originally, the Log4j vulnerability made it challenging to identify potentially impacted servers on a given network. For OT networks that have incorporated network segmentation, the risk from these protocols can be mitigated to an extent.

How To Ensure That Your Systems Are Safe

First, it's important to understand that the root cause of this issue lies within the Log4j library. The Apache Software Foundation released an emergency patch for the vulnerability. You should upgrade your systems to Log4j 2.15.0 immediately or apply the appropriate mitigations.

Our OT security threat intelligence database learns about the different behavior to highlight activities attempting to leverage this vulnerability and to provide remediation guidance. Our customers are notified of log4j exploit attempts, and also on any anomaly detected by our anomalies engine. but our customers are already protected simply based on the efficacy of our anomaly detection.

The SCADAfence Platform, the Governance Portal, and the Multi-Site Portal do not use Log4J or the Apache server, and thus SCADAfence product installations are updated and secure from the Log4J vulnerability. Customers do not need to take action for any of our on-prem or hosted web solutions.

At SCADAfence, we felt network segmentation wasn’t enough to fight off the critical vulnerability. The latest build of the SCADAfence Platform detects and allows SCADAfence customers to leverage our OT security threat intelligence service to ensure they can patch and mitigate this exploit in any of their OT devices.

Log4J (6)

The SCADAfence Platform Detects & Alerts if an OT Asset is Vulnerable to the Log4Shell Vulnerability

We’ve updated our log4shells/log4j exploit detection inside the SCADAfence Platform as we have maneuvered ahead. We added CVE signatures to our database which detect and alert RCE (Remote Code Execution) exploits. 

The following CVEs were added to the SCADAfence database to correlate and alert of vulnerable OT assets: 

  1. CVE-2021-44228   
  2. CVE-2021-45046 
  3. CVE-2021-4104
  4. CVE-2020-9488
  5. CVE-2019-17571
  6. CVE-2017-5645

How Can You Deploy The Latest Version of SCADAfence

The latest version of the SCADAfence Platform which detects the CVE signatures relating to the vulnerability is available in build 6.6.1.167. To get the latest version, please contact your customer success representative.

If your organization is looking into securing its industrial networks, the experts at SCADAfence are seasoned veterans in this space and can show you how it’s done. 

To learn more about SCADAfence’s array of OT & IoT security products, and to see short product demos, click here: https://l.scadafence.com/demo