Question: How do I find servers in my organization that have the vulnerable Log4j component?
For enterprise IT and security teams tasked with updating Java applications containing the vulnerable Log4j, the difficult part is accurately assessing whether they have any affected applications in the first place.
Block the Traffic
One thing that organizations can do while they are investigating is to use firewall rules to block suspicious egress traffic, says Casey Ellis, founder and CTO of Bugcrowd. “When the first stage of Log4Shell is triggered, this triggers a lookup to an attacker-controlled server,” Ellis says. The lookup, which retrieves the second-stage Java payload or exfiltrates sensitive information, can use a variety of JNDI-supported protocols, including LDAP and DNS. Those are the protocols to pay attention to.
“Blocking systems with Log4J on them from egressing a network in this way mitigates retrieval of the second stage, and limits the potential for data exfiltration via successful first-stage execution,” Ellis says. “We’ve seen both bounty hunters and malicious attackers using DNS as the preferred mechanism for data exfiltration, as DNS egress from a network is very rarely blocked; it is either allowed to pass through a firewall, or is passed forward by resolvers.”
There are very few circumstances in which LDAP traffic should leave the network, so blocking outbound LDAP stops the attack at that lookup step.
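The detection side of Ellis's advice, as an added example that is not from the article or from Bugcrowd: the Python script below runs over constructed firewall and resolver log lines (an assumed "timestamp key=value ..." format, not any particular vendor's) and flags two things, allowed LDAP/LDAPS connections from internal hosts to external addresses, and DNS queries outside an allowlist that carry a label long enough to suggest encoded data. The internal range, the allowlist, the port set and the label-length threshold are all assumptions to be replaced with your own.

```python
import ipaddress
from typing import Dict, List

# Constructed sample log lines (not real traffic). 10.0.0.0/8 stands in for the
# internal network; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
# standing in for external hosts.
FIREWALL_LOG = """\
2021-12-11T10:00:01Z src=10.0.1.5 dst=10.0.0.20 proto=tcp dport=389 action=allow
2021-12-11T10:00:02Z src=10.0.1.5 dst=203.0.113.7 proto=tcp dport=389 action=allow
2021-12-11T10:00:03Z src=10.0.1.9 dst=198.51.100.4 proto=tcp dport=443 action=allow
2021-12-11T10:00:04Z src=10.0.1.9 dst=203.0.113.7 proto=tcp dport=636 action=allow
2021-12-11T10:00:05Z src=10.0.1.9 dst=203.0.113.9 proto=tcp dport=389 action=deny
"""

DNS_LOG = """\
2021-12-11T10:00:06Z src=10.0.1.5 query=updates.example.com
2021-12-11T10:00:07Z src=10.0.1.5 query=dXNlcj1hZG1pbjtob3N0PWFwcDAxO29zPWxpbnV4.x7f2k9.lookup.example.net
2021-12-11T10:00:08Z src=10.0.1.9 query=www.example.org
"""

LDAP_PORTS = {389, 636}                                # LDAP and LDAPS
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal address space
DNS_ALLOWLIST = {"example.com", "example.org"}         # assumed known-good zones
MAX_LABEL_LEN = 30                                     # assumed threshold: encoded chunks make long labels


def parse_line(line: str) -> Dict[str, str]:
    """Split a 'timestamp key=value ...' line into a dict; the timestamp lands under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_ldap_egress(log: str) -> List[Dict[str, str]]:
    """Allowed TCP connections from an internal host to an external LDAP/LDAPS port."""
    hits = []
    for line in log.splitlines():
        rec = parse_line(line)
        if (rec.get("proto") == "tcp"
                and int(rec.get("dport", 0)) in LDAP_PORTS
                and rec.get("action") == "allow"
                and is_internal(rec["src"])
                and not is_internal(rec["dst"])):
            hits.append(rec)
    return hits


def registered_domain(name: str) -> str:
    """Last two labels of a query name (crude; production code should use a public-suffix list)."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def flag_suspicious_dns(log: str) -> List[Dict[str, str]]:
    """Queries outside the allowlist that contain an unusually long label."""
    hits = []
    for line in log.splitlines():
        rec = parse_line(line)
        name = rec["query"]
        if registered_domain(name) in DNS_ALLOWLIST:
            continue
        if any(len(label) > MAX_LABEL_LEN for label in name.split(".")):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in flag_ldap_egress(FIREWALL_LOG):
        print(f"LDAP egress: {rec['src']} -> {rec['dst']}:{rec['dport']} at {rec['ts']}")
    for rec in flag_suspicious_dns(DNS_LOG):
        print(f"Suspicious DNS: {rec['src']} queried {rec['query']} at {rec['ts']}")
```

Each hit names the internal source host, which is the host to pull into the Log4j inventory work described below; the LDAP hits are also the connections a deny rule should have caught, so an allowed hit after the rule is in place points at a gap in the firewall policy.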
Tools for Finding Systems
Several vendors have released tools to help organizations find vulnerable applications and systems. One interesting tool comes from Thinkst Canary. Users create a DNS-based token in the Canarytokens interface and embed it in a jndi:ldap string; that string can then be pasted into search boxes and form fields that may be parsed by logging libraries. If the system is vulnerable, the Canarytoken emails the vulnerable server’s hostname, the company says.
“We see this as a quick hack to help defenders through some pain,” Thinkst Canary said on Twitter.
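A local inventory check complements the token approach, since it finds the library on disk rather than waiting for a vulnerable code path to fire. The Python script below is an added example, not a Thinkst tool and not from the article: it walks a directory tree, opens every jar/war/ear it finds (including archives bundled inside other archives), and reports the log4j-core version from the Maven pom.properties marker together with whether the JndiLookup class is present. The sample archives it builds for its own demo are constructed stand-ins that contain only those marker entries, not real Log4j code; the paths and version strings in the demo are likewise made up.

```python
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

# Marker entries inside a log4j-core jar: the Maven properties file carries the version,
# and the JndiLookup class is the code path behind the JNDI lookup.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = {".jar", ".war", ".ear", ".zip"}
MAX_NESTING = 3  # bounded recursion into bundled archives such as WEB-INF/lib/*.jar


def inspect_archive(data: bytes, label: str, findings: List[Dict[str, str]], depth: int = 0) -> None:
    """Record log4j-core markers found in one archive (given as bytes) and recurse into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (or corrupt); nothing to inspect
    with zf:
        names = set(zf.namelist())
        version: Optional[str] = None
        if POM_PROPS in names:
            for raw in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if raw.startswith("version="):
                    version = raw.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP in names
        if version or has_jndi:
            findings.append({"archive": label,
                             "version": version or "unknown",
                             "jndi_lookup_class": str(has_jndi)})
        if depth < MAX_NESTING:
            for name in names:
                if Path(name).suffix.lower() in ARCHIVE_SUFFIXES:
                    inspect_archive(zf.read(name), f"{label}!{name}", findings, depth + 1)


def scan_tree(root: Path) -> List[Dict[str, str]]:
    """Inspect every archive below root and return one finding per archive that carries a marker."""
    findings: List[Dict[str, str]] = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            inspect_archive(path.read_bytes(), str(path), findings)
    return findings


def build_sample_jar(path: Path, version: str, include_jndi: bool) -> None:
    """Write a constructed minimal jar carrying only the marker entries (no real Log4j code)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a class file


def demo() -> List[Dict[str, str]]:
    """Build a constructed sample tree in a temp dir and scan it."""
    tmp = Path(tempfile.mkdtemp())
    # an application shipping log4j-core with the JndiLookup class present
    old = tmp / "legacy-app" / "lib" / "log4j-core-2.14.1.jar"
    old.parent.mkdir(parents=True)
    build_sample_jar(old, "2.14.1", include_jndi=True)
    # the same version with JndiLookup.class deleted from the jar: version string unchanged
    stripped = tmp / "patched-app" / "log4j-core-2.14.1-jndi-removed.jar"
    stripped.parent.mkdir(parents=True)
    build_sample_jar(stripped, "2.14.1", include_jndi=False)
    # a web application bundling the first jar under WEB-INF/lib
    with zipfile.ZipFile(tmp / "webapp.war", "w") as zf:
        zf.write(old, "WEB-INF/lib/log4j-core-2.14.1.jar")
    return scan_tree(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['archive']}: version={finding['version']} "
              f"JndiLookup.class={finding['jndi_lookup_class']}")
```

Reporting both the version string and the class presence matters for triage: deleting JndiLookup.class from a jar is a published mitigation that leaves the version string untouched, and a repackaged or shaded jar may carry the class without any pom.properties at all. A finding with the class present goes on the list to upgrade, whatever the version string says; the version is then compared against the fixed releases published by Apache rather than hard-coded here.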
Source: www.darkreading.com