Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
solo.io / SoloCon 2022 / 5 May 2022
solo.io / SoloCon 2022 / 5 May 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: SoloCon 2022 [Lightning Talk]: Log4Shell Meets Its Match - Remediation Approaches & Lessons Learned

Description

SoloCon 2022:
[Lightning Talk] Log4Shell Meets Its Match: Remediation Approaches and Lessons Learned

Speakers:
Jim Barton
Field Engineer, Solo.io

Will McKinley
Field Engineer, Solo.io

Abstract:
Review the anatomy of a Log4Shell attack. Discuss how Solo customers can protect against it and similar attacks with policy-based solutions that require no changes to protected systems.

Track:
Community and Open Source

A

And then next up, please help me welcome our next lightning talk, presenters, jim barton and will mckinley to the stage they'll be joining us to talk about log for shell attacks and mediation approaches so over to you, jim, and will.

B

All right, thank you, rose good day, everyone, uh we hope you're enjoying day one of solocon 2022..

B

So my name is jim barton and I'm a field engineer in north america, with solo.I o joining me today is will mckinley, who is also a solo field. Engineer today will, and I are going to dive into the log for shell vulnerability and discuss approaches for addressing it with solo products. I'll explore blocking malicious requests at the ingress point of your application network using blue edge will then walk us through defeating log for shell, by blocking egress from our applications to an attacker's server using istio and glue mesh.

B

Let's start with some background on the log for shell attack itself. So in late november of 2021, the alibaba cloud security team reported a zero day. Remote code execution exploit that targeted the wildly popular log4j logging framework well by early december, this exploit had been weaponized and deployed widely across the internet. Shortly after that, headlines began screaming the internet's on fire, and so a number of systems from prominent tech organizations were compromised and emergency response teams from around the world scrambled. To respond to this.

B

It's a serious issue and that's why the cve for the log for shell vulnerability was given a criticality score of 10 out of 10, which is of course the highest you can get.

B

Some of the analogies that have been published for this attack are pretty entertaining my favorite. Is the scotch tape analogy? Imagine they suddenly discovered scotch tape spontaneously explodes you throw out your scotch tape rolls? Then you realize you already have tape deployed everywhere. So this analogy highlights one of the most insidious characteristics of this vulnerability.

B

You might assume that you can simply scan your own systems and look for direct use of a vulnerable version of log4j there's much more to it than that. Not only does direct use of log4j put you at risk, but any system that depends on a library that uses log4j could also be exploited.

B

So how does a log for shell attack work? This diagram from the swiss government's computer emergency response team illustrates the anatomy of an attack quite nicely. The key to the attack is that a special string is passed to an application via a common mechanism. Maybe a request header, maybe a parameter on a request path or maybe via a posted message. Payload, and this string conforms to a specific syntax that log4j interprets as a request for a lookup substitution.

B

Now, most of the time, those substitutions are completely harmless. For example, log4j supports a time lookup. So you add a message to the log saying that you want the time to be displayed in a particular format and log4j will replace your time request with the actual time that the message was logged.

B

But what happens in a log for shell attack is that a different type of substitution is requested, most commonly the attacker requests a jndi substitution, although other protocols like rmi, have been exploited as well, and when an unpatched version of log for j sees this gen d substitution string in a log message, it interprets that, as a request to look up a java object on a remote server. Now, if that server happens to be controlled by an attacker, then it can serve up malicious java classes that will be executed by the application.

B

When that happens, the attacker can potentially exfiltrate sensitive data from the application, or just generally create a lot of mischief on the compromise system. So, in short, if number one, the attacker passes in a malicious string through a common web application parameter and number two. If your java application logs that string or passes it to a java library that logs the string and number three, if your log4j instance interprets that malicious string and executes a remote request say to agendy server, then your application is dangerously compromised.

B

So, let's turn our attention to some remediation remediation strategies. We want to address two questions here, number one: if the internet's on fire, how can we douse the flames? How do we fix the immediate problem and number two, and perhaps more importantly, at this point?

B

How can we prevent fires like this in the future, because this is not the first attack of its kind and it certainly won't be the last sql injection attacks have been around for almost a quarter century now and they operate on exactly the same principles as log for shell attacks. A malicious string is processed through a valid input mechanism and it causes an unintended execution sequence in the application.

B

Javascript injection attacks follow the same pattern as well. So how do we stop it? How do we prevent it going forward, or at the very least, how can we lay a foundation that will make it easier to stop next time? Well, at a fundamental level, we have three opportunities to respond to these attacks number one. We can intercept the malicious request when it enters our system. This leads us to technologies like web application, firewall that we'll discuss in more detail shortly number two: we can interrupt the processing of the malicious requests in our application servers.

B

We might do that by patching log4j or perhaps reconfiguring it to disallow remote lookups number. Three. We can block the outbound requests that attempt to reach the attacker's server. So those are our options, let's begin by considering the middle option for blocking the request processing of the of these malicious requests internally.

B

I start here because that's where I've seen a lot of focus in the enterprise in the enterprise over the last couple of months, and it involves activities like asking developers to inventory their applications and identify vulnerabilities or perhaps automating that activity using a variety of scanning technologies.

B

Then once vulnerable systems are identified, there's a process of applying the fixes that might include upgrading to newer log4j libraries or perhaps reconfiguring the version of log4j you're already using maybe even modifying application code to avoid dangerous features and then, of course those changes need to be regression tests tested, perhaps penetration, tested and then ultimately deployed.

B

I think we can agree that these are all pretty time-consuming and labor-intensive endeavors now don't get me wrong, they're important activities and they need to be carried out. But if you need rapid response to a zero-day exploit like log for shell, it's likely not the most efficient approach.

B

So, let's talk about an alternative which is to block request at the ingress point by leveraging the enterprise edition of the glue edge api gateway, specifically we'll look at its web application firewall facility for applying mod security rules directly on board the envoy proxy. So what is waf web application? Firewalls offer a standard mechanism to inspect incoming requests and apply a suite of mod security rules to ensure there's no malicious content.

B

It can be used to block many kinds of threats, attacks like sql injection and javascript injection, plus requests that come from blacklisted ip addresses and much more excuse me. The owasp organization even offers a set of curated popular mod security rules, called the core rule set that you can activate directly within glue edge and with glue edge. You confront an entire suite of applications using these rules without touching one line of code in the underlying applications.

B

That's the beauty of being able to apply policy at a single ingress point. We provide an example of how to achieve this on the blog post. That's linked on this slide. We don't have time to explore that in detail, but in short, there are two components of the solution.

B

First, you specify a set of mod security rules to block malicious input patterns, whether they're associated with log for shell attacks or other potential risks. Then second, you apply that rule set to a suite of services potentially at the gateway listener level, so that, with a single policy, you can protect an entire application network without touching a line of application code. That's some pretty powerful fire prevention right there for more details.

B

I invite you to check out the blog and walk through the complete example that it presents now I'll pass the baton to will mckinley to discuss an alternative approach for blocking log for shell attacks using blue mesh.

C

All right appreciate that jim, so jim did a great job of thoroughly explaining you know this exploit and how it works and also how to prevent it at the ingress point, and so what I'd like to focus on? Is you know from from the sense that you know, we know that this log for shell exploit had been sitting there for a long time before it had been discovered, and it's not going to be the last one that you encounter.

C

So one of the things that this has taught us is that you know these exploits can be pervasive um and we need to have strategies to mitigate um these exploits from actually taking effect within your clusters and within your systems. So, in effect, what we want to do is make sure we keep. The horses in the corral.

C

You'll also see a point out here to a blog, that's specific, to glue mesh, and what I'm about to go over here is going to touch on this subject. But if you want an in-depth example of how to prevent this, and also how to observe and test your policies to make sure that they work correctly, then take a look there, where you'll find not only a thorough explanation, but you'll also find a code repository link.

C

So let's take a look at some strategies of what you can do to block outbound requests, both with istio and with glue mesh if you're familiar with istio or, if you played with it at all.

C

What you do see is that you can very easily presume a posture of zero trust with it and one of the tools in your in your tool. Chest is uh this ability to set your outbound traffic policy so that you only go to the prescribed allowed urls that you create with service entries now glue. Mesh also has an abstraction for this, for any external destinations that that you're allowed to go to which is called a destination and that's equivalent to a service entry.

C

Now, if you were here with us uh for some of the earlier talks about workspaces, combine this with workspaces and you have a multi-tenant model in order to apply these destinations to your tenants.

C

Another thing that, if you're familiar with envoy or if you've looked at any of the configuration for istio once istio, creates a blocking rule for any outbound request that gets sent to a black hole cluster so that ah that automatically gives us a way to test and observe what's going on in your cluster.

C

So if you're, looking at a potential uh malicious agent that had been deployed into your cluster- and it was coming in to say pet clinic- which we have an example in the in the blog there and was trying to execute this jndi to some nefarious ldap server- that you could see that getting sent to the black hole cluster. But this is not the only thing that you need to do or think about when you're looking at blocking outbound requests or making sure you have a secure posture.

C

We also encourage you to exercise threat modeling so that you can understand vulnerabilities and a good threat model is always a great preventative measure, enforcing least privilege for workloads and understanding trust boundaries, not only within your network, but also across your tenants, your namespaces, the specific applications that are allowed to talk to each other within your cluster.

C

Now, last of all, I'd like to say as well that you know this registry only is a client-side policy. So if you want to enforce a cluster-wide policy, then using an egress gateway is the best solution for your security posture, but whatever you do make sure that you have a system that you can test these exploits in a in a safe way, be able to reproduce these, perhaps by deploying your own ldap server that you can do this exploits have to be observable, and using access logs is a great way at a minimum.

C

To do this, so adding on automation for exploits throughout your ci cd pipeline is mandatory, as well as taking advantage of glue, mash and glue edge.

C

Our conclusions and lessons learned you know obviously log for shell is a big problem here and we need more than just a software solution. We need platforms that are going to create policies for us to take advantage of, so that we can remediate unknown vulnerabilities and having the capability for quick remediation is key.

C

Glue, edge can apply policies that will block inbound requests uh and make sure that you're not at risks and then glue mesh can apply policies as well. That can block outbound requests from within your cluster. Should the attack uh happen from within and, lastly, observability and also all stress testability is foundational.

C

If you like what you heard today, uh please get in touch with us and see how we can help you protect against that next vulnerability. Thank you.

A

All right, thank you, jim and will so.