
CISA and Other Third Parties Publish Log4j Scanners To Detect Log4Shell Vulnerabilities but Most Fail To Identify All Instances

The Cybersecurity and Infrastructure Security Agency (CISA) released a Log4j scanner to help organizations identify potentially vulnerable systems.

Additionally, CISA published a list of other third-party scanning solutions from members of the open-source community, including FullHunt’s scan tool that the agency modified with assistance from open-source community members.

Similarly, CISA, the United States National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the NCSC-UK, Canadian Centre for Cyber Security (CCCS), Australia’s ACSC, CERT NZ, and NZ NCSC issued a joint advisory. The directive guides organizations on mitigating the critical vulnerabilities CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 in the Apache Log4j library.

Attackers could leverage CVE-2021-44228 and CVE-2021-45046 to execute arbitrary code on the victim’s LDAP server and take over the system, and CVE-2021-45046 to carry out denial-of-service (DoS) attacks. Ransomware groups, nation-state actors, and crypto-miners have exploited the vulnerabilities to compromise networks.

CISA’s Log4j scanner covers more test cases

The agency indicated that its Log4j scanner emerged from a collaboration with the broader open-source community and was updated by CISA developers and contributors to cover more scenarios.

According to CISA, the “Log4j scanner is a project derived from other members of the open-source community by CISA’s Rapid Action Force team to help organizations identify potentially vulnerable web services affected by the Log4j vulnerabilities.”

Unlike other Log4j scanners with 3-4 headers, CISA’s tool covers over 60 HTTP request headers and supports DNS callback for Log4Shell vulnerability discovery and validation, lists of URLs, WAF bypass payloads, and fuzzing for HTTP POST data and JSON data parameters.

In the joint cybersecurity advisory, the agencies direct public and private organizations to identify and patch the critical vulnerability in the Log4j library used in applications, review their security posture, and report compromises to the FBI or CISA. Additionally, vendors should inform their end-users of vulnerable products.

Most published Log4j scanners fail to detect vulnerabilities across file formats

In addition to CISA, the CERT Coordination Center, CrowdStrike, Tenable, Trend Micro, and other cybersecurity firms released similar Log4j scanners to detect vulnerabilities in Log4j deployments.

Meanwhile, Rezilion tested several Log4j scanners and discovered that they had varying degrees of effectiveness. According to the company’s security researcher Yotam Perkal, most Log4j scanners failed because Java files could be packaged several layers deep into other files in different formats.

Surprisingly, they discovered that out of nine frequently used Log4j scanners tested, none could detect the vulnerability in all file formats. Additionally, Rezilion noted that various Log4j scanners had blind spots and were limited by their detection method, making them less effective.
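The nesting problem described above can be made concrete with a short file-level check. The following is an added example, not code from CISA, Rezilion, or any of the scanners named here: it opens ZIP-format archives recursively and reports every copy of log4j-core's JndiLookup class, however many layers deep it sits. The function names, the depth limit, and the sample EAR are assumptions constructed for illustration, and formats other than ZIP (tar, for instance) or relocated packages would need additional handling.

```python
import io
import zipfile

# Class whose presence marks a log4j-core copy able to perform JNDI lookups.
MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MAX_DEPTH = 8  # assumption: stop descending after this many nested layers


def scan_archive(data, path="", depth=0):
    """Return the nested paths of every JndiLookup.class inside a ZIP-format blob."""
    hits = []
    if depth > MAX_DEPTH:
        return hits
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with archive:
        for info in archive.infolist():
            inner_path = f"{path}!/{info.filename}" if path else info.filename
            if info.filename.endswith(MARKER):
                hits.append(inner_path)
                continue
            payload = archive.read(info)
            # Decide by ZIP magic, not extension, so renamed inner archives are opened.
            if payload[:4] == b"PK\x03\x04":
                hits.extend(scan_archive(payload, inner_path, depth + 1))
    return hits


def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample():
    # Constructed sample: log4j-core jar inside a fat jar inside a WAR inside an EAR.
    core = make_zip({MARKER: b"\xca\xfe\xba\xbe"})
    fat = make_zip({"BOOT-INF/lib/log4j-core.jar": core})
    war = make_zip({"WEB-INF/lib/service.jar": fat, "index.html": b"<html/>"})
    return make_zip({"app.war": war, "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})


if __name__ == "__main__":
    print("\n".join(scan_archive(build_sample(), "sample.ear")))
```

A scanner that inspects only top-level `.jar` files would report nothing for this sample, because the class sits three archive layers below the EAR.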

“Security leaders cannot blindly assume that various open-source or even commercial-grade tools will be able to detect every edge case,” Perkal wrote. “And in the case of Log4j, there are a lot of edge instances in many places.”

Similarly, CISA acknowledged the limitation of its Log4j scanner, adding that there were other use cases in which threat actors could exploit Log4j vulnerabilities. Consequently, the agency’s Log4j scanner carried a disclaimer that the information and code in the repository was provided on an “as is” basis.

However, despite their shortcomings, the Log4j scanners would help organizations reduce the attack surface that threat actors could use to compromise various organizations.