RCE. These three letters add increased levels of stress to cybersecurity professionals regarding vulnerabilities against their hardware or software within their risk management program.
RCE is an acronym for Remote Code Execution. This capability means an attacker can launch an exploit against a vulnerability to hardware or software and easily take control of the application or system to launch their commands without the user or cybersecurity professional knowing about it.
Vulnerability Severity Scoring
The National Institutes of Standards and Technology (NIST) maintains a listing of vulnerabilities and ranks them based on the severity of the vulnerabilities between 0 and 10. The Common Vulnerability Scoring System (CVSS) catalogs the individual vulnerabilities in the National Vulnerability Database (NVD) and attributes scores based on criteria that impact software.
There are groups of criteria: Base, Temporal and Environmental. The Base category reviews the vulnerability, which can remain consistent over time and various user environments. The Temporal group looks at the vulnerability over time, which can change, and the Environmental group provides characteristics that can be unique to a user's infrastructure or environment.
A score of one for a vulnerability will account for a low severity and low risk. A score between 9.0 and 10.0 is a critical severity vulnerability and is the worst kind and dangerous of vulnerabilities. In the history of NIST tracking vulnerabilities in their National Vulnerability Database (NVD), the critical vulnerabilities accounted for almost 20,000 exposures and RCEs or Code Execution, attributed to over 40,000 vulnerabilities of the total 170,000 vulnerabilities in their catalog.
A rating of 10.0 for a vulnerability allows an attacker to launch their code remotely, bypassing any authentication needed on the target system. The overall complexity is low for the attacker to implement the exploit against the vulnerability. Essentially anyone from a script kiddie to a nation-state could launch an exploit against a system and take it over without a lot of effort.
Log4j + RCE = Big Trouble
Log4j is a Java logging application that logs security and performance information within other java-based applications on a system. It is commonly found within the Apache web service environment. It is utilized worldwide in over three billion applications and systems. It essentially provided a backdoor for cybercriminals to easily gain access.
Just before the Thanksgiving holiday in November 2021, security researchers discovered a vulnerability of the Apache Log4j logging application.
The Log4j vulnerability became classified with a CVSS score of 10.0 and was assigned the identifier CVE-2021-45105. This vulnerability could allow anyone to submit a crafted network request to a system and take complete control to launch malware, ransomware or other malicious actions.
Best Practice & Sound Advice
The Critical Infrastructure & Security Agency (CISA) created a dedicated page on their site to the Log4j vulnerability to support organizations in their efforts to mitigate this new threat.
One of the first security rules is knowing the applications and systems within the organization's infrastructure and network. Failure to do so can result in a cyber attack, which happened to credit monitoring company Experian. They were fined over $700 million from the Federal Trade Commission (FTC) in its failure to reasonably mitigate the known software vulnerabilities as it broke several laws within the Federal Trade Commission Act and the Gramm Leach Bliley Act. The FTC created these laws to protect consumer data. It requires organizations to be aware of their systems and take reasonable actions to patch known vulnerabilities to protect against Log4j or other future vulnerabilities.
Many organizations impacted by Log4j, either as a user or developer, had a dedicated vendor page to list the applications or platforms affected for organizations to search and quickly determine their exposure.
Risk Reduction and Mitigating Actions
It is always a bad day when a Zero-day vulnerability is discovered, and it is worse when the NVD gives it a critical rating of 10. CISA provides excellent advice that supports many cybersecurity guidelines and standards for mitigating vulnerabilities.
- Review or discover all internet-facing systems which utilize the vulnerable application.
- Review or discover all systems within your organization that utilizes the vulnerable application.
- Patch all systems with the latest version when it becomes available.
- Test the patch on replicated, non-production systems to verify functionality.
- Patch all critical and internet-facing systems first to reduce the risk of attack.
- If systems cannot receive the patch, isolate them, and restrict communication and access until the risk can be effectively mitigated.
- Monitor network traffic and applications for any odd patterns relating to the vulnerability.
- Security is the process of reducing risk. It can never reach zero, but the risk can be mitigated, managed and audited to ensure an organization is secure.
Lessons Learned
The Log4j vulnerability made the month of December 2021 a trying and difficult one for so many IT administrators, developers and CISOs. The risk of an attack was possible due to the high critical rating, lack of knowledge and ease of running an exploit against this vulnerability. It made it a credible threat that organizations needed to patch systems to reduce the risk of an attack by anyone from a script kiddie to nation-state attackers. Hopefully, with the lessons learned from this attack, organizations have added "Zero-day vulnerabilities with 10.0 criticality" to their playbooks and actively review their process for future risk mitigations.