Sunday, December 12, 2021

LOG4SHELL - CVE-2021-44228: Apache Zero-Day

Log4Shell / Log4j2 -

A zero-day exploit in the popular Java logging library log4j2 was discovered that results in Remote Code Execution (RCE) when a certain string is logged.

Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers and Spring Boot web applications.



The vulnerability has been reported with CVE-2021-44228 against the log4j-core jar. CVE-2021-44228 is considered a critical flaw, and it has a base CVSS score of 10, the highest possible severity rating.


Who is Impacted:

Too many services are vulnerable to this exploit, as log4j is a widely used Java-based logging utility. Cloud services like Steam and Apple iCloud, and applications like Minecraft, have already been found to be vulnerable.

Anybody running Apache framework services or any Spring Boot Java-based framework application that uses log4j2 is likely to be vulnerable.


Affected Apache log4j2 Versions



How to SPOT VULNERABLE APPLICATIONS

Ask the admin/system team to run a search/grep command on all servers to spot any file with "log4j2" in its name, then check whether it is a vulnerable version or not.
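As an added example (not from the original post), a small Python script that does this search programmatically: it walks a directory tree, picks out jars named log4j-core-<version>.jar, and flags any version below 2.15.0, the fixed release named in the mitigation below. It assumes the jar keeps its upstream file name, so renamed or shaded copies and fat jars that bundle log4j-core are not found this way.

```python
# Added example (not from the original post): find log4j-core jars by their
# upstream file name and flag versions below the 2.15.0 fix release.
import os
import re
import tempfile

FIXED_VERSION = (2, 15, 0)
# Assumption: jars keep the upstream name log4j-core-<major>.<minor>.<patch>.jar
JAR_NAME = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(filename):
    """Return (major, minor, patch) from a log4j-core jar name, else None."""
    m = JAR_NAME.match(os.path.basename(filename))
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True when the version sorts below the fixed release."""
    return version < FIXED_VERSION


def scan_tree(root):
    """Return sorted (path, version string, status) for every jar found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            version = parse_version(name)
            if version is None:
                continue                      # not a log4j-core jar
            status = "VULNERABLE" if is_vulnerable(version) else "patched"
            findings.append((os.path.join(dirpath, name),
                             ".".join(map(str, version)), status))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample tree of empty jar files so the scan runs offline."""
    root = tempfile.mkdtemp()
    for rel in ("app1/lib/log4j-core-2.14.1.jar",
                "app2/WEB-INF/lib/log4j-core-2.15.0.jar",
                "app2/WEB-INF/lib/log4j-api-2.14.1.jar"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root


if __name__ == "__main__":
    for path, ver, status in scan_tree(build_demo_tree()):
        print(f"{status:10s} {ver:8s} {path}")
```

Point it at the real root (for example `scan_tree("/")`) on a server; log4j-api is deliberately ignored because the post reports the flaw against the log4j-core jar.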


PERMANENT MITIGATION:

Version 2.15.0 of log4j has been released without the vulnerability. log4j-core.jar is available on the Apache Log4j page below; you can download it and update it on your system.

Ref Link: https://logging.apache.org/log4j/2.x/download.html


TEMPORARY MITIGATION:

Add "log4j.format.msg.nolookups=true" to the global configuration of your server/web applications.



Sunday, February 28, 2021

Open Source Static Code Analysis tools - Horusec

Horusec is an open source tool that performs static code analysis to identify security flaws during development.



Currently, the languages supported for analysis are: C#, Java, Kotlin, Python, Ruby, Golang, Terraform, JavaScript, TypeScript, Kubernetes, PHP, C, HTML, JSON and Dart. The tool has options to search for key leaks and security flaws in all files of your project, as well as in the Git history. Horusec can be used by the developer through the CLI and by the DevSecOps team in CI/CD pipelines.



To achieve these goals, delivery is split into phases:

  • Phase 0: Support for all horusec-cli features in horusec-vscode (Q1)
  • Phase 1: Support for Theia (VS Code Web) (Q1)
  • Phase 2: Support for Flutter, Dart, Bash, Shell, Elixir, Clojure and Scala in analysis (Q1)
  • Phase 3: New service to manage the vulnerabilities found (Q2)
  • Phase 4: Dependency analysis for all supported languages (Q3)
  • Phase 5: SAST with MVP semantic analysis (Q4)
  • Phase 6: DAST with MVP symbolic analysis (Q4)
Horusec Demo:


Download and Installation Ref:

https://github.com/ZupIT/horusec/tree/master/horusec-cli#installing

Sunday, December 27, 2020

Retrieves Passwords From Pixelized - Depix Tool

Depix:

Depix is a tool for recovering passwords from pixelized screenshots.

This implementation works on pixelized images that were created with a linear box filter.



For all those who thought saving passwords as pictures, rather distorted pictures, is a great idea – things have changed. A new hacking tool, ‘Depix’, is now online that retrieves passwords from pixelized images, such as screenshots.

Depix Tool Deciphering Pixelized Screenshots

A researcher, Sipke Mellema, with the alias ‘beurtschipper’ on GitHub, has developed an interesting tool that can decipher pixelized images. Dubbed ‘Depix’, the tool even retrieves passwords from pixelized screenshots, debunking the idea that sensitive details like passwords can be shared safely simply by pixelizing them. Reading text from pixelized images is difficult, which is why, according to the researcher, many businesses store passwords in sensitive documents after pixelization.


Ref Link: https://github.com/beurtschipper/Depix


Friday, August 21, 2020

Open Sources Tool - Stringlifier & Tripod

Stringlifier:

Stringlifier is a Python-based tool/module that helps with analyzing security and application logs, or with discovering credentials that might have been accidentally exposed.


Typical usage scenarios include:

  • Sanitizing application or security logs
  • Detecting accidentally exposed credentials (complex passwords or API keys)


It detects code/text that resembles a randomly generated string in any plain text. It uses machine learning to distinguish between normal and random character sequences. It can also be adapted for more fine-grained classifications (password, API key, hash, etc.). 


“1e32jnd9312”, “32189321-DEF3123-9898312”, “ADEFi382819312.” Do these strings seem familiar? They could be hashes, randomly generated passwords, API keys, or many other types of strings. You can usually spot them in logs, command lines, configuration files, and source code. Whether you are analyzing security and application logs or you are hunting for accidentally exposed credentials, they can, unfortunately, make your life a lot harder. This is because building a search pattern for something random is a particularly hard task.
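As an added example (a character-entropy heuristic written for this page, not Stringlifier's machine-learning model), the log-sanitizing use case from above: tokens that look randomly generated are detected and masked, while ordinary words and host names are left alone. The log lines, session id and API key are constructed for the example.

```python
# Added example (a heuristic stand-in, not Stringlifier's ML model): flag tokens
# in log lines that look randomly generated and mask them for log sanitizing.
import math
import re
from collections import Counter

TOKEN = re.compile(r"[A-Za-z0-9_\-\.]+")
MIN_LEN = 12            # short tokens give unreliable entropy estimates
MIN_CLASS_RATIO = 0.2   # digits and letters must each make up 20%+ of the token
MIN_ENTROPY = 3.0       # bits per character; natural-language words sit well below

def shannon_entropy(s):
    """Shannon entropy of the character distribution, in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_random(token):
    """Long, mixed digit/letter, high-entropy tokens are treated as random."""
    if len(token) < MIN_LEN:
        return False
    digits = sum(ch.isdigit() for ch in token)
    letters = sum(ch.isalpha() for ch in token)
    if min(digits, letters) / len(token) < MIN_CLASS_RATIO:
        return False    # e.g. host names like web-01.internal carry too few digits
    return shannon_entropy(token) >= MIN_ENTROPY

def sanitize(line):
    """Return (masked line, list of tokens that were masked)."""
    found = []
    def mask(m):
        tok = m.group(0)
        if looks_random(tok):
            found.append(tok)
            return "<RANDOM>"
        return tok
    return TOKEN.sub(mask, line), found

# Constructed log lines; the session id and API key are made up for the example
LOG_LINES = [
    "INFO login user=alice session=a8f3k2d9q1z7x4v6 from web-01.internal",
    "WARN retrying database-primary connection after 3 failures",
    "DEBUG outbound request api_key=xK9pL2mQ7vR4sT1w status=200",
]

if __name__ == "__main__":
    for line in LOG_LINES:
        masked, hits = sanitize(line)
        print(masked, "  <-", hits)
```

Purely numeric identifiers are not flagged by this heuristic (they fail the mixed-class test), which is one of the gaps a trained classifier such as Stringlifier closes.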


Download Link:

https://github.com/adobe/stringlifier


Tripod:

Tripod is a tool/ML model for computing latent representations for large sequences. It has been used on source code and text, and it has applications such as:

  • Malicious code detection
  • Sentiment analysis
  • Information/code indexing and retrieval
  • Anomaly Detection/ Unsupervised Learning

Monday, June 8, 2020

Open Source Microservices Tool - Istio

Istio:

Istio is an open platform that provides a uniform way to connect, manage, and secure microservices.



Istio provides the underlying secure communication channel, and manages authentication, authorization, and encryption of service communication at scale. With Istio, service communications are secured by default, letting you enforce policies consistently across diverse protocols and runtimes – all with little or no application changes.




Istio lets you connect, secure, control, and observe services.



While Istio is platform independent, using it together with Kubernetes (or infrastructure) network policies brings even greater benefits, including the ability to secure pod-to-pod or service-to-service communication at both the network and application layers.

Ref Link : 


Download Link :




Sunday, May 31, 2020

Docker / Containers- Security Analysis and Vulnerability Assessment Tools

DockerScan:

DockerScan is a Docker analysis tool to detect vulnerabilities in Docker images and Docker registries.


Very quick install

> python3.5 -m pip install -U pip
> python3.5 -m pip install dockerscan

Show options:

> dockerscan -h

Docker Demo

Available actions

Currently DockerScan supports these actions:

  • Scan: Scan a network trying to locate Docker registries.

  • Registry
    • Delete: Delete a remote image / tag
    • Info: Show info from a remote registry
    • Push: Push an image (like the Docker client)
    • Upload: Upload a random file

  • Image
    • Analyze: Look for sensitive information in a Docker image.
      • Look for passwords in environment vars.
      • Try to find any URL / IP in the environment vars.
      • Try to deduce the user used internally to run the software. This is not trivial: if the entry point is a .sh file, read the file and try to find a call to a sudo-like command (“sudo”, “gosu”, “sh -u”, ...) and report the user found.
    • Extract: Extract a Docker image
    • Info: Get an image's meta information
    • Modify:
      • entrypoint: change the entrypoint in a Docker image
      • trojanize: inject a reverse shell into a Docker image
      • user: change the running user in a Docker image
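As an added example (not DockerScan's own code), the three "Analyze" checks above re-implemented over a constructed image config of the shape found in an image's config JSON (its "Env" and "User" fields) together with the text of its entrypoint script: password-like environment keys, URLs/IPs in environment values, and the user a sudo-like call switches to. The config values, script and user names are constructed for the example.

```python
# Added example (not DockerScan's code): the "Analyze" checks listed above, run
# over a constructed image config (the "Env"/"User" fields of an image's config
# JSON) plus the text of its entrypoint script.
import json
import re

SECRET_KEYS = re.compile(r"pass(word)?|secret|token|api_?key", re.I)
URL_OR_IP = re.compile(r"https?://\S+|\b(?:\d{1,3}\.){3}\d{1,3}\b")
# sudo-like calls: "sudo -u USER", "gosu USER", "su USER"; the user is the
# first word after the command ("sh -u", also named above, is not handled)
PRIV_DROP = re.compile(r"\b(?:sudo\s+-u|gosu|su)\s+([A-Za-z_][A-Za-z0-9_-]*)")

def analyze_env(env):
    """env: list of 'KEY=VALUE' strings; returns credential keys and endpoints."""
    findings = {"credentials": [], "endpoints": []}
    for item in env:
        key, _, value = item.partition("=")
        if SECRET_KEYS.search(key):
            findings["credentials"].append(key)
        findings["endpoints"].extend(URL_OR_IP.findall(value))
    return findings

def deduce_user(config, entrypoint_script):
    """Prefer the image's explicit User; otherwise look for a privilege-dropping
    call in the entrypoint script and report the user it switches to."""
    if config.get("User"):
        return config["User"]
    m = PRIV_DROP.search(entrypoint_script)
    return m.group(1) if m else "root (no user switch found)"

def analyze_image(config, entrypoint_script):
    report = analyze_env(config.get("Env", []))
    report["user"] = deduce_user(config, entrypoint_script)
    return report

# Constructed sample config and entrypoint script, not taken from a real image
SAMPLE_CONFIG = {
    "Env": ["PATH=/usr/local/bin:/usr/bin",
            "DB_PASSWORD=s3cr3t-constructed",
            "API_BASE=http://10.0.5.20:8080/api",
            "LOG_LEVEL=info"],
}
SAMPLE_ENTRYPOINT = """#!/bin/sh
chown -R app:app /data
exec gosu app /usr/local/bin/server "$@"
"""

if __name__ == "__main__":
    print(json.dumps(analyze_image(SAMPLE_CONFIG, SAMPLE_ENTRYPOINT), indent=2))
```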



Friday, May 15, 2020

DevSecOps Static Code Analysis Tool - Checkov

Checkov:

Checkov scans cloud infrastructure provisioned using Terraform, CloudFormation or Kubernetes and detects security and compliance misconfigurations.




Simple and open-source


Checkov is written in Python and provides a simple method to write and manage codified, version-controlled policies.

Features

  • 100+ built-in policies cover security and compliance best practices for AWS, Azure & Google Cloud.
  • Scans Terraform and AWS CloudFormation configurations.
  • Scans for AWS credentials in EC2 user data, Lambda environment variables and Terraform providers.
  • Policies support evaluation of variables to their optional default value.
  • Supports in-line suppression of accepted risks or false positives to reduce recurring scan failures. Also supports global skips from the CLI.
  • Output currently available as CLI, JSON or JUnit XML.
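As an added example (not Checkov's own code or API), a minimal policy evaluator in the spirit of the features above: policies are codified as Python functions, var.* references resolve to the variable's declared default before evaluation, and an accepted risk is suppressed in-line on the resource. The check ids, resource definitions and skip syntax are constructed for the example.

```python
# Added example (not Checkov's code): minimal codified-policy evaluator over
# pre-parsed Terraform resources, with var.* default resolution and in-line skips.
POLICIES = {}

def policy(check_id, resource_type):
    """Register fn(attrs) -> bool (True = passes) as a policy for one resource type."""
    def register(fn):
        POLICIES[check_id] = (resource_type, fn)
        return fn
    return register

@policy("EX_S3_1", "aws_s3_bucket")   # check ids are constructed, not Checkov's
def bucket_not_public(attrs):
    return attrs.get("acl", "private") not in ("public-read", "public-read-write")

@policy("EX_SG_1", "aws_security_group")
def no_world_ssh(attrs):
    return not any(r.get("from_port") == 22 and "0.0.0.0/0" in r.get("cidr_blocks", [])
                   for r in attrs.get("ingress", []))

def resolve(value, variables):
    """Replace 'var.NAME' references with that variable's declared default."""
    if isinstance(value, str) and value.startswith("var."):
        return variables[value[4:]]["default"]
    if isinstance(value, list):
        return [resolve(v, variables) for v in value]
    if isinstance(value, dict):
        return {k: resolve(v, variables) for k, v in value.items()}
    return value

def scan(resources, variables):
    """Return {check_id: {resource_name: 'PASSED' | 'FAILED' | 'SKIPPED'}}."""
    results = {}
    for res in resources:
        attrs = resolve(res["attrs"], variables)
        for check_id, (rtype, fn) in POLICIES.items():
            if rtype != res["type"]:
                continue
            skipped = check_id in res.get("skip", [])   # in-line suppression
            verdict = "SKIPPED" if skipped else ("PASSED" if fn(attrs) else "FAILED")
            results.setdefault(check_id, {})[res["name"]] = verdict
    return results

# Constructed input of the shape a Terraform parser would hand the evaluator
VARIABLES = {"bucket_acl": {"default": "public-read"}}
RESOURCES = [
    {"type": "aws_s3_bucket", "name": "logs", "attrs": {"acl": "var.bucket_acl"}},
    {"type": "aws_security_group", "name": "bastion", "skip": ["EX_SG_1"],  # accepted risk
     "attrs": {"ingress": [{"from_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "aws_security_group", "name": "app",
     "attrs": {"ingress": [{"from_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]}},
]
```

Running `scan(RESOURCES, VARIABLES)` fails the bucket only because the variable default was resolved; without that step the literal "var.bucket_acl" would have passed the ACL check unnoticed.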



Image Source: https://www.checkov.io/