
Tenable Blog


A Holiday Story, Internet Edition: The Impact Of Assessing And Addressing Log4j Installations Proactively

A look at our log4j data.


On December 10th, 2021, a critical, once-in-a-generation security flaw (CVE-2021-44228) was disclosed in log4j. With a deep heritage in understanding and assessing vulnerabilities, Tenable began work right away on many different ways to audit for this flaw, knowing it was, and remains, a race against the clock before these same methods are discovered and exploited by bad actors. The resulting static and dynamic checks assess for the vulnerability via well-documented vectors as well as some more arcane ones you may not have heard of, with more to come. For instance, while most of the public discussion has been about exploiting log4j over HTTP(S) (either through headers or by sending malformed input), we implemented many more protocols. Here are some of our initial findings in terms of prevalence (this is still in flux, with more protocols coming):

[Chart: prevalence of vulnerable log4j findings by protocol. Source: Tenable Research. Charts do not include axes so as to protect customer data.]

“Raw”, above, basically means: connect to any open port, send the ${jndi:...} payload and watch what happens. And, yes, believe it or not, we did find a handful of POP3 and IMAP servers that somehow send their logs to vulnerable log4j-enabled servers. What this graph shows is that the surface area for potential exploitation of log4j goes well beyond web protocols, and it is critical that customers assess the widest possible range of TCP/IP-based protocols.

One novel and effective method we use to dynamically discover vulnerable hosts consists of making the vulnerable ones perform a DNS resolution against a Tenable-operated DNS server (that process is fully documented here), effectively reporting back that the asset is at risk. This is a very reliable method, and it anonymizes the source of the data: it was designed so that Tenable would not hold a “master list” of vulnerable log4j installations, while still letting customers use this highly effective method to find vulnerable systems.

We receive hundreds of thousands of queries per second, and that volume remains steady as of this writing. These queries are made regardless of whether the remote servers are vulnerable (they are issued by the scanners themselves as part of the probe). That volume is expected: we have thousands of customers regularly scanning their environments.

Servers that are vulnerable to log4j make a different DNS query. Among other things, we can use this data as a proxy to estimate the overall volume of vulnerable servers over time:

[Chart: estimated volume of vulnerable servers over time. Source: Tenable Research. Charts do not include axes so as to protect customer data.]

As can be seen on this graph, the number of vulnerable servers we observed increased steadily as our customers rushed to detect them, and then decreased as more and more systems were patched. It is worth noting that scanning activity did not substantially decrease during the same period:

[Chart: scanning activity over the same period. Source: Tenable Research. Charts do not include axes so as to protect customer data.]

Three quarters of the servers we detected with our dynamic check had been fixed just in time for our customers to go home on 12/24 and spend the long weekend with their families, a huge win for already tired security teams. That said, this is a critical vulnerability, and we have been behind our customers the entire way to help them detect and remediate it as fast as possible.

Over the next few weeks and months, security researchers and attackers will continue to discover new attack vectors for log4j. There is still a lot to be done, and this problem is by no means fixed. Those who were early to audit for this problem and remediate it got to spend the end of the year with their families rather than doing incident response or rebuilding their environments. More importantly, their proactive approach and processes will help them stay on top of log4j as it continues to evolve.

In the meantime, let’s celebrate how quickly many in our industry are reacting to this flaw and keeping the infrastructure safe.
