The remote code execution vulnerability in Apache Log4j2 has been public for a week. Security vendors have shipped a range of defenses and detection tools, and enterprise (Party A) security teams have been responding around the clock.
Its impact continues today: new exploitation and bypass techniques keep surfacing online, and the blast radius keeps growing. Every security practitioner has started asking the same question: is our current defense actually effective, and what would an effective countermeasure look like the next time a 0day like this appears?
The Alibaba Cloud security team took part in many customer emergency responses during this incident. Drawing on that work and on the cloud platform's own defenses, we offer some views for discussion.
First, a technical look at why this Log4j2 vulnerability is so hard to deal with.
Characteristics of the Apache Log4j2 vulnerability
This Log4j2 vulnerability has two characteristics that make it especially hard to handle:
Arbitrary remote code execution
Vulnerabilities usually follow a rule that still holds most of the time: the truly dangerous ones have a high exploitation barrier, and the ones with a low barrier do limited harm. This vulnerability does not play by that rule: it affects a huge population, is trivial to exploit, and is extremely harmful. With all three factors overlapping, it has been called "epic" everywhere.
Java is used extremely widely and its ecosystem is huge, and Log4j is the basic logging component in a very large share of those applications.
Through JNDI injection an attacker obtains arbitrary remote code execution, which means they can do whatever they want on a vulnerable server.
Even when the JNDI connection cannot reach out from an internal network, the attacker can still combine the lookup feature to read sensitive information (database passwords, Java environment variables, and so on) and carry it out of the network inside DNS queries, since outbound DNS is often permitted where other egress is blocked.
Concealed traffic characteristics
In some scenarios there are almost no strong features that distinguish an exploit request from a normal one.
The PoC for this vulnerability is very simple, and the trigger points are numerous and flexible: any attacker-controlled string that ends up in a log message can fire it. Combined with nested variables and multiple protocols, the traffic characteristics become complex and well hidden. Log4j2's lookup feature supports special forms that post-process characters, such as ${lower:j}Ndi, ${upper:JN}di, ${aaa:vv:cc:-j}ndi and so on. These break up the continuity of the string, so the traffic during exploitation is extremely inconspicuous.
This is a huge challenge for every security product that relies on traffic signatures.
When the traffic features are not distinctive enough, signature-based rules are caught in a dilemma: either they fail to cover a variant or they generate serious false positives. The only recourse is to keep adding rules and cycle through being bypassed and patching the bypass. This approach does buy time for remediation at the start of a 0day outbreak, but as exploitation techniques keep multiplying there is no guarantee it will neither be bypassed nor raise false alarms.
The same underlying reason makes other "weak-signature" or even "zero-signature" scenarios hard to detect: encrypted traffic and in-memory webshells, both of which have shone in large-scale offensive and defensive drills, resemble the Log4j2 case in this respect.
So, is there a technology that can ignore the endless variation and concealment in exploit traffic, defend more naturally, and stop this class of 0day without even depending on rule updates?
RASP returns to view in this incident
RASP (Runtime Application Self-Protection) is nothing new to the security industry, but it has not been widely adopted because of its traditional reputation for intrusiveness.
An epidemic analogy captures the advantage of this technology: traditional perimeter products are like masks and protective clothing, while RASP is like a vaccine. It injects itself into the application, runs together with it, and detects high-risk behavior in real time by hooking key functions.
Why RASP is the natural enemy of 0days
Unlike detection based on traffic signatures, RASP focuses on application behavior, not on the traffic itself.
When RASP sees the application do something it would never do in normal operation, that means the application has been compromised by an attacker exploiting a vulnerability and is performing a high-risk operation (command execution, file read, file upload, SSRF, and so on).
In other words: any behavior RASP has to stop is an attack that has already reached the point of successful exploitation.
Compared with the effectively infinite variety of traffic features, the types of application behavior can usually be enumerated. Detecting from the viewpoint of abnormal application behavior collapses the search space to a limited set of types. This is the root reason RASP can ignore traffic features and protect against almost all 0days (including encrypted traffic and in-memory webshells) without relying on rule updates.
The reasons 0days and weak-signature vulnerabilities are hard to defend against were covered above. But however the traffic features change, the essence of exploitation stays the same: the application must be made to do something unsafe, that is, an application behavior or an attempt at one.
For this vulnerability, RASP does not care whether the request traffic contains a malicious payload; it watches what Log4j2 does with the JNDI function. A normal JNDI query is no problem, but an attempt to use JNDI to execute commands is obviously dangerous behavior.
It is at this stage that RASP plays its most important role: it pulls the application back from the brink before it makes the mistake.
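The decision that matters at that point can be written down. The following is an added example and not Alibaba Cloud RASP's implementation: a Python model of the policy a RASP hook on javax.naming.Context.lookup would evaluate, given the name being looked up and the calling stack. Local names (java:comp/env/..., plain names) pass; a lookup through a remote scheme such as ldap or rmi is blocked outright when Log4j2's JndiLookup class is on the stack, and otherwise allowed only to an allow-listed host. The call stacks, hostnames and application class names are constructed; in a real agent the name comes from the hooked argument and the frames from the JVM.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# JNDI URL schemes that open a network connection and can hand back a
# remotely supplied object reference or factory.
REMOTE_SCHEMES = frozenset({"ldap", "ldaps", "rmi", "iiop", "iiopname", "corbaname", "dns"})

# Call-stack prefixes that must never initiate a remote JNDI lookup.
# JndiLookup is Log4j2's own lookup class; a logging call has no business
# resolving a remote name.
SUSPICIOUS_CALLERS = ("org.apache.logging.log4j.core.lookup.JndiLookup",)


@dataclass(frozen=True)
class Decision:
    action: str          # "allow" or "block"
    reason: str
    host: str = ""       # remote host involved, if any (for the alert)


class BlockedLookup(RuntimeError):
    """Raised by the hook when the policy blocks a lookup."""


class JndiGuard:
    """Policy evaluated at the JNDI sink. This models what a RASP hook on
    javax.naming.Context.lookup would decide; the real agent obtains the
    name from the hooked argument and the frames from the JVM stack."""

    def __init__(self, allowed_hosts=()):
        self.allowed_hosts = frozenset(h.lower() for h in allowed_hosts)

    def check(self, name: str, call_stack) -> Decision:
        parts = urlsplit(name)
        scheme = parts.scheme.lower()
        if scheme not in REMOTE_SCHEMES:
            # java:comp/env/..., plain names: local naming, ordinary use.
            return Decision("allow", "local JNDI name")
        host = (parts.hostname or "").lower()
        for frame in call_stack:
            if frame.startswith(SUSPICIOUS_CALLERS):
                return Decision("block", f"remote {scheme} lookup initiated from {frame}", host)
        if host in self.allowed_hosts:
            return Decision("allow", f"remote {scheme} lookup to allow-listed host", host)
        return Decision("block", f"remote {scheme} lookup to unlisted host", host)

    def hooked_lookup(self, name: str, call_stack, real_lookup):
        """Wrapper the agent would install around the real lookup."""
        decision = self.check(name, call_stack)
        if decision.action == "block":
            raise BlockedLookup(f"{name}: {decision.reason}")
        return real_lookup(name)


# Constructed call stacks (innermost frame first), not captured from a JVM.
STACK_FROM_LOG4J = [
    "javax.naming.InitialContext.lookup",
    "org.apache.logging.log4j.core.lookup.JndiLookup.lookup",
    "org.apache.logging.log4j.core.lookup.Interpolator.lookup",
    "org.apache.logging.log4j.core.pattern.MessagePatternConverter.format",
]
STACK_FROM_APP = [
    "javax.naming.InitialContext.lookup",
    "com.example.app.DataSourceFactory.getDataSource",
    "com.example.app.OrderService.init",
]


if __name__ == "__main__":
    guard = JndiGuard(allowed_hosts=["ldap.corp.example"])
    for name, stack in [
        ("java:comp/env/jdbc/orders", STACK_FROM_APP),
        ("ldap://ldap.corp.example/ou=people", STACK_FROM_APP),
        ("ldap://attacker.example:1389/Exploit", STACK_FROM_LOG4J),
        ("ldap://ldap.corp.example/ou=people", STACK_FROM_LOG4J),
        ("ldap://s3cr3t.attacker.example/a", STACK_FROM_LOG4J),
    ]:
        d = guard.check(name, stack)
        print(f"{d.action:5} {name:40} {d.reason}")
```

Nothing in this policy looks at the request that carried the payload, which is the point: the last sample is the DNS/LDAP exfiltration variant with a secret already interpolated into the hostname, and it is blocked for exactly the same reason as the remote-class-loading variant. A real agent would apply analogous sink policies to process execution, file access and outbound HTTP, as the article lists.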
From this perspective, another advantage follows: extremely low false positives.
For example, if an application does not use Log4j2 at all, reporting an attack because of malicious features in the payload is a false positive, and to some extent it drains the energy of security staff.
Because RASP runs inside the application, it knows definitively whether the payload from the traffic layer actually reached Log4j2's dangerous function, so there are no "invalid alerts".
In recent years, from WebLogic to Shiro and from Dubbo to today's Log4j2, large-scale 0day outbreaks caused by third-party components have been continuous.
Because the code of such components is not maintained by the developers of the applications that use them, once a vulnerability breaks out, security staff first have to invest a lot of effort in finding out which applications use the vulnerable component. That is no easy task, especially in companies with many rapidly iterating applications, where it is entirely normal not to know which applications use which components at which versions.
This leads to another capability of RASP: self-inspection of third-party components.
When a 0day occurs, the path of the affected component can be located immediately, as shown below:
(Log4j component path located through Alibaba Cloud RASP)
For components with historically disclosed CVEs, RASP can automatically detect them and attach the corresponding CVE number, severity and other information, making it easier for security and development staff to fix them in time.
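As an added illustration of the same inventory step (not Alibaba Cloud RASP's code, which does this from inside the running JVM), the following Python script performs the check offline: it walks a deployment directory, opens every jar/war/ear, recurses into nested archives because fat jars and WARs embed their libraries, and reports the log4j-core version from Maven's pom.properties together with whether the JndiLookup class is present. The sample archive, its entry names and the version string are constructed; comparing the reported versions against the vendor advisory is left to the reader.

```python
import io
import os
import zipfile

# Entries that identify log4j-core inside any jar/war/ear.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def _read_version(zf: zipfile.ZipFile) -> str:
    """Version from Maven's pom.properties, or "unknown" if it is missing
    (shaded or repackaged builds often drop it)."""
    if POM_PROPERTIES not in zf.namelist():
        return "unknown"
    for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def _scan_zip(zf: zipfile.ZipFile, location: str, findings: list, depth: int) -> None:
    names = set(zf.namelist())
    if JNDI_LOOKUP_CLASS in names or POM_PROPERTIES in names:
        findings.append({
            "location": location,
            "log4j_core_version": _read_version(zf),
            "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
        })
    if depth <= 0:
        return
    # Fat jars (Spring Boot, shaded builds, WARs) nest the library jar.
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            with inner:
                _scan_zip(inner, f"{location}!/{name}", findings, depth - 1)


def scan_archive(archive, location: str = "", max_depth: int = 3) -> list:
    """Scan one archive (path or file-like object) for log4j-core."""
    label = location or (archive if isinstance(archive, str) else "<in-memory>")
    findings: list = []
    with zipfile.ZipFile(archive) as zf:
        _scan_zip(zf, label, findings, max_depth)
    return findings


def scan_tree(root: str, max_depth: int = 3) -> list:
    """Walk a deployment directory and scan every archive found."""
    findings: list = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    findings.extend(scan_archive(os.path.join(dirpath, fn), max_depth=max_depth))
                except zipfile.BadZipFile:
                    continue
    return findings


def build_fixture(version: str = "2.14.1", include_log4j: bool = True) -> bytes:
    """Construct a Spring-Boot-style fat jar in memory as a test fixture.
    The class entries hold placeholder bytes, not real bytecode."""
    placeholder = b"\xca\xfe\xba\xbe"
    lib = io.BytesIO()
    with zipfile.ZipFile(lib, "w") as z:
        z.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        z.writestr(JNDI_LOOKUP_CLASS, placeholder)
    app = io.BytesIO()
    with zipfile.ZipFile(app, "w") as z:
        z.writestr("BOOT-INF/classes/com/example/App.class", placeholder)
        z.writestr("BOOT-INF/lib/other-lib-1.0.jar", b"not a zip")   # non-archive noise
        if include_log4j:
            z.writestr(f"BOOT-INF/lib/log4j-core-{version}.jar", lib.getvalue())
    return app.getvalue()


def scan_constructed_fixture(version: str = "2.14.1", include_log4j: bool = True) -> list:
    """Build the constructed fixture and scan it without touching disk."""
    return scan_archive(io.BytesIO(build_fixture(version, include_log4j)), location="app.jar")


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(root) if root else scan_constructed_fixture()
    for f in results:
        print(f"{f['location']}: log4j-core {f['log4j_core_version']}, JndiLookup present: {f['jndi_lookup_present']}")
```

Run it with a deployment directory as the argument to inventory real hosts; without an argument it scans the constructed fixture. Two caveats a practitioner should keep in mind: a jar whose pom.properties was stripped reports "unknown" but still shows whether JndiLookup.class is shipped, and a scan of files on disk cannot see classes loaded from other sources (remote class loaders, hot-deployed bundles), which is the gap an in-process inventory closes.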
Cloud-native RASP: architectural advantages accelerate adoption
In 2014 Gartner listed RASP as a key trend in application security, but large-scale deployment of RASP in production has in fact been slow; only a few leading Internet companies have done it. The biggest obstacle is how intrusive RASP is to the application itself: developers worry about degraded performance, stability and compatibility.
Alibaba Group began deploying a self-developed RASP product in 2015. After years of practice it has completed large-scale deployment on the production network, where it has been tested by ultra-high-traffic businesses with performance overhead kept under control. It has to be said that accumulating that experience and continuously tuning the product took a great deal of time, and this is also the biggest difficulty for an enterprise security team trying to build RASP on its own.
The Alibaba Cloud security team has tried to export these RASP best practices. Last year it released a more general-purpose version of RASP suited to customer scenarios and deployed it on the production networks of several financial and education customers. This year, building on the cloud architecture, one-click RASP onboarding has been opened up (entry: the Application Security menu in Alibaba Cloud ARMS), greatly lowering the threshold for cloud users to adopt RASP defenses.
Among users who onboarded RASP during this incident, the Alibaba Cloud security team observed very intense Log4j2 exploitation and dangerous behavior. Taking one financial customer as an example, within 2 days of onboarding, RASP detected and intercepted 184 real attacks across 8 Java applications, including 43 command executions and 141 DNS probes. Without RASP in the defensive chain, these attacks would very likely have succeeded.
The current version is in free public beta, so colleagues handling the emergency can onboard RASP first and then upgrade calmly. If the application to be protected is not on the cloud, you can also contact us to deploy the offline version of RASP.
PS: In accordance with vulnerability management regulations, the vulnerability details in the screenshots have been blurred; thank you for your understanding.