Forum Discussion
Tenable Research is providing the following supporting information about the 31 NASL detection plugins and two WAS plugins recently released in response to a critical vulnerability reported in Log4j (Log4Shell). As a reminder, it is recommended that thorough_tests be enabled for all scans using these CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, and CVE-2021-45105 plugins.
NASL plugins
156183 Apache Log4j 2.x < 2.17.0 DoS
- Version check for known vuln Log4j versions related to CVE-2021-45105 in Windows, Unix and Linux systems
156057 Apache Log4j 2.x < 2.16.0
- Version check for known vuln Log4j versions related to CVE-2021-45046 in Windows, Unix and Linux systems
156165 Apache Log4j 2.x < 2.16.0 RCE
- Version check for known vuln Log4j versions related to CVE-2021-45046 in MacOS systems
156164 Apache Log4Shell CVE-2021-45046 Bypass Remote Code Execution - (Direct Check HTTP)
- Direct Check compatible with Tenable.io Cloud Scanners and restrictive networks
- Delivers jndi:ldap crafted payloads including Session, JSession and PHPSession into the HTTP headers and then tracks the injection via DNS when the callback is made.
- Callback is needed given the nature of the vulnerability wherein the target / victim connects back to the host sending the original request and the host is vulnerable if the callback happens
- This plugin uses DNS (default port 53) for network communication.
The following Apache Log4Shell CVE-2021-44228 Direct Checks share common techniques applied on different ports and protocols. They all share the following attributes:
- Direct Checks compatible with Tenable.io Cloud Scanners and restrictive networks
- Callback is needed given the nature of the vulnerability wherein the target / victim connects back to the host sending the original request and the host is vulnerable if the callback happens
- These plugins use DNS (default port 53) for network communication.
- Delivers jndi:ldap crafted header script to select ports on a scan target and then tracks the injection via DNS when the callback is made
- CVE-2021-44228 direct check not requiring authentication
156669 Apache Log4Shell RCE detection via callback correlation (Direct Check - MSRPC)
156559 Apache Log4Shell RCE detection via callback correlation (Direct Check - RPCBIND)
156445 Apache Log4Shell RCE detection via callback correlation (Direct Check - PPTP)
156375 Apache Log4Shell RCE detection via callback correlation (Direct Check - UPnP)
156258 Apache Log4Shell RCE detection via callback correlation (Direct Check - NTP)
156257 Apache Log4Shell RCE detection via callback correlation (Direct Check - DNS)
156256 Apache Log4Shell RCE detection via callback correlation (Direct Check - SNMP)
156232 Apache Log4Shell RCE detection via callback correlation (Direct Check - SMB)
156197 Apache Log4Shell RCE detection via callback correlation (Direct Check - NetBIOS)
156166 Apache Log4Shell RCE detection via callback correlation (Direct Check - SSH)
156162 Apache Log4Shell RCE detection via callback correlation (Direct Check - Telnet)
156158 Apache Log4Shell RCE detection via callback correlation (Direct Check - IMAP)
156157 Apache Log4Shell RCE detection via callback correlation (Direct Check - POP3)
156132 Apache Log4Shell RCE detection via callback correlation (Direct Check - SMTP)
156115 Apache Log4Shell RCE detection via callback correlation (Direct Check - FTP)
156056 Apache Log4Shell RCE detection via callback correlation (Direct Check - any open port)
156035 VMware vCenter Log4Shell (Direct Check HTTP)
- Delivers jndi:ldap crafted payloads into the HTTP header of VMWare vCenter applications installed on the remote host on a scan target and then tracks the injection via DNS when the callback is made
156017 Apache Log4Shell RCE detection via callback correlation (Direct Check - SIP)
156016 Apache Log4Shell RCE detection via Path Enumeration (Direct Check HTTP)
156014 Apache Log4Shell RCE detection via callback correlation (Direct Check HTTP)
CVE-2021-44228 direct check not requiring authentication
- Direct Check compatible with Tenable.io Cloud Scanners and restrictive networks
- Injects payload into the HTTP headers and then tracks the injection via DNS when the callback is made
- Callback is needed given the nature of the vulnerability wherein the target / victim connects back to the host sending the original request and the host is vulnerable if the callback happens
- This plugin uses DNS (default port 53) for network communication.
155998 Apache Log4j Message Lookup Substitution RCE (Log4Shell) (Direct Check)
CVE-2021-44228 direct check not requiring authentication
- Scanner sends jndi:ldap string to target and listens for LDAP BIND request from target
- It is not compatible with Tenable.io cloud scanners and may fail to return results in certain networks due to firewall rules or interference from other security devices.
- Callback is needed given the nature of the vulnerability wherein the target / victim connects back to the host sending the original request and the host is vulnerable if the callback happens
- This plugin uses ephemeral ports 50,000-60,000 for network communication
156001 Apache Log4j JAR Detection (Windows)
Local Windows detection **recommend Thorough Tests**
- Checks running processes for Java instances running with Log4j in classpath and records the file paths
- Searches the file system for .jar files with known vuln Log4j filename matches (if thorough tests is enabled)
156000 Apache Log4j Installed (Unix)
Local Linux detection
- Checks rpm packages for vulnerable Log4j matches (RedHat, Gentoo, SuSE, etc.)
- Searches the file system paths for known vulnerable Log4j matches (if thorough tests is enabled)
155999 Apache Log4j < 2.15.0 Remote Code Execution
Local Linux Detection (uses 156000)
- Version check for known vuln Log4j versions in Unix and Linux systems
156002 Apache Log4j < 2.15.0 Remote Code Execution
Local Windows detection (uses 156001)
- Version check for known vuln Log4j versions in Windows systems
156032 EOL plugin for Log4j 1.x
- Apache Log4j version < 1.x End of Life / Unsupported Version Detection
156103 Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)
- The version of Apache Log4j on the remote host is 1.2. It is, therefore, affected by a remote code execution vulnerability when specifically configured to use JMSAppender.
WAS plugins
113075 Apache Log4j Remote Code Execution (Log4Shell)
CVE-2021-44228 direct check not requiring authentication
- Injects payload into the HTTP headers, POST/GET values, XML, JSON, cookies, etc. and then tracks the injection via DNS when the callback is made
- Callback is needed given the nature of the vulnerability wherein the target / victim connects back to the host sending the original request and the host is vulnerable if the callback happens
113076 Apache Log4j Remote Code Execution (Log4Shell)
CVE-2021-44228 WAS Log4Shell file detection plugin
- Scans the web application directories for a known vulnerable version of the Log4j installation file and flags the host if found
19 Replies
- Anonymous
These plugins return results for earlier versions of Log4j which are not vulnerable to Log4Shell. E.g. v1.2.15
Can they be updated to be more specific to the vulnerable versions?
I second this, given the scope of the issue it would make prioritisation more approachable
- Anonymous
That's not entirely accurate. There is a configuration in Log4J 1.x using the JMSAppender class that does render it vulnerable. It's off by default I believe, but still should be something that is identified and then checked further.
- Anonymous
Is there a possibility to miss the vulnerability if only direct checks are used instead of authenticated scans? (Plugins - 156014, 155998 )
- Anonymous
Seems like it. For what it's worth, we have only gotten results from the local checks. There is a lot that could interfere with a direct check callback succeeding.
- jbergeron (Connect Contributor)
Hi Folks,
Has anyone heard an answer to this Q from a day or so ago?
Is there a possibility to miss the vulnerability if only direct checks are used instead of authenticated scans? (Plugins - 156014, 155998 )
- bmoran1 (Connect Contributor)
The direct checks require network access for a callback to succeed. I've had much more success with the authenticated plugins.
- TM_SSJ4 (Connect Contributor III)
Can we PLEASE also change the patched version being reported to 2.16 as the 2.15 has proven to be bypassed. It is causing A LOT of confusion in my Org.
- paul_jacoby (Connect Contributor IV)
Issue -- when a host has MULTIPLE copies of log4j.jar found in plugin 156001, plugin 156002 appears to report the "last" version detected on a host as THE vulnerable version. This can be misleading or fully wrong depending on the order of entries found in 156001. Here's an example. I'm not sure how Tenable can draw the "most current but vulnerable" data out of 156001 into 156002, but we really want to focus on the latest version installed.
156002 - Apache Log4j < 2.15.0 Remote Code Execution (Windows) – indicates version 1.2.15 is installed and vulnerable
Path : C:\CDFA\thirdparty\log4j-1.2.15.jar
Installed version : 1.2.15
Fixed version : 2.15.0
156001 – Apache Log4j JAR Detection (Windows) – shows that the file system contains FOUR installations, with three different versions. The “real” vulnerability is the file shown in plugin 156001, versions 2.12.0 and 2.14.0.
Nessus detected 4 installs of Apache Log4j:
Path : C:\Program Files\IBM\Connect Direct v6.1.0\install\agent\bin\lib\log4j-core-2.12.0.jar
Version : 2.12.0
Method : JAR filesystem search
Path : C:\CDFA\thirdparty\log4j-2.14.0.jar
Version : 2.14.0
Method : JAR filesystem search
Path : C:\CDFA\thirdparty\log4j-core-2.14.0.jar
Version : 2.14.0
Method : JAR filesystem search
Path : C:\CDFA\thirdparty\log4j-1.2.15.jar
Version : 1.2.15
Method : Running process
Process ID : 2072
Process Path : C:\CDFA\jre\bin\java.exe
Running : 1
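To illustrate the ordering problem raised in the post above, here is an added example (not Tenable plugin code) that parses a 156001-style block, separates Log4j 2.x entries below the 2.15.0 fix threshold that 156002 reports in this thread from 1.x entries (only relevant to the JMSAppender issue), and reports the highest vulnerable version rather than whichever entry came last. The sample block is constructed from the output quoted above.

```python
import re

# Constructed sample modelled on the plugin 156001 output quoted in the thread.
SAMPLE_156001 = r"""Nessus detected 4 installs of Apache Log4j:
Path : C:\Program Files\IBM\Connect Direct v6.1.0\install\agent\bin\lib\log4j-core-2.12.0.jar
Version : 2.12.0
Method : JAR filesystem search
Path : C:\CDFA\thirdparty\log4j-2.14.0.jar
Version : 2.14.0
Method : JAR filesystem search
Path : C:\CDFA\thirdparty\log4j-core-2.14.0.jar
Version : 2.14.0
Method : JAR filesystem search
Path : C:\CDFA\thirdparty\log4j-1.2.15.jar
Version : 1.2.15
Method : Running process
Process ID : 2072
Process Path : C:\CDFA\jre\bin\java.exe
Running : 1
"""

FIXED_2X = (2, 15, 0)  # fix threshold shown by plugin 156002 in this thread

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def parse_156001(text):
    """Return one dict per install (path, version, method) in output order."""
    records, current = [], {}
    for line in text.splitlines():
        # "Process Path" and "Running" lines do not match because re.match anchors at the start
        m = re.match(r"(Path|Version|Method)\s*:\s*(.+?)\s*$", line)
        if not m:
            continue
        key, val = m.groups()
        if key == "Path" and current:      # a new Path line starts the next record
            records.append(current)
            current = {}
        current[key.lower()] = val
    if current:
        records.append(current)
    return records

def classify(records):
    """Split into 2.x below the fix (Log4Shell scope) and 1.x (JMSAppender scope only)."""
    vulnerable_2x = [r for r in records if parse_version(r["version"])[0] == 2
                     and parse_version(r["version"]) < FIXED_2X]
    legacy_1x = [r for r in records if parse_version(r["version"])[0] == 1]
    return vulnerable_2x, legacy_1x

def highest_vulnerable(records):
    """The version a prioritisation view should lead with; None if no 2.x install is below the fix."""
    vulnerable_2x, _ = classify(records)
    return max((r["version"] for r in vulnerable_2x), key=parse_version, default=None)
```

On the sample, the last record is 1.2.15 but the reported result is 2.14.0.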
- cezar1 (Connect Captain)
Please add the merge_plugin_results setting to your Nessus scanners and re-scan systems. The procedure is here: https://community.tenable.com/s/article/New-Nessus-scanner-setting-Merge-Plugin-Results
- paul_jacoby (Connect Contributor IV)
We are running Tenable.io with on-premise scanners. It appears this setting applies to Tenable.sc only?
- paul_jacoby (Connect Contributor IV)
One other issue -- it appears Tenable is determining the log4j.jar version number from the FILENAME.
log4j-2.14.0.jar will be identified as 2.14.0
log4j.jar will be identified as "unknown"
I'm not sure if it's possible to get a version number out of the Jar in an efficient manner -- it's in the MANIFEST.INF in most files we've opened up, but it takes time to extract it I imagine.
We've got thousands of "unknown" versions scattered about; how can plugins help us identify them?
How does Tenable scan for this Log4J vulnerability?
Specifically, does this search only for the vulnerable version or the presence of Log4J, or does it also test the Lookup switch which is a possible remediation?
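As an added example (not Tenable's plugin code) for the filename-versus-manifest question above: a JAR is a zip archive, and log4j-core jars carry an Implementation-Version attribute in META-INF/MANIFEST.MF, so a renamed log4j.jar can still be versioned by reading that entry. The example also checks whether the JndiLookup class is present in the archive, since removing it is one known mitigation. The jar bytes are constructed inline as a stand-in; real bytecode is not included.

```python
import io
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def build_sample_jar(version, with_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar: manifest plus optional JndiLookup entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        manifest = ("Manifest-Version: 1.0\r\n"
                    "Implementation-Title: Apache Log4j Core\r\n"
                    f"Implementation-Version: {version}\r\n")
        z.writestr("META-INF/MANIFEST.MF", manifest)
        if with_jndi_lookup:
            z.writestr(JNDI_LOOKUP_CLASS, b"placeholder")  # not real bytecode
    return buf.getvalue()

def read_manifest(jar_bytes):
    """Parse META-INF/MANIFEST.MF into a dict; manifest continuation lines begin with a space."""
    attrs, last = {}, None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        try:
            raw = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return attrs          # no manifest: caller reports "unknown"
    for line in raw.splitlines():
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            last, _, val = line.partition(":")
            last = last.strip()
            attrs[last] = val.strip()
    return attrs

def inspect_jar(jar_bytes):
    """Version and JndiLookup presence, independent of what the file on disk is named."""
    attrs = read_manifest(jar_bytes)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        has_lookup = JNDI_LOOKUP_CLASS in z.namelist()
    return {"title": attrs.get("Implementation-Title", "unknown"),
            "version": attrs.get("Implementation-Version", "unknown"),
            "jndi_lookup_present": has_lookup}
```

For an on-disk file, pass `open(path, "rb").read()` to inspect_jar; the only cost per file is reading the zip central directory and one small manifest entry.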
- ccoble (Connect Rookie)
This is so frustrating!!! As of this posting the newest plugins are not finding vulnerabilities in a known device that is vulnerable. We have deployed an appliance for testing that we can confirm is vulnerable by using the tool provided by Huntress(https://log4shell.huntress.com/). We paste the JNDI payload into the Username field on the login screen of this device; use any password and submit the form and we get a callback. Why is Nessus not able to detect this?
- paul_jacoby (Connect Contributor IV)
We continue to see some false positives on plugin 156002. Example output which shows the detected version as NOT log4j2.
Path : C:\Oracle\Middleware\EPMSystem11R1\common\loggers\Log4j\1.2.14\lib\log4j-1.2.14.jar
Installed version : 1.2.14
Fixed version : 2.15.0
These were all found on one user's machine:
Path : C:\Documents and Settings\user\.eclipse\org.eclipse.platform_4.4.2_1655873425_win32_win32_x86_64\configuration\org.eclipse.osgi\878\0\.cp\lib\log4j-1.2.15.jar
Installed version : 1.2.15
Fixed version : 2.15.0
Path : C:\Documents and Settings\user\.eclipse\org.eclipse.platform_4.4.2_1655873425_win32_win32_x86_64\configuration\org.eclipse.osgi\246\0\.cp\lib\log4j-1.2.15.jar
Installed version : 1.2.15
Fixed version : 2.15.0
Path : C:\Documents and Settings\user\.eclipse\org.eclipse.platform_4.4.2_1655873425_win32_win32_x86_64\configuration\org.eclipse.osgi\285\0\.cp\lib\log4j-1.2.15.jar
Installed version : 1.2.15
Fixed version : 2.15.0
Path : C:\Program Files\IBM\SDPShared\plugins\com.hp.hpl.jena.rdf_2.6.3.v20171117_2207\log4j-1.2.14.jar
Installed version : 1.2.14
Fixed version : 2.15.0
Path : C:\Program Files\IBM\SDPShared\plugins\com.ibm.nex.3rdparty.apache_2.2.0.v20100417_1714\lib\log4j-1.2.14.jar
Installed version : 1.2.14
Fixed version : 2.15.0
Path : C:\Program Files\IBM\SDP\configuration\org.eclipse.osgi\249\0\.cp\lib\log4j-1.2.13.jar
Installed version : 1.2.13
Fixed version : 2.15.0
Path : C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\external\axis2\1.6.2\log4j-1.2.15.jar
Installed version : 1.2.15
Fixed version : 2.15.0
Path : C:\Users\user\.eclipse\org.eclipse.platform_4.4.2_1655873425_win32_win32_x86_64\configuration\org.eclipse.osgi\246\0\.cp\lib\log4j-1.2.15.jar
Installed version : 1.2.15
Fixed version : 2.15.0
Path : C:\Users\user\.eclipse\org.eclipse.platform_4.4.2_1655873425_win32_win32_x86_64\configuration\org.eclipse.osgi\285\0\.cp\lib\log4j-1.2.15.jar
Installed version : 1.2.15
Fixed version : 2.15.0
Path : C:\Users\user\.eclipse\org.eclipse.platform_4.4.2_1655873425_win32_win32_x86_64\configuration\org.eclipse.osgi\878\0\.cp\lib\log4j-1.2.15.jar
Installed version : 1.2.15
Fixed version : 2.15.0
Are the plugins mentioned in the above post available for Nessus Essential?