IoT security
79 Topics

(Updated 21-DEC) Security Advisory - Apache Log4j CVE-2021-44228, CVE-2021-45046, CVE-2021-45105
Microsoft is investigating the remote code execution vulnerability related to Apache Log4j (a logging tool used by many Java-based applications) disclosed on 9 Dec 2021. Mitre has designated this vulnerability as CVE-2021-44228 with a severity rating of 10.0. This was followed by vulnerabilities disclosed on Dec 14th 2021 (CVE-2021-45046), potentially affecting non-standard configurations, and Dec 16th 2021 (CVE-2021-45105). For the latest status of Microsoft’s investigation, please see Microsoft’s Response to CVE-2021-44228 Apache Log4j 2. This advisory will continue to be updated as new information becomes available.

(Last Updated 21-DEC-2021) The advisory was updated to reflect that version 10.5.5 has been released with the latest Apache Log4j 2.17.0 and validated to mitigate CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.

We strongly recommend our customers implement the following mitigation steps based on an internal analysis of possible attack vectors.

Mitigation Guidance for Microsoft Defender for IoT

For Defender for IoT security appliances (OT network sensors and on-premises management console):

Deploy the latest software release

As of version 10.5.4, all components that were affected by CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 have been upgraded and secured. Customers are strongly encouraged to apply this update as soon as possible.

Manual Workaround

The workarounds described below will mitigate CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, and can be used until upgrading to version 10.5.4 or above.

OT Network Sensor

Using SSH, log in as an administrator with full privileges.
Execute the following:

    echo "find /var/cyberx/components/ -name \"start.sh\" -exec grep -L Dlog4j2.formatMsgNoLookups=true {} \; | xargs -I '{}' sed -i '/java_args.append(\"-Dlog4j.configurationFile=.*)/a java_args.append(\"-Dlog4j2.formatMsgNoLookups=true\")' {} && sed -i 's/args = \[\x27java\x27, \x27-Dlog4j\.configurationFile=\/var\/cyberx\/properties\/log4j2-active-tool\.xml\x27, \x27-jar\x27,/args = \[\x27java\x27, \x27-Dlog4j\.configurationFile=\/var\/cyberx\/properties\/log4j2-active-tool\.xml\x27, \x27-Dlog4j2\.formatMsgNoLookups=true\x27, \x27-jar\x27,/' /usr/local/bin/cyberx-xsense-cip-query-controllers && monit restart all" | sudo at now + 1 minutes

On Premises Management Console

Using SSH, log in as an administrator with full privileges. Execute the following:

    echo "find /var/cyberx/components/ -name \"start.sh\" -exec grep -L Dlog4j2.formatMsgNoLookups=true {} \; | xargs -I '{}' sed -i '/java_args.append(\"-Dlog4j.configurationFile=.*)/a java_args.append(\"-Dlog4j2.formatMsgNoLookups=true\")' {} && monit restart all" | sudo at now + 1 minutes

If you need further assistance

Please open a support ticket to contact our support team.

The Defender for IoT cloud service does not use log4j and is not vulnerable to any active attack vector caused by CVE-2021-44228 and CVE-2021-45046.

Latest Threat Intelligence Update for Monitoring CVE-2021-44228, CVE-2021-45046, CVE-2021-45105

Microsoft has released a dedicated Threat Intelligence update package for detecting Log4j exploit attempts on the network (example below). The package is available for download from the Microsoft Defender for IoT portal (Click Updates, then Download file).

MD5 Hash - 512081a7ce19e436c9ff7ed672024354

Update your system with the latest TI package:

Microsoft Defender for IoT now pushes new threat intelligence packages to cloud-connected sensors upon release, click here for more information.
Starting with sensor version 10.3, users can automatically receive up-to-date threat intelligence packages through Microsoft Defender for IoT. Working with automatic updates reduces operational effort and ensures greater security. Enable automatic updating on the Defender for IoT portal by onboarding your cloud-connected sensor with the toggle for Automatic Threat Intelligence Updates turned on.

Additionally, the package can be downloaded from the Microsoft Defender for IoT portal, under Updates:

To update a package on a single sensor:

1. Go to the Microsoft Defender for IoT Updates page.
2. Download and save the Threat Intelligence package.
3. Sign into the sensor console.
4. On the side menu, select System Settings.
5. Select Threat Intelligence Data, and then select Update.
6. Upload the new package.

To update a package on multiple sensors simultaneously:

1. Go to the Microsoft Defender for IoT Updates page.
2. Download and save the Threat Intelligence package.
3. Sign into the management console.
4. On the side menu, select System Settings.
5. In the Sensor Engine Configuration section, select the sensors that should receive the updated packages.
6. In the Select Threat Intelligence Data section, select the plus sign (+).
7. Upload the package.

For more information, please review Update threat intelligence data | Microsoft Docs

For further information

Follow the MSRC blog for more information, which is updated with information and protection details as they become available. For a more in-depth analysis of the vulnerability, exploitation, detections, and mitigations, consult the RiskIQ (acquired by Microsoft in August 2021) analysis.

Microsoft’s Response to CVE-2021-44228 Apache Log4j 2 – Microsoft Security Response Center
Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation - Microsoft Security Blog
Log4j – Apache Log4j Security Vulnerabilities
CVE - CVE-2021-44228 (mitre.org)

Cellular connectivity + Azure Sphere: security boundaries
You can introduce cellular connectivity by pairing the Azure Sphere device with a cellular-capable router device. It’s extremely important to be aware that there is a security boundary between the Azure Sphere elements and the cellular connectivity elements.

Building a Balancing Robot with Azure Sphere
In this blog post, we’re going to describe a balancing robot demo device built with Azure Sphere, showing how software, hardware, and physical design come together to create a real working device, which we then distributed to some end users.

Is Raspberry PI Bullseye also supported by Defender for IoT agent installation?
Hello,

As Azure IoT Edge is https://azure.microsoft.com/en-us/updates/azure-iot-edge-supports-debian-bullseye-arm32v7/ on a Raspberry PI, I was hoping to install the Defender for IoT agent on this device. But when I follow the Debian installation steps, I get an exception:

    sudo apt-get install defender-iot-micro-agent
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    Some packages could not be installed. This may mean that you have requested an impossible situation or if you are using the unstable distribution that some required packages have not yet been created or been moved out of Incoming.
    The following information may help to resolve the situation:
    The following packages have unmet dependencies:
    defender-iot-micro-agent : Depends: libcurl3 but it is not installable
    E: Unable to correct problems, you have held broken packages.

Unfortunately, I'm not able to install libcurl3:

    sudo apt install libcurl3
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    Package libcurl3 is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or is only available from another source
    However the following packages replace it:
    libcurl4
    E: Package 'libcurl3' has no installation candidate

Because libcurl3 is mandatory instead of optional, I'm not able to let the installer ignore it. Is there some solution?

Thanks,
Sander

Azure Security Center for IoT Webinar
Interested in learning about Azure Security Center for IoT? Check out our upcoming webinar. Details and registration at https://aka.ms/ASCIoTWebinar.

Azure Security Center for IoT is a new solution that allows organizations to easily protect their IoT deployments with threat protection driven by Microsoft’s unique threat intelligence. You can find more information about it at https://docs.microsoft.com/en-us/azure/asc-for-iot/overview.

The webinar will take place on Monday, August 5, 2019 at 08:00 PT / 11:00 ET / 15:00 GMT. Afterward, the recording will be posted to https://aka.ms/ASCIoTRecordings. We hope you’ll join us!

Azure Sphere 20.09 security updates
Another Azure Sphere release has occurred, and to accommodate the release I am presenting another security blog post. We are committed to keeping our system secure against evolving security threats, which takes both internal and external effort, the most recent external effort being the Azure Sphere Security Research Challenge that has wrapped up. Let's get to the list of changes and fixes done on the system without wasting any further time.