What is Log4J and How it is affecting the control systems especially PLCs and DCS?

What is Log4J?

Apache Log4J is a logging utility based on Java written by Ceki Gülcü. It is part of Apache Logging Services. Log4J is one of the several logging frameworks of Java.

image

What is Log4Shell Vulnerability?

Log4Shell is a software vulnerability in Apache Log4J 2, a popular Java library for logging error messages from applications. The vulnerability, published as CVE2021-44228, could allow a remote attacker to take control of a device from the Internet if the device is running a specific version of Log4J 2.

Apache released a patch for CVE2021-44228 version 2.15 on December 6th, 2021. However, this patch left some of the vulnerabilities unpatched, with CVE202145046 and a second patch, version 2.16, released on December 13th, 2021. On December 17th, Apache unveil a third patch version called 2.17 to fix the vulnerability called CVE2021-45105.

A hacker or attacker can take over the control of the entire system by using a text message vulnerability. The Apache software foundation rated Log4J vulnerability a 10 out of 10 on the CVSS scale and this is the highest severity score due to its world popularity and attackers can exploit these bugs easily. As mitigation measures evolve and damage continues to unfold, the basics of Log4Shell’s vulnerabilities remain unchanged.

Also read: What are the major Cyber-attacks on various Programmable Logic Controllers Manufacturers?

What devices and applications are in danger?

Any device running Apache Log4J 2.0 through 2.14.1. The affected version, Log4J version 2 (Log4J2), is included in the Apache Struts2, Solr, Druid, Flink, and Swift frameworks, according to the NCSC (National Cyber Security Centre).

Mirai, a botnet that targets all types of internet-connected (IoT) devices, has found a way to exploit the issue. Cisco and VMware have both published updates for their vulnerable products.

Log4J affected VMware versions and the list of products

Vmware is an American-based cloud computing company. Log4J vulnerabilities affected various Vmware products and versions.

Impacted Products (Under Evaluation)

• VMware Horizon

• VMware vCenter Server

• VMware HCX

• VMware NSX-T Data Center

• VMware Unified Access Gateway

• VMware WorkspaceOne Access

Click here to know the complete list

Products NOT affected by Log4J

• VMware vSphere ESXi

• VMware Cloud Director (VCD)

• VMware Cloud Director Availability

• VMware NSX Advanced Load Balancer (Avi)

• VMware Workspace ONE Assist

Click here to know the full list

Log4J affected Cisco products and the list of products

Cisco is an American-based company that develops manufactures and sells various networking hardware, software, telecommunications equipment, and other high-technology services and products.

Affected Products

• Cisco Webex Meetings Server

• Cisco CX Cloud Agent Software

• Cisco Identity Services Engine (ISE)

• Cisco Common Services Platform Collector (CSPC)

• Cisco IOx Fog Director

Here is the complete affected products list

Who is affected by this?

Almost every software in the market has some logging utility for various purposes such as development, operational purposes, and security purposes.

For individuals, Log4J is part of the devices and services you use online in your daily life. Make sure the devices and software you are using are up-to-date as possible and turn ON automatic updates, this helps the system update automatically whenever new updates are released.

For enterprises, It is difficult find the enterprises to find out what are applications and software are based on the Log4J. This emphasizes the need of every business to pay attention to your software vendors and take the appropriate precautions.

How is Log4J affecting various PLCs and DCS?

How Log4J is affecting Honeywell System?

Honeywell is one of the leading control system manufacturers on the globe. As we discussed, an attacker can take over the control of the control system remotely via using a text message. The consequence once the hackers take over the control of the system would be terrible.

However, according to the Honeywell press release, they are still evaluating whether their products and services are under threat or not.

How Log4J is affecting Schneider System?

The Log4J vulnerability discovered in Schneider Electric’s make security issues in millions of devices worldwide could allow a remote attacker to gain complete and undetectable control of the chip, allowing remote code execution, malware installation, and other security measures. can. compromise.

According to Armis, Leverages undocumented commands that allow an attacker to leak hashes from device memory and exploit Schneider’s various application service protocols used to configure and monitor Schneider’s various PLCs, DCS, and more.

How Log4J is affecting Yokogawa System?

Yokogawa is a Japanese electrical as well software manufacturer. According to the press release from Yokogawa, the potential impact on Yokogawa products is

• CENTUM VP: Not Affected

• ProSafe-RS/ProSafe-RS Lite: Not affected

• Exaopc: Not affected

• Exaquantum: Not affected

• Exaplog: Not affected

• STARDOM: Not affected

• FAST/TOOLS: Not affected

• CI Server: Not affected

• PRM: Not affected

• VTSPortal: Not affected

However, Yokogawa requested their users to do the following things

• update their system, patch updates if any

• Install Anti-Virus

• Backup the system periodically

How Log4J is affecting Emerson System?

According to Emerson electric, they released names of the devices that are not affected by the Log4J vulnerability. Emerson’s affected products are yet to be disclosed, they only published products not affected by Log4J vulnerability.

Products NOT affected by Log4J

• Emerson Plantweb Insight

• Rosemount IO-Link Assistant

• MPFM2600 & MPFM5726

• DHNC1, DHNC2

• WCM, SWGM

• Fieldwatch and Service consoles

Click here to know more details

Emerson suggests the following security practices: safeguarding and segregating networks, keeping software and firmware up to date, and adhering to other hardening recommendations.

How Log4J is affecting ABB System?

ABB is well aware of the Log4Shell CVE-2021-44228 and CVE2021-45046 Apache Log4J v2.x vulnerabilities. If the vulnerability is exploited, an attacker may launch a remote code execution attack to gain control of an affected machine, according to ABB. They have completed the product inspection and have displayed the details of both affected and non-affected products on their website.

Affected Products

• Axis

• nMarket Global

• UNEM

• FOXMAN-UN

To view the results, please click here.

How to safeguard the system from Log4J?

The methods to protect from Log4J vulnerabilities are

• Patching and Updates

• Create Log4J-specific rules in the Web Application Firewall.

• Threat Hunting and Alerts

Patching and Updates

Update Log4J to vesrion 2.15.0. Make ensure that you install all the updates and other security patches from the vendors and manufacturers.

Create Log4J-specific rules in the Web Application Firewall.

At the time, installing a Web Application Firewall is the greatest method of defence against Log4j (WAF). If your business already has a WAF in place, it is best to apply Log4j-specific rules.

You can protect your applications from Log4j by identifying and blocking harmful character strings on upstream devices such as a WAF.

Threat Hunting and Alerts

The National Cyber Security Center (NCSC) recommends setting up alerts for detections or attacks on devices running Log4j.

Have your organization’s security team continue to scan for anomalies on a regular basis and take action on any alerts Log4j generates.