How Industrial Enterprises are Defending Against the Log4j Vulnerability
What is software logging, how can it be exploited, and what are leading industrial and cybersecurity experts saying about Log4j?
Log4j and Software Logging
A typical tool used in programming for debugging and troubleshooting is to keep a log of actions and events from the user and the software during runtime. This logging function is provided via a software library called Log4j.
Cybersecurity is an important aspect of industrial softwares. Image used courtesy of TheDigitalArtist
While many different libraries are available to facilitate logging, the Log4j library is found in many open source applications using the OPC UA framework. With OPC UA being a popular network protocol for industrial control, this vulnerability exposes many industrial facilities to security risks.
The Log4j library monitors and logs user inputs and software events. These logs can also execute code based on commands within the log.
The vulnerability found recently allows an attacker to log a specially crafted string, then when Log4j processes the log, the commands hidden within the string execute the code. This can be done remotely and allow full access and control to the affected application.
The applications most at risk are web-based applications requiring login credentials. The username and passwords are provided to the Log4j plugin as user inputs and stored as strings. These inputs are where the attacker inputs the malicious string into the logging software, hoping that the logging software will process the string at a later date.
Cyber attackers are usually malicious in nature. Image used courtesy of TheDigitalArtist
Resolving The Vulnerability
Many industrial commodity producers are at risk because this threat affects web-based applications with authentication. Additionally, industrial infrastructure is at risk due to the rise in popularity of Industry 4.0 and cloud-based manufacturing execution software (MES) solutions. If an attacker can gain access to these systems, they could cause severe harm or shut down the entire factory.
With this vulnerability residing within the application’s source code, there is not much that the end-user can do to resolve the issue. Fortunately, software developers have quickly developed a fix in the form of software patches. These patches are applied to the existing software and prevent the security risk from being exploited.
What are Cybersecurity Experts Saying About Log4j?
The National Institute of Standards and Technology (NIST) has a database that reports known vulnerabilities called the national vulnerability database. The database provides a detailed description of the Log4j vulnerability as well as an analysis description, solution websites, and known affected software configurations. Using this site, software technicians can develop patches.
How Microsoft is breaking down the vulnerability to its customers. Image used courtesy of Microsoft
The Cybersecurity and Infrastructure Security Agency (CISA) has joined forces with the Federal Bureau of Investigations (FBI) and other cybersecurity agencies from Canada, Australia, New Zealand, and the United Kingdom to release a joint cybersecurity advisory (CSA). The CSA provides mitigation guidance for dealing with the vulnerabilities in the Log4j software library.
What are Industry Companies Saying About Log4j?
Microsoft currently has software to detect security risks like the Log4j vulnerability called 365 Defender. This software can be configured to alert IT staff if the affected networks are running a vulnerable version of Log4j and actions to mitigate them.
Opto22, a PC-based industrial control system supplier, released a software patch and recommended its customers and end-users install it immediately.
Pilz, a safety PLC and component supplier, released a statement informing their customers that their safety hardware components do not use Java programming and do not have the affected Log4j library installed. However, some of their software products do utilize the Log4j affected version as well as the unaffected version.
Pilz has analyzed the risk and determined it is doubtful that attackers can exploit the vulnerability in its software. The company determined that it would publish a security advisory if the vulnerability could be exploited.
When working as a software engineer or technician, especially in industrial infrastructure, it is important to continually check vulnerabilities and deploy patches for your system. This vulnerability is no different.