Saifuddinit, posted January 1, 2022:

We are facing an issue with a new security vulnerability. Can you please check? It is already showing on one of our client machines and it is blocked, but can you confirm that it is secure, or that it is secured by ESET? We are waiting for your reply.
itman, posted January 1, 2022 (edited):

FYI: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

You need to apply the latest Apache server patch update as noted here: https://www.bleepingcomputer.com/news/security/log4j-2171-out-now-fixes-new-remote-code-execution-bug/

It appears that an external source is trying to exploit this vulnerability via a Chrome connection from the client device.
Saifuddinit (author), posted January 1, 2022:

Hi Imran, but here we are not using any Apache server. This is just from Chrome and it is blocked by ESET, so is there anything I have to do from my end on the client laptop, or is there no need?
Marcos (ESET Administrators), posted January 1, 2022:

Also note that the attacks will continue even after patching vulnerabilities; you can't prevent that without filtering the communication on a firewall before the server. However, even if you didn't install the appropriate security update, ESET has blocked the communication, so you would be safe. Of course, that doesn't mean you could hesitate with the installation of security updates, not at all. Anyway, it would be of interest to see details of the attack, i.e. the source and target IP addresses and ports.
Saifuddinit (author), posted January 1, 2022:

Thank you, admin, for the update. So now what can we do to prevent this type of attack, and right now do we need to do anything on the client laptop, like a Windows update or an ESET update?
Marcos (ESET Administrators), posted January 1, 2022:

Quoting Saifuddinit (2 minutes ago): "Thank you, admin, for the update. So now what can we do to prevent this type of attack, and right now do we need to do anything on the client laptop, like a Windows update or an ESET update?"

If you don't have Apache installed, it was most likely a non-targeted attack, where the attacker was just trying to attack the machine in the hope that Apache might be installed.
itman, posted January 1, 2022:

Quoting Saifuddinit (12 minutes ago): "Hi Imran, but here we are not using any Apache server."

It is not just the Apache server that is vulnerable. Here is a comprehensive list of affected software: https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md
Saifuddinit (author), posted January 1, 2022 (edited):

Imran, I got what you mean to say: whatever software is in the link below needs the security patch update, right??
Saifuddinit (author), posted January 1, 2022:

Hi Imran, sorry, I got what you mean: the link below shows which software is affected.
itman, posted January 1, 2022:

Quoting Saifuddinit (11 minutes ago): "Imran, I got what you mean to say: whatever software is in the link below needs the security patch update, right??"

Not sure I understand you fully. If a software vendor's product is affected, the vendor has a patch for this vulnerability, and you have this affected software installed somewhere in your installation, then the patch should be installed ASAP.
Saifuddinit (author), posted January 1, 2022:

Hi ItMan, I got what you say, but I looked at the user's laptop and it didn't find any software which is infected. I can see the ESET log; it shows the action as blocked.
itman, posted January 1, 2022 (edited):

Quoting Saifuddinit (1 hour ago): "Hi ItMan, I got what you say, but I looked at the user's laptop and it didn't find any software which is infected. I can see the ESET log; it shows the action as blocked."

My current understanding of this Java-based vulnerability is that it is the most active exploit attempt. Assume that the user of the device where ESET detected the vulnerability via Chrome landed on a malicious or infected web site that attempted to exploit this vulnerability. This could have been done via numerous methods. It appears to me that the attacker found some software installed on your network installation that is vulnerable and tried to exploit it. Luckily, ESET detected the exploit attempt and blocked it.

Note that there are currently multiple exploits detected in regards to this Java vulnerability; CVE-2021-44228 is just one of them.

Also, make sure all your Chrome installations are using the latest version: https://www.cvedetails.com/cve/CVE-2021-30599/

Finally, CISA has developed an app that will scan your network for apps vulnerable to CVE-2021-44228: https://www.bleepingcomputer.com/news/security/cisa-releases-apache-log4j-scanner-to-find-vulnerable-apps/
Saifuddinit (author), posted January 1, 2022:

Hi ItMan, I have seen the link below. I have checked all software on the client laptop and there is no impact on anything, so what caused this to happen?
itman, posted January 1, 2022:

Quoting Saifuddinit (17 minutes ago): "Hi ItMan, I have seen the link below. I have checked all software on the client laptop and there is no impact on anything, so what caused this to happen?"

You have to check all your network devices, client and server devices alike, for vulnerable software, not just the laptop where the ESET alert was generated.
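The advice in the two itman posts above, scanning every device for vulnerable software and comparing against the patched release named in the linked article (Log4j 2.17.1), can be done locally without waiting on a network scanner. The script below is an added illustration, not ESET's, CISA's or any poster's tool: it walks a directory tree, opens every .jar/.war/.ear/.zip (including archives nested inside fat JARs and WARs), reads the Maven pom.properties that log4j-core ships with to get its version, and flags anything below 2.17.1. It also reports whether the JndiLookup class is present, since removing that class from log4j-core was a published workaround and a copy without it is not exploitable via the JNDI path even if the version number is old. The sample archives it scans are constructed in memory in demo() and are not real log4j builds.

```python
"""Inventory log4j-core archives under a directory tree and flag versions
older than 2.17.1 (the release the thread's linked article names).
Added illustration; assumptions: Maven pom.properties is present in the
archive (true for official log4j-core builds) and file names are not
trusted, only archive contents."""
import io
import os
import tempfile
import zipfile

FIXED_VERSION = (2, 17, 1)  # version named in the linked BleepingComputer article
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); tolerates suffixes such as '2.17.1-rc1'."""
    core = text.strip().split("-")[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def inspect_archive(data, name):
    """Return findings for one archive's bytes, recursing into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container: nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PATH in names:
            version = None
            for line in zf.read(POM_PATH).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
            jndi = JNDI_CLASS in names
            old = version is not None and parse_version(version) < FIXED_VERSION
            findings.append({
                "archive": name,
                "version": version,
                "jndi_lookup_present": jndi,
                "needs_patch": old,          # version below 2.17.1
                "vulnerable": old and jndi,  # old AND the JNDI lookup class is still there
            })
        for inner in names:
            if inner.lower().endswith(ARCHIVE_SUFFIXES):
                # Fat JARs and WARs bundle log4j-core inside; scan those too.
                findings.extend(inspect_archive(zf.read(inner), f"{name}!{inner}"))
    return findings


def scan_tree(root):
    """Walk a directory tree and inspect every archive found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings


def build_sample_jar(version, include_jndi=True):
    """Constructed sample: a minimal archive shaped like log4j-core (not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                              "artifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()


def wrap_in_fat_jar(inner_bytes):
    """Constructed sample: an application archive that bundles log4j-core in lib/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("lib/log4j-core-2.14.1.jar", inner_bytes)
    return buf.getvalue()


def demo():
    """Write constructed samples into a temp dir, scan it, key results by relative path."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app", "lib"))
        samples = {
            "app/lib/log4j-core-2.14.1.jar": build_sample_jar("2.14.1"),
            "app/lib/log4j-core-2.17.1.jar": build_sample_jar("2.17.1"),
            "app/lib/log4j-core-2.14.1-stripped.jar": build_sample_jar("2.14.1", include_jndi=False),
            "app/service.war": wrap_in_fat_jar(build_sample_jar("2.14.1")),
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        findings = scan_tree(root)
    return {os.path.relpath(f["archive"], root).replace(os.sep, "/"): f for f in findings}


if __name__ == "__main__":
    for archive, info in sorted(demo().items()):
        print(f"{archive}: version={info['version']} needs_patch={info['needs_patch']} "
              f"vulnerable={info['vulnerable']}")
```

Run scan_tree() against a real installation root (for example the directory a Java application is deployed under) and act on every entry with needs_patch set; an entry that is old but has no JndiLookup class has had the workaround applied, but the vendor patch should still follow, which is the point Marcos makes above about not hesitating with updates.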
Marcos (ESET Administrators), posted January 2, 2022:

Please provide logs collected with ESET Log Collector, which will show the IP address that the attack attempt originated from.
itman, posted January 2, 2022 (edited):

Here's a specific example of how attackers are exploiting this vulnerability. Hence the need to scan all installation devices for vulnerable apps and apply vendor-supplied patches:

Quote: "The attempted intrusion exploited the newly discovered Log4Shell flaw (CVE-2021-44228, CVSS score: 10.0) to gain access to a vulnerable instance of the VMware Horizon desktop and app virtualization product, followed by running a series of malicious commands orchestrated to fetch threat actor payloads hosted on a remote server."

https://thehackernews.com/2021/12/chinese-apt-hackers-used-log4shell.html