IPS FMC for Log4Shell

In general terms, last week a zero-day vulnerability called Log4Shell was discovered that could be exploited by remote attackers anywhere in the world. A zero-day vulnerability is one that has only just been discovered and for which no patch exists yet, so the main threat is that, until a patch is released and users install it on their equipment, attackers can exploit the vulnerability and take advantage of this security hole.

That said, a critical remote code execution vulnerability has been disclosed in the popular Apache Foundation Log4j library, a logging library designed to replace the built-in log4j package that is often used in popular Java projects such as Apache Struts 2 and Apache Solr. It could allow an attacker to take control of an affected server, and it can be exploited in default configurations by an unauthenticated remote attacker against applications that use the Log4j library.

This vulnerability, tracked as CVE-2021-44228, received the maximum CVSS severity score of 10.0 and is widely considered easy to exploit.

Cisco has released signatures in the IPS rule package to detect exploit attempts against CVE-2021-44228.

They are: Snort 2 SIDs: 58722 - 58744 and Snort 3 SIDs: 300055 - 300058.

Before doing that, you need the latest rule update package available today (Snort Rule Update 2021 12 11 002 vrt); the rules must then be enabled in all intrusion policies and the policies redeployed to the firewalls.


#1) Update the rule package on your FMC:

updates / rule updates / download new rules from the Support Site / [Import]

#2) Make a filter for CVE:"2021-44228"

policy / intrusion / <your_ftd> / rules / rule content / reference / CVE ID

Under "rules state" select all and choose "drop and generate events".

Click Policy Information, confirm the changes, then Deploy.
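After deploying, it is worth confirming that every Log4Shell SID is actually present and set to drop rather than trusting the GUI filter alone. The script below is an added example, not Cisco's own tooling: it parses a Snort-syntax rules listing (for instance one exported from the rule update package or a policy) and reports which of the SIDs named above are missing, disabled (commented out with `#`), or still set to `alert` instead of `drop`. The sample rules text is constructed for illustration and carries no real Talos rule content.

```python
import re

# SID ranges the post lists for CVE-2021-44228: Snort 2 58722-58744, Snort 3 300055-300058.
LOG4SHELL_SIDS = set(range(58722, 58745)) | set(range(300055, 300059))

# One Snort rule per line: optional leading '#' (disabled), an action keyword,
# then a 'sid:<n>;' option somewhere in the rule body.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|reject|pass|log)\s.*?\bsid:\s*(?P<sid>\d+)\s*;',
    re.IGNORECASE,
)

# Constructed sample (placeholder msg strings, not real rule content).
SAMPLE_RULES = """\
# constructed sample, not real Cisco/Talos rule content
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SAMPLE rule 58722"; sid:58722; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SAMPLE rule 58723"; sid:58723; rev:1;)
# drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SAMPLE rule 58724"; sid:58724; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SAMPLE rule 300055"; sid:300055; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE unrelated"; sid:1000001; rev:1;)
"""


def audit_rules(rules_text):
    """Return {sid: (action, enabled)} for every Log4Shell SID found in the text."""
    found = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        sid = int(m.group('sid'))
        if sid in LOG4SHELL_SIDS:
            enabled = m.group('disabled') is None
            found[sid] = (m.group('action').lower(), enabled)
    return found


def missing_sids(found):
    """Log4Shell SIDs that do not appear in the rules text at all."""
    return sorted(LOG4SHELL_SIDS - set(found))


def not_dropping(found):
    """SIDs that are present but either disabled or not set to 'drop'."""
    return sorted(sid for sid, (action, enabled) in found.items()
                  if not enabled or action != 'drop')


if __name__ == '__main__':
    result = audit_rules(SAMPLE_RULES)
    print('present :', sorted(result))
    print('missing :', missing_sids(result))
    print('not drop:', not_dropping(result))
```

Run it against the real export instead of `SAMPLE_RULES` by reading the file into `audit_rules`; an empty `missing` list and an empty `not drop` list mean every Log4Shell signature is loaded and set to "drop and generate events".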

