Log4Shell Zero Day Vulnerability

Dec 12, 2021


Log4Shell is a zero day vulnerability affecting Java servers and is actively being exploited in the wild. Java is the backend language for a lot of enterprise servers as well as Fortune 1000 websites. If you’re the administrator of such a website, you know that the problem probably won’t get fixed right away: you’ll have a lot of code to audit, and with everyone working from home it might prove difficult to push new changes out to a live website as fast as you’d like.

To mitigate the problem and give yourself some breathing room while you fix it, there are a couple of solutions. I will provide the solutions using both iptables (available on most modern Linux distributions) and RouterOS (the operating system used by all MikroTik products). I’ll leave the task of fixing the base problem to your software developers and devops.

The first solution is to block outbound LDAP (Lightweight Directory Access Protocol) calls. By default LDAP uses port 389 over either the TCP or UDP transport protocol.

Using iptables, we could block it as follows:

-A FORWARD -p tcp --dport 389 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -p udp --dport 389 -j REJECT --reject-with icmp-host-prohibited

Using RouterOS, we could block it as follows:

/ip firewall filter add chain=forward protocol=tcp port=389 action=reject reject-with=icmp-host-prohibited
/ip firewall filter add chain=forward protocol=udp port=389 action=reject reject-with=icmp-host-prohibited

The second solution is to block LDAP in general, in case someone has chosen to use a non-default port. The common envelope for an LDAP message is the keyword ‘LDAPMessage’, so we can scan for that at layer 7.

Using iptables (note the option is --algo, the string-matching algorithm, not --alog):

-A FORWARD -m string --algo bm --string "LDAPMessage" -j REJECT --reject-with icmp-host-prohibited

Using RouterOS:

/ip firewall filter add chain=forward protocol=tcp content="LDAPMessage" action=reject reject-with=icmp-host-prohibited
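Once the rules are in place it is worth verifying that all three of them actually survived a reload. The following is an added example, not part of the original post: it parses a constructed `iptables-save` dump (in which the UDP rule is assumed to be missing) and reports which of the mitigations above are present in the FORWARD chain.

```python
"""Audit an iptables-save dump for the outbound-LDAP block rules.
Added example; the sample dump below is constructed, not captured from a real host."""
import shlex

# Constructed sample of `iptables-save` output: TCP/389 and the string rule are
# present, the UDP/389 rule was (by assumption) forgotten.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --dport 389 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m string --string "LDAPMessage" --algo bm -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_rules(dump: str):
    """Yield (chain, options) for every '-A' line; options maps each flag to
    its value, or to True for flags that take no argument."""
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)          # honours the quotes around "LDAPMessage"
        chain, opts, i = tokens[1], {}, 2
        while i < len(tokens):
            tok = tokens[i]
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            opts[tok] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        yield chain, opts


def ldap_block_status(dump: str) -> dict:
    """Return which of the three mitigations exist as REJECT/DROP rules in FORWARD."""
    status = {"tcp389": False, "udp389": False, "string": False}
    for chain, o in parse_rules(dump):
        if chain != "FORWARD" or o.get("-j") not in ("REJECT", "DROP"):
            continue
        if o.get("--dport") == "389" and o.get("-p") in ("tcp", "udp"):
            status[o["-p"] + "389"] = True
        elif o.get("--string") == "LDAPMessage":
            status["string"] = True
    return status


def missing_mitigations(dump: str) -> list:
    """Sorted names of the rules that still need to be added."""
    return sorted(k for k, present in ldap_block_status(dump).items() if not present)


if __name__ == "__main__":
    print("missing:", missing_mitigations(SAMPLE_DUMP))   # prints: missing: ['udp389']
```

On a live host, feed it the real output with `iptables-save` piped into the function instead of `SAMPLE_DUMP`.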
