FTD/ASA upgrade version to prevent Exploit 'Log4JShell'

eeebbunee
Level 1

Hello All,

 

Does anyone know about the Log4JShell exploit?

This exploit affected Tomcat-based devices, as far as I know.

 

Our company has 3 FTDs and 1 ASA, and we just learned that the FTD 6.2.3 OS is vulnerable.

We are trying to upgrade the version as soon as we can, but we are not sure which version is reliable against this exploit.

 

Can anyone tell me about this?

Marvin Rhoads
Hall of Fame

FTD managed by FMC is not vulnerable.

FTD managed by FDM or CDO is vulnerable and there is no patch as of the time of this posting.

The vulnerabilities are tracked in this document which is currently being updated multiple times per day with new information about products confirmed vulnerable or not, the BugID in the former case and - where a patch or pending patch release is identified - the version with the patch.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

Hi there,

Random question, but is there a way to turn log4j off, disable the exploited mechanism, or indeed do anything other than wait for your FTD firewalls to get exploited in the meantime?

 

Kind regards,

Oscar

Hello OscarS,

 

I would like to share this because we have the same concerns. Please see the released article below.

https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/

 

Our security engineer considered that the released Apache version 2.16.0 and later will patch the Unifi controller. For the Cisco FTD / ASA deployment, we will wait a little more.

 

I hope Cisco releases the upgraded IOS soon.

 

Thank you.

 

 

Is your FTD firewall FDM-managed? If so, the patch is not yet released (as of 16 December 2021).

If they are FMC-managed (as most are) then they are not vulnerable.

For traffic transiting the firewalls, Cisco released rule updates almost immediately to detect and block attempts to exploit the vulnerability. See this detailed writeup for how to leverage that protection even more:

https://blogs.cisco.com/security/protecting-against-log4j-with-secure-firewall-secure-ips

So are we saying that we believe FDM managed firewalls can be compromised over their Internet facing port using this vulnerability and there is no work around?

As I understand the vulnerability it requires the device to be accessed via an open interface to exploit it. So as long as your FTD isn't set to allow management via the outside interface (which is generally not recommended) then the vulnerability is only exposed via the management interface which is almost always on an internal protected network.

By the way Cisco has updated the security advisory and is now projecting a hotfix for FDM-managed FTD devices to be released next week as follows:

Cisco Firepower Threat Defense (FTD) managed by Firepower Device Manager (FDM), bug ID CSCwa46963:
6.2.3 hotfix (23 Dec 2021)
6.4.0 hotfix (23 Dec 2021)
6.6.5 hotfix (23 Dec 2021)
7.0.1 hotfix (23 Dec 2021)
7.1.0 hotfix (23 Dec 2021)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

Marvin,

 

Thanks for your reply, that is helpful and reasonable. I've tried feeding this answer to Cisco TAC for confirmation but they haven't been willing to state that the box cannot be compromised using the public facing interface. Do you mind me asking what evidence you have seen that the box is not vulnerable on the public side, assuming it is not managed via the public interface? I'm trying to put minds at ease, but Cisco isn't helping me much here.

 

Thanks

 

Caveat - I'm not a pen tester or a developer but am reasonably experienced with managing Cisco firewalls and other security products. So the following is my personal understanding...

 

The CISA guidance is found here:

https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

It states in part:

"Immediate Actions to Protect Against Log4j Exploitation
Discover all internet facing assets that allow data inputs and use Log4j Java library anywhere in the stack.
• Discover all assets that use the Log4j library.
• Update or isolate affected assets. Assume compromise, identify common post-exploit sources and activity, and hunt for signs of malicious activity.
• Monitor for odd traffic patterns (e.g., JDNI LDAP/RMI outbound traffic, DMZ systems initiating outbound connections)."

(my emphasis added)

We check for an ASA or FTD device's listening ports with "show asp table socket". If it reports no listening ports then it is generally safe to assume that data input is not accepted via any of the data plane (i.e. non-management) interfaces.

Thanks, that sounds right and shows a good answer (no ports).

While I was writing this, I noticed what I think is an update, because I didn't see this before in the bug, confirming your understanding too.

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa46963

 

Only the FTD-API associated with Firepower Device Manager is vulnerable. This is exposed by default on the management interface and the inside data interface (typically port 2) on devices in the on-device manager mode. This API interface can be disabled by configuration from data-plane interfaces. VPN and other features outside of Firepower Device Manager are not vulnerable. Firepower Management Center managed FTD devices are not vulnerable. Workaround: Access Control can be added to both the management and data-plane interfaces to limit who can call this FTD-API interface removing the risk from external actors.

 

Thanks

@alexbaldwin thanks for highlighting the updated BugID. That officially confirms what I had surmised with the added bit that the VPN service is not vulnerable. Those bits should help alleviate a lot of concern while we wait for a more comprehensive fix via a patch.

Normally the mgmt interface should be accessing the internet to get Smartnet license syncing!! Please correct me if I'm wrong!

Also, I'm able to access my FTD/ASA device remotely, but over our secured VPN connection only!

 

So what's my status now?

 

BTW, I'm running 2 FTD devices managed by FDM:

Cisco ASA5516-X Threat Defense (75) Version 6.2.2 (Build 81)
Cisco ASA5516-X Threat Defense (75) Version 6.6.1 (Build 91)

 

Please, I need support to work around this and keep my NW safe. What can I do?

amr alrazzaz

@amralrazzaz the management interface does access the Internet for Smart license sync, SI updates etc. However it should not be open to incoming traffic initiated from the Internet. That's the primary vector of concern.

The secondary and less concerning vector is from any compromised internal hosts or malicious insiders. You can either accept that risk or implement access control for your management interface while awaiting the pending patch for FTD.

@Marvin Rhoads 

the management interface does access the Internet for Smart license sync, SI updates etc. However it should not be open to incoming traffic initiated from the Internet. That's the primary vector of concern.

May I ask you how to make sure that incoming traffic from the internet to the mgmt ifc is disabled or blocked? How do I block incoming traffic while, from my understanding, keeping outgoing traffic for Smartnet license and updates?

And as I said, I do remote access on the ASA using the mgmt ifc via the company VPN connection! Is that considered incoming traffic to the mgmt ifc?!!

2nd thing, what shall I do now till the patch is released, as I can see they already released the 6.4.0 hotfix (Available)? How do I upload this patch on the ASA device? Or is there still no hotfix available till now?

 

Also from inside, I don't have any local asset connected to the internet that uses Apache except the ASA devices!? So is that fine?

Last thing, I ran this command as per your recommendations with no result shown, as below. What does that mean?

 

> show asp table socket

Protocol   Socket     State    Local Address      Foreign Address

 

Also, how do I implement access control for the management interface?? Steps please.

amr alrazzaz

@amralrazzaz you can restrict access to the management interface as explained in the configuration guide here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/fdm/fptd-fdm-config-guide-660/fptd-fdm-system.html#concept_6FFA959431C84299B9EDCF19160266AD

The access to be most concerned about would be from the public Internet - not for you on your VPN connection. Your VPN traffic appears to the management interface after being unencrypted from the VPN tunnel (and still with the inner layer of SSL/TLS encryption used to access FDM).

The (lack of any) output of "show asp table socket" indicates there is not any listening port on the data interfaces.

The just-released hotfix for 6.4.0 only applies to 6.4.0. Other FTD versions will require their own hotfixes which will be released shortly as noted in the security advisory.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
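As an added example (not from the thread and not Cisco code), a small Python parser over constructed "show asp table socket" output that applies the interpretation given above: a header-only table means no data-plane listener, and any LISTEN row whose local address is not one you intentionally expose FDM on (inside or VPN-facing) is flagged for review. The sample rows and the expected-address list are constructed assumptions, not real captures.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample output (not a real capture); the column layout follows the
# header shown in the thread. One listener on an inside address, one on an
# outside address, plus an established session that is not a listener.
SAMPLE_WITH_LISTENERS = """\
Protocol   Socket     State    Local Address      Foreign Address
TCP        0000a1b2   LISTEN   192.168.10.1:443   0.0.0.0:*
TCP        0000a1b3   LISTEN   203.0.113.5:443    0.0.0.0:*
TCP        0000c3d4   ESTAB    192.168.10.1:443   192.168.10.20:51123
"""

# Constructed sample of the header-only output reported in the thread.
SAMPLE_EMPTY = "Protocol   Socket     State    Local Address      Foreign Address\n"

@dataclass
class AspSocket:
    protocol: str
    state: str
    local: str
    foreign: str

# A data row has exactly five whitespace-separated fields; the header has more
# ("Local Address", "Foreign Address"), so it never matches and is skipped.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_asp_sockets(text: str) -> List[AspSocket]:
    """Parse the rows of 'show asp table socket' into AspSocket records."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            proto, _sock, state, local, foreign = m.groups()
            rows.append(AspSocket(proto, state, local, foreign))
    return rows

def data_plane_listeners(text: str, expected_local_ips: Iterable[str] = ()) -> Dict:
    """Split LISTEN rows into expected (bound on an address you deliberately
    expose FDM on; assumption: you maintain that list) and unexpected ones.
    Assumes IPv4 'ip:port' local addresses as in the sample."""
    allowed = set(expected_local_ips)
    listeners = [s for s in parse_asp_sockets(text) if s.state.upper() == "LISTEN"]
    expected = [s for s in listeners if s.local.rsplit(":", 1)[0] in allowed]
    unexpected = [s for s in listeners if s not in expected]
    return {"listening": len(listeners), "expected": expected, "unexpected": unexpected}
```

With the header-only output, `data_plane_listeners` reports zero listeners, which is the "no data-plane listening port" case discussed above; with the constructed rows it flags only the outside-address listener.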
