On December 10th, a zero-day vulnerability (CVE-2021-44228) was discovered in a popular Java-based logging audit framework within Apache called Log4j. Since this disclosure, there has been a deluge of threat actors attempting to discover instances where this vulnerability still exists in order to exploit the issue. Infoblox has been diligently investigating this new threat, and we have concluded that our SaaS products are not subject to this vulnerability at this time. Investigative efforts are still ongoing for all Log4j-related vulnerabilities, including CVE-2017-5645, CVE-2019-17571, CVE-2020-9488, CVE-2021-4104, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. (See KB Article 000007559).
Our customers have two very important questions: “Are any of the products they use vulnerable to this zero-day?” and “Can their security tools help to detect or prevent adversaries from exploiting the vulnerability?”
It is vital that an organization’s security infrastructure does not itself introduce any security vulnerabilities. Following an exhaustive audit of our solutions, we found that the most recent versions of NIOS 8.4, 8.5 and 8.6, BloxOneDDI, BloxOne Threat Defense or any of our other SaaS offerings are not affected or do not pose an increased risk to the Log4j vulnerabilities listed above.
We are aware that a vulnerability exists in NetMRI. This specific attack vector has dependencies that make successful attacks difficult, and there have been additional mitigations put into place., The presence of this vulnerability does not increase the risk profile of the system. A hotfix has been developed and is available to customers on the Infoblox Support portal. When AutoUpdate is enabled, the hotfix has already been pushed to customer devices. This hotfix has been tested by our internal Red Team and confirmed that NetMRI with the hotfix applied is not vulnerable to the Log4j vulnerabilities. Customers can access additional technical details at our KB (see KB Article 000007559).
The Infoblox Product Security Incident Response Team (PSIRT) monitors these types of issues and has been engaged since the initial disclosure. We immediately started our investigation to understand the potential impact to our products and infrastructure with a focus on the presence of Log4j and its versions.
Once we had this view, our internal Red Team was able to create a test to validate if an instance of Log4j in our environment could be exploited. This rigorous process provides us with confidence in the results as to the exploitability of our products. We will continue to monitor the situation and test our products as new vulnerabilities are discovered.
Infoblox continues to scan our internal network for applications and systems. We employ security systems that can detect and prevent attempted exploits of this vulnerability in our environment.
The Infoblox Security Compliance team has also contacted our subprocessors to confirm whether they have checked their systems for vulnerabilities, are remediating any issues found, and also to confirm that they have also performed due diligence on their subprocessors / downstream vendors.
How can Infoblox help?
During Infoblox’s due diligence involving this vulnerability, it has uncovered evidence of invalid DNS queries that we believe may be associated with adversary groups attempting to exploit systems.
Using this methodology, we have uncovered several customers that may have been impacted by CVE-2021-44228 in a manner unrelated to the Infoblox product line. We have already communicated directly with impacted organizations and are working to help them remediate this threat as quickly as possible and limit their exposure.
Infoblox’s Threat Intelligence team is actively hunting for and tracking attacks related to this vulnerability. Due to the serious nature of the threat, Infoblox will add all suspicious indicators to our MalwareC2_Generic threat feeds. As Infoblox learns more about the threats involved, we will continue to update our Threat Intelligence feeds.
For a more detailed analysis of the vulnerability exploitation, please read this Cyber Campaign Brief or watch the video below.