we are providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(log4shell) in their AWS account. We currently support "CVE-2021-44228" and "CVE-2021-45046" RCE vulnerabilities. The script enables security teams to identify external-facing AWS assets by running the exploit on them, and thus be able to map them and quickly patch them
- Information about CVE-2021-44228: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- Information about CVE-2021-45046: https://nvd.nist.gov/vuln/detail/CVE-2021-45046
- central updated location which outlines everything you need to know about Log4Shell: https://www.mitiga.io/blog/log4shell-everything-in-one-place
- Algorithm drill-down: https://www.mitiga.io/blog/log4shell-identify-vulnerable-external-facing-workloads-in-aws-tutorial
- Scans the resources in all regions
- Scans all the compute resources which exposed to the internet
- Ability to execute it with a proxy
- Supporting multiple ways to configure the AWS credentials using AWS known environment variables: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
- cPython 3.6 and higher
- install the required Python packages:
pip3 install -r requirements.txt
* AWS permissions to scans the resources: .. code-block:: json
- {
"Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeSecurityGroups", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetGroups", ], "Resource": "*" } ]
}
Before Execution The Script ######## You need a server which will wait for DNS requests from the vulnerable endpoints, For this demo we are using: interactsh, which is an external tool You can use interactsh client or Interactsh web app
- 2. Execute the main.py script with argument:
- '--dest-domain' - for the server which will get the response from the vulnerable endpoint
- '--cve-id' - the CVE to check(CVE-2021-44228, CVE-2021-45046)
- (optional) '--proxies' - If you run the requests from a proxy server
- examples:
Finding Vulnerable Endpoints ######## the vulnerable endpoints should send DNS requests to your server with the format:
- EC2 instances: '{instance id}.{destination domain}'. example: i-092ed1f7d1230bb9a.test.interactsh.com
- Load Balancers: '{load balancer name}.{destination domain}'. example: lb-name.test.interactsh.com
cli example:
web example:
This project should be used only for educational purposes. The project does not replace a mature remediation plan and does not provide full coverage on external-facing or vulnerable assets. Mitiga does not hold responsibility for any damage caused by using this project.