This guide describes how to configure agentless vulnerability and compliance scanning for virtual machines in Microsoft Azure subscriptions.
This article will use a credential dedicated to the agentless scanning process. In Prisma Cloud Enterprise Edition / SaaS, you have the additional option of using a Prisma Cloud onboarded account credential which will be covered in a future article. The creation and use of an Azure service principal credential are also supported in SaaS.
Understanding the Attack Surface Using Prisma Cloud SaaS
by RD Singh and Muhammad Rehan
Recent Log4Shell and SpringShell vulnerabilities created havoc for many organizations struggling to discover the impacted resources. The Palo Alto Networks Prisma Cloud (CSPM and CWPP) not only can help the organizations to discover the impacted resources, but can also protect the exploit from happening.
In this article, we will walk you through how to leverage the Prisma Cloud Product in order to gain visibility of your cloud resources.
How Prisma Cloud Can Help
The Palo Alto Networks Prisma Cloud Security Platform can detect and identify Log4Shell and SpringShell attack payloads sent to applications. The good news is that Prisma Cloud users can easily detect software components affected by these vulnerabilities.
The Prisma Cloud Intelligence Stream (IS) automatically updates to include the vulnerability information from official vendor feeds. This allows Prisma Cloud to directly reflect any updates or analysis by Linux distribution and application maintainers, allowing Prisma Cloud to detect any affected hosts, images, containers and functions.
Figure 1: Log4Shell CVEs in the Intelligence Stream
Query Your Environment for Impacted Resources
Prisma Cloud’s Resource Query Language (RQL) provides a quick and easy way to query for resources impacted. In this case, users can utilize the Prisma Cloud platform's capabilities to isolate assets with vulnerabilities and prioritize further by looking for internet-exposed assets receiving traffic.
The below RQL lists the instances in your cloud that have the Log4Shell (CVE-2021-44228) and/or SpringShell (CVE-2022-22963 or CVE-2022-22965) specific vulnerabilities.
Note: RQL is only applicable to the Prisma Cloud SaaS.
config from cloud.resource where finding.type IN ( 'Host Vulnerability', 'Serverless Vulnerability', 'AWS GuardDuty Host') AND finding.name IN ('CVE-2022-22963', 'CVE-2022-22965', 'CVE-2021-44228')
Figure 2: Config RQL to discover the vulnerable instances
Here is the RQL to know the Internet exposed instances that are receiving traffic in your cloud and have the Log4Shell (CVE-2021-44228) and/or SpringShell (CVE-2022-22963 or CVE-2022-22965) specific vulnerabilities:
network from vpc.flow_record where bytes > 0 AND source.resource IN ( resource where finding.type IN ( 'Host Vulnerability', 'AWS GuardDuty Host') AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2022-22963', 'CVE-2022-22965', 'CVE-2021-44228') ) AND destination.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
Figure 3: Config RQL to discover the vulnerable instances
In addition to RQL Prisma Cloud Compute can help to search for the specific CVE in Vulnerability Explorer where Defender agents are deployed.
Note: The Prisma Cloud Compute needs to be enabled to view the Vulnerability Explorer within the Prisma Cloud SaaS.
Figure 4: CVE search result in Vulnerability Explorer
The below screenshot is an example of container image details where CVE-2022-22965 is shown as Critical.
Figure 5: Image details
The Log4Shell and SpringShell vulnerabilities are high-impact vulnerabilities that are easy for attackers to exploit and have far-reaching consequences on the industry as a whole. In this post, we discussed some detection and prevention strategies for these particular vulnerabilities, and showcased detection capabilities of the Prisma Cloud Security Platform.
Prisma Cloud can help in detecting all vulnerable instances in your deployments. Prisma Cloud may also be configured to fully prevent running any vulnerable images or hosts.
A complete proof-of-concept of Prisma Cloud protections for Log4Shell exploits, including runtime and WAAS protections, can be found in this video .
About the Authors:
RD Singh and Muhammad Rehan are senior customer success engineers specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. They use collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage their multi industry knowledge to inspire success.