The Palo Alto Networks Prisma Cloud (CSPM and CWPP) not only can help the organizations to discover the impacted resources, but can also protect the exploit from happening.
Vulnerabilities or CVEs are publicly disclosed security vulnerabilities that threat actors can exploit to gain unauthorized access to systems or networks. CVEs are widely present in programs and operating systems until an organization works to remediate the known CVEs. The list of known vulnerabilities continues to increase daily, and the prioritization of these vulnerabilities change rapidly as exploits are found.
This article will guide you on leveraging the Prisma Cloud Product to gain visibility of your cloud resources affected by any vulnerabilities/CVEs. In this article, we will use Log4Shell and/or SpringShell as an example of a vulnerability to demonstrate how Prisma Cloud can help with understanding your Attack Surface.
The Prisma Cloud Intelligence Stream (IS) automatically updates to include the vulnerability information from official vendor feeds. This allows Prisma Cloud to directly reflect any updates or analysis by Linux distribution and application maintainers, allowing Prisma Cloud to detect any affected hosts, images, containers and functions.
The good news is that Prisma Cloud users can easily detect software components affected by these vulnerabilities.
Figure 1: Log4Shell CVEs in the Intelligence Stream_PaloAltoNetworks
Prisma Cloud’s Resource Query Language (RQL) provides a quick and easy way to query for the resources impacted. In this case, users can utilize the Prisma Cloud platform's capabilities to isolate assets with vulnerabilities and prioritize further by looking for internet-exposed assets receiving traffic.
The below RQL lists the instances in your cloud that have the Log4Shell (CVE-2021-44228) and/or SpringShell (CVE-2022-22963 or CVE-2022-22965) specific vulnerabilities.
Note: RQL is only applicable to Prisma Cloud SaaS.
config from cloud.resource where finding.type IN ( 'Host Vulnerability', 'Serverless Vulnerability', 'AWS GuardDuty Host') AND finding.name IN ('CVE-2022-22963', 'CVE-2022-22965', 'CVE-2021-44228')
Figure 2: Config RQL to discover the vulnerable instances_PaloAltoNetworks
Here is the RQL to understand the Internet-exposed instances that are receiving traffic in your cloud and have the Log4Shell (CVE-2021-44228) and/or SpringShell (CVE-2022-22963 or CVE-2022-22965) specific vulnerabilities:
network from vpc.flow_record where bytes > 0 AND source.resource IN ( resource where finding.type IN ( 'Host Vulnerability', 'AWS GuardDuty Host') AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2022-22963', 'CVE-2022-22965', 'CVE-2021-44228') ) AND destination.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
In addition, RQL Prisma Cloud Compute can help to search for the specific CVE in Vulnerability Explorer where Defender agents are deployed.
Note: Prisma Cloud Compute needs to be enabled to view the Vulnerability Explorer within Prisma Cloud SaaS.
Figure 3: CVE search result in Vulnerability Explorer_PaloAltoNetworks
The below image is an example of container details where CVE-2022-22965 is shown as Critical.
Figure 4: Image scan details_PaloAltoNetworks
Prisma Cloud can help in detecting all vulnerable instances in your deployments for any known vulnerability/CVE. Prisma Cloud may also be configured to fully prevent running any vulnerable images or hosts.
We used the example of the Log4Shell and SpringShell vulnerabilities, and the same process can be used with other high-impact vulnerabilities. In this post, we discussed some detection and prevention strategies, using an example set of CVEs, and showcased detection capabilities of the Prisma Cloud Security Platform.
A complete proof-of-concept of Prisma Cloud protections for Log4Shell exploits, including runtime and WAAS protections, can be found in this video.
CVE-2022-22965: Spring Core Remote Code Execution Vulnerability Exploited In the Wild (SpringShell)
Another Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228)
RD Singh and Muhammad Rehan are Senior Customer Success Engineers specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. They use collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage their multi industry knowledge to inspire success.
