Understanding the Attack Surface Using Prisma Cloud SaaS

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
L4 Transporter
100% helpful (2/2)

By RD Singh, Senior Customer Success Engineer

and Muhammad Rehan, Senior Customer Success Engineer

 

 

Recent Log4Shell and SpringShell vulnerabilities created havoc for many organizations struggling to discover the impacted resources. The Palo Alto Networks Prisma Cloud (CSPM and CWPP) not only can help the organizations to discover the impacted resources, but can also protect the exploit from happening.

 

In this article, we will walk you through how to leverage the Prisma Cloud Product in order to gain visibility of your cloud resources.

 

How Prisma Cloud Can Help

 

The Palo Alto Networks Prisma Cloud Security Platform can detect and identify Log4Shell and SpringShell attack payloads sent to applications. The good news is that Prisma Cloud users can easily detect software components affected by these vulnerabilities. 

 

The Prisma Cloud Intelligence Stream (IS) automatically updates to include the vulnerability information from official vendor feeds. This allows Prisma Cloud to directly reflect any updates or analysis by Linux distribution and application maintainers, allowing Prisma Cloud to detect any affected hosts, images, containers and functions.



RPrasadi_0-1657298712983.png

Figure 1: Log4Shell CVEs in the Intelligence Stream_palo-alto-networks

 

Query Your Environment for Impacted Resources

 

Prisma Cloud’s Resource Query Language (RQL) provides a quick and easy way to query for resources impacted. In this case, users can utilize the Prisma Cloud platform's capabilities to isolate assets with vulnerabilities and prioritize further by looking for internet-exposed assets receiving traffic.

 

The below RQL lists the instances in your cloud that have the Log4Shell (CVE-2021-44228) and/or SpringShell (CVE-2022-22963 or CVE-2022-22965) specific vulnerabilities. 

 

Note: RQL is only applicable to the Prisma Cloud SaaS.

 

config from cloud.resource where finding.type IN ( 'Host Vulnerability', 'Serverless Vulnerability', 'AWS GuardDuty Host') AND finding.name IN ('CVE-2022-22963', 'CVE-2022-22965', 'CVE-2021-44228')

 

RPrasadi_1-1657298713002.png

Figure 2: Config RQL to discover the vulnerable instances_palo-alto-networks

 

Here is the RQL to know the Internet exposed instances that are receiving traffic in your cloud and have the Log4Shell (CVE-2021-44228) and/or SpringShell (CVE-2022-22963 or CVE-2022-22965) specific vulnerabilities:

 

network from vpc.flow_record where bytes > 0 AND source.resource IN ( resource where finding.type IN ( 'Host Vulnerability', 'AWS GuardDuty Host') AND finding.source IN ( 'Prisma Cloud' ) AND finding.name IN ('CVE-2022-22963', 'CVE-2022-22965', 'CVE-2021-44228') ) AND destination.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

 

RPrasadi_2-1657298713083.png

Figure 3: Config RQL to discover the vulnerable instances_palo-alto-networks

 

In addition to RQL Prisma Cloud Compute can help to search for the specific CVE in Vulnerability Explorer where Defender agents are deployed.

 

Note: The Prisma Cloud Compute needs to be enabled to view the Vulnerability Explorer within the Prisma Cloud SaaS.

 

RPrasadi_3-1657298712981.png

Figure 4: CVE search result in Vulnerability Explorer_palo-alto-networks



The below screenshot is an example of container image details where CVE-2022-22965 is shown as Critical.

 

RPrasadi_4-1657298713080.pngFigure 5: Image details_palo-alto-networks




Conclusion

 

The Log4Shell and SpringShell vulnerabilities are high-impact vulnerabilities that are easy for attackers to exploit and have far-reaching consequences on the industry as a whole. In this post, we discussed some detection and prevention strategies for these particular vulnerabilities, and showcased detection capabilities of the Prisma Cloud Security Platform. 

 

Prisma Cloud can help in detecting all vulnerable instances in your deployments. Prisma Cloud may also be configured to fully prevent running any vulnerable images or hosts.

 

A complete proof-of-concept of Prisma Cloud protections for Log4Shell exploits, including runtime and WAAS protections, can be found in this video.




References :

 

https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/

https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/

 

About the Authors:

 

RD Singh and Muhammad Rehan are senior customer success engineers specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. They use collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage their multi industry knowledge to inspire success. 

 

 

Rate this article:
(1)
Comments
L1 Bithead

this is great stuff and insights! thank you. 

  • 3413 Views
  • 1 comments
  • 3 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎09-26-2023 01:07 PM
Updated by: