.. image:: images/Mitiga_logo.png

We are providing DevOps and security teams with a script to identify cloud workloads in their AWS account that may be vulnerable to the Log4j vulnerability (Log4Shell).
We currently support the *"CVE-2021-44228"* and *"CVE-2021-45046"* RCE vulnerabilities. The script enables security teams to identify external-facing AWS assets by running the exploit against them, and thus to map them and quickly patch them.

General Information
-------------------

- Information about CVE-2021-44228:
- Information about CVE-2021-45046:
- A central, regularly updated page that outlines everything you need to know about Log4Shell:
- Algorithm drill-down:

* Scans the resources in all regions
* Scans all the compute resources that are exposed to the internet
* Can be executed through a proxy
* Supports multiple ways to configure the AWS credentials using the standard AWS environment variables: `<>`_

Installation / Requirements
---------------------------

* CPython 3.6 or higher
* Install the required Python packages:

  .. code-block:: console

      pip3 install -r requirements.txt

* AWS permissions to scan the resources, granted by an IAM policy of this shape:

  .. code-block:: json

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                  ],
                  "Resource": "*"
              }
          ]
      }

Before Executing the Script
---------------------------

You need a server that will wait for DNS requests from the vulnerable endpoints.
For this demo we are using `interactsh <>`_, which is an **external** tool. You can use the interactsh client or the `Interactsh web app <>`_.

1. Get the URL address for the DNS requests. Using interactsh, you can find it in the client app here:

   .. image:: images/interactshdomain.png

   or using the web app:

   .. image:: images/webinteractsh.png

2. Execute the script with the following arguments:

   * *'--dest-domain'* - the server that will receive the DNS request from the vulnerable endpoint
   * *'--cve-id'* - the CVE to check (CVE-2021-44228 or CVE-2021-45046)
   * (optional) *'--proxies'* - if you run the requests through a proxy server

   .. code-block:: console

       # Checking the original CVE (CVE-2021-44228)
       python3 --dest-domain
       # Checking CVE-2021-45046
       python3 --dest-domain --cve-id=CVE-2021-45046
       # Checking the original CVE (CVE-2021-44228), using proxies
       python3 --dest-domain --proxies

Finding Vulnerable Endpoints
----------------------------

The vulnerable endpoints should send DNS requests to your server in the following format:

- EC2 instances: '{instance id}.{destination domain}'. example: **
- Load Balancers: '{load balancer name}.{destination domain}'. example: **
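Once callbacks arrive, the hostnames have to be mapped back to the assets that need patching. The following Python is an added example, not part of this project: it pulls every '{label}.{destination domain}' hostname out of whatever text your DNS callback server shows, and buckets the labels into EC2 instance ids and load balancer names, deduplicating case variants and ignoring names that are not direct children of the destination domain. The log format, the callback domain and the asset ids below are constructed placeholders, not interactsh's real output.

```python
import re
from collections import defaultdict

# Constructed sample: log lines in an illustrative format (not interactsh's real
# output); the callback domain is a placeholder, not a real listener.
DEST_DOMAIN = "example-callback.invalid"
SAMPLE_LOG = """\
2021-12-13T10:01:02Z DNS A i-0abc123def4567890.example-callback.invalid. from 203.0.113.7
2021-12-13T10:01:05Z DNS A I-0ABC123DEF4567890.EXAMPLE-CALLBACK.INVALID from 203.0.113.7
2021-12-13T10:01:09Z DNS A prod-web-alb.example-callback.invalid from 198.51.100.4
2021-12-13T10:02:11Z DNS A i-0fedcba9876543210.example-callback.invalid from 203.0.113.9
2021-12-13T10:02:30Z DNS A unrelated-host.other-domain.invalid from 192.0.2.1
2021-12-13T10:02:45Z DNS A example-callback.invalid from 192.0.2.2
"""

# EC2 instance ids are 'i-' plus 8 or 17 hex chars; ELB names are 1-32 alphanumerics/hyphens.
EC2_ID_RE = re.compile(r"^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")
LB_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,30}[a-z0-9])?$")


def classify_callback(hostname, dest_domain):
    """Map one callback hostname to (asset_type, asset_id), or None when it is
    not a direct '{label}.{dest_domain}' child. DNS is case-insensitive, so the
    label is lowercased: compare load balancer names case-insensitively."""
    host = hostname.rstrip(".").lower()
    suffix = "." + dest_domain.rstrip(".").lower()
    if not host.endswith(suffix):
        return None
    label = host[: -len(suffix)]
    if not label or "." in label:
        return None
    if EC2_ID_RE.match(label):
        return ("ec2-instance", label)
    if LB_NAME_RE.match(label):
        return ("load-balancer", label)
    return ("unknown", label)


def triage_callbacks(log_text, dest_domain):
    """Pull every '<label>.<dest_domain>' hostname out of free-form log text and
    return {asset_type: sorted unique ids} for the assets that called back."""
    pattern = re.compile(r"[A-Za-z0-9-]+\." + re.escape(dest_domain) + r"\.?", re.IGNORECASE)
    found = defaultdict(set)
    for match in pattern.finditer(log_text):
        result = classify_callback(match.group(0), dest_domain)
        if result:
            found[result[0]].add(result[1])
    return {kind: sorted(ids) for kind, ids in found.items()}
```

Feed `triage_callbacks` the pasted CLI or web output together with the domain you passed as `--dest-domain`; the returned ids are the assets to patch first.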

CLI example:

.. image:: images/interactshresult.png

Web example:

.. image:: images/webinteractsh_result.png

This project should be used only for educational purposes. The project does not replace a mature remediation plan and does not provide full coverage on external-facing or vulnerable assets. Mitiga does not hold responsibility for any damage caused by using this project.