This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Firewall detects traffic to recognition.lansweeper.com/3/devrecog as critical Log4j vulnerability

Go to solution
daveb
Engaged Sweeper II

‎06-13-2023 03:45 PM - last edited 2 weeks ago by Community Manager

Hello,

Is the endpoint at recognition.lansweeper.com/3/devrecog using log4j?

Palo alto is classifying this traffic from our on-prem LS instance to the above endpoint as a critical vulnerability (2 threat IDs), and will be blocked once we turn up our vulnerability protection profile settings.  Any idea why Palo is seeing this outbound traffic as a threat?

thanks

Labels:
0 Kudos
1 ACCEPTED SOLUTION
Go to solution
Obi_1_Cinobi
Lansweeper Tech Support
Lansweeper Tech Support

‎06-15-2023 08:45 AM

Hello there!

The Lansweeper services running locally on your Lansweeper server will not send out any Log4j-related traffic. We have thoroughly investigated our internal and customer-facing systems, the software we deliver, and its components and interactions. None are directly affected by the log4j vulnerability. Some of our cloud systems have been indirectly affected due to running on AWS, which AWS has since patched.

The URL in particular, https://recognition.lansweeper.com, is used by your scanning service in the context of credential-free device recognition (CDR): 

This endpoint does not use a log4j v2 library, LDAP auth, or the JNDI API. However, it has a component utilizing a log4j library of an unaffected version without calling any of the affected protocols, functions, or methods.  If you see a detection related to this URL, it can be deemed a false positive. 

It is essential to remember that if you're running external vulnerability scanners, these may currently be sending out test connections or even injecting strings into your ongoing connections to probe and check for the Log4Shell vulnerability. For example, we've had some reports from customers where their vulnerability scanner injected strings into their connections to external Lansweeper endpoints, causing their firewall to flag the connections as vulnerable and preventing them. In other words, vulnerability scans and probes from system A might cause security system B to detect them as a vulnerability.

Lastly, since your internal security equipment is blocking your scan server access to recognition.lansweeper.com, you might receive a notification in Lansweeper that CDR is not working/has no access to the internet.  To resume the functionality of CDR, you will need to allow traffic to the following endpoints:

View solution in original post

2 REPLIES 2
Go to solution
Obi_1_Cinobi
Lansweeper Tech Support
Lansweeper Tech Support

‎06-15-2023 08:45 AM

Hello there!

The Lansweeper services running locally on your Lansweeper server will not send out any Log4j-related traffic. We have thoroughly investigated our internal and customer-facing systems, the software we deliver, and its components and interactions. None are directly affected by the log4j vulnerability. Some of our cloud systems have been indirectly affected due to running on AWS, which AWS has since patched.

The URL in particular, https://recognition.lansweeper.com, is used by your scanning service in the context of credential-free device recognition (CDR): 

This endpoint does not use a log4j v2 library, LDAP auth, or the JNDI API. However, it has a component utilizing a log4j library of an unaffected version without calling any of the affected protocols, functions, or methods.  If you see a detection related to this URL, it can be deemed a false positive. 

It is essential to remember that if you're running external vulnerability scanners, these may currently be sending out test connections or even injecting strings into your ongoing connections to probe and check for the Log4Shell vulnerability. For example, we've had some reports from customers where their vulnerability scanner injected strings into their connections to external Lansweeper endpoints, causing their firewall to flag the connections as vulnerable and preventing them. In other words, vulnerability scans and probes from system A might cause security system B to detect them as a vulnerability.

Lastly, since your internal security equipment is blocking your scan server access to recognition.lansweeper.com, you might receive a notification in Lansweeper that CDR is not working/has no access to the internet.  To resume the functionality of CDR, you will need to allow traffic to the following endpoints:

Go to solution
daveb
Engaged Sweeper II
In response to Obi_1_Cinobi

‎06-15-2023 03:48 PM

I appreciate the info.  We arent scanning endpoints.  This is being detected in the outbound traffic flow from an on-prem instance of lansweeper to that internet based recognition endpoint.   we arent blocking the traffic yet, but it came up when auditing what traffic would be affected once we do turn up the vulnerability protection profile on our firewall.

it may be helpful to reach out to Palo Alto to figure out why their firewalls see this traffic as a critical severity vulnerability detection.  could possibly get an 'app-id' assigned to lansweeper traffic too.  🙂

thanks again!

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now