WARNING: CRITICAL ZERO-DAY IN SCIENCELOGIC SL1 REMOTE CODE EXECUTION, PATCH IMMEDIATELY!

Reference: Advisory #2024-248
Version: 1.0
Affected software: ScienceLogic SL1 before versions 12.1.3+, 12.2.3+, and 12.3+.
Type: Remote code execution vulnerability
CVE/CVSS: CVE-2024-9537: CVSS 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Red)


Risks

A critical zero-day vulnerability (CVE-2024-9537) has been identified in ScienceLogic SL1 (formerly EM7), a platform used for infrastructure monitoring, issue detection, and automation. This platform can integrate with other tools, such as ServiceNow for incident management. The vulnerability exists in a third-party component packaged with ScienceLogic SL1 and has now been added to the CISA Known Exploited Vulnerabilities (KEV) list, signaling that it is actively targeted by threat actors.

The primary risk posed by this vulnerability is remote code execution (RCE), which can enable attackers to take full control of compromised systems. Once exploited, threat actors could access critical IT systems, manipulate data, and disrupt operations, posing a severe threat. For organizations relying on ScienceLogic SL1, this could result in data breaches, compromised systems and system downtime, severely impacting business continuity.

Given the critical nature of this vulnerability and its addition to the CISA KEV list, we strongly urge you to update your systems immediately to mitigate the risk.

Description

CVE-2024-9537: ScienceLogic SL1 (Remote Code Execution, Critical)
A vulnerability in an unspecified third-party component bundled with ScienceLogic SL1 could allow for remote code execution. This flaw affects multiple versions of SL1 and has been addressed in versions 12.1.3+, 12.2.3+, and 12.3+. Remediations have been made available for all SL1 versions back to version lines 10.1.x, 10.2.x, 11.1.x, 11.2.x, and 11.3.x.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority.

Monitor/Detect

Since this vulnerability may already be exploited, the CCB recommends that organizations step up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
