WARNING: VULNERABILITIES FOUND IN LOGSIGN UNIFIED SECOPS THAT COULD LEAD TO RCE

Reference:
Advisory #2024-103
Version:
1.0
Affected software:
Logsign Unified SecOps platform
Type: 
Authentication Bypass, Command Injection (post-auth)
CVE/CVSS: 

CVE-2024-5716, no CVSS available yet.
CVE-2024-5717, no CVSS available yet.

Sources

https://support.logsign.net/hc/en-us/articles/19316621924754-03-06-2024-Version-6-4-8-Release-Notes
https://www.zerodayinitiative.com/blog/2024/7/1/getting-unauthenticated-remote-code-execution-on-the-logsign-unified-secops-platform

Risks

Two separate vulnerabilities, CVE-2024-5716 and CVE-2024-5717, can be chained to achieve unauthenticated remote code execution on the web server through HTTP requests, which could result in an intrusion by a remote attacker. The vendor has not published a CVSS score, but a high impact on confidentiality, integrity and availability is very likely.

The Logsign Unified SecOps platform is a software platform for security operations. It delivers threat detection, investigation and response (TDIR) through integrated SIEM, SOAR, UEBA and threat intelligence (TI) capabilities.

The Centre for Cybersecurity Belgium (CCB) recommends that system administrators patch vulnerable systems as soon as possible and follow the additional measures recommended by the vendor. Analyse system and network logs for any suspicious activity. This advisory contains instructions to help your organisation.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

Description

Multiple vulnerabilities were fixed by the vendor, two of which lead to unauthenticated RCE when chained:

· CVE-2024-5716 – Authentication Bypass – Allows remote attackers to bypass authentication on affected installations of Logsign Unified SecOps Platform. The flaw exists within the password reset mechanism and results from the lack of restrictions on excessive password reset attempts, so the reset step can be brute-forced by a remote attacker.

· CVE-2024-5717 – Command Injection (post-auth) – Allows remote attackers to execute arbitrary code on affected installations of Logsign Unified SecOps Platform. Authentication is required to exploit this vulnerability, but the existing authentication mechanism can be bypassed with CVE-2024-5716, which is what makes the combined chain unauthenticated.
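To make the first flaw concrete, the following is an added illustration in Python; it is not Logsign's code and not the ZDI proof of concept. It shows a reset-code verifier written the vulnerable way (no limit on attempts, so every possible code can be submitted over HTTP until one is accepted) next to a hardened one that bounds attempts, expires and consumes the code, and compares in constant time. The six-digit code, the five-attempt limit, the ten-minute lifetime and the `brute_force` client are assumptions chosen for the demonstration, not values from the advisory.

```python
"""Added example, not Logsign's code: an unbounded password-reset verifier
versus a hardened one, with a brute-force client to show the difference.
All limits below are assumptions for the demonstration."""
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumption: six-digit numeric reset code
MAX_ATTEMPTS = 5         # assumption: verification attempts allowed per issued code
CODE_TTL_SECONDS = 600   # assumption: lifetime of an issued code


def _new_code(randbelow):
    """Zero-padded numeric code drawn from the supplied CSPRNG-style callable."""
    return f"{randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


class WeakResetVerifier:
    """The vulnerable pattern: a code that stays valid for unlimited guesses."""

    def __init__(self, randbelow=secrets.randbelow):
        self._randbelow = randbelow
        self._codes = {}                      # user -> code

    def issue(self, user):
        self._codes[user] = _new_code(self._randbelow)
        return self._codes[user]

    def verify(self, user, guess):
        # No attempt counter, no expiry, and the code is never consumed:
        # at most 10**CODE_DIGITS HTTP requests are guaranteed to succeed.
        return self._codes.get(user) == guess


class HardenedResetVerifier:
    """Bounded attempts, expiry, single use and constant-time comparison."""

    def __init__(self, randbelow=secrets.randbelow, clock=time.monotonic):
        self._randbelow = randbelow
        self._clock = clock
        self._state = {}                      # user -> {"code", "expires", "attempts"}

    def issue(self, user):
        code = _new_code(self._randbelow)
        self._state[user] = {"code": code,
                             "expires": self._clock() + CODE_TTL_SECONDS,
                             "attempts": 0}
        return code

    def verify(self, user, guess):
        st = self._state.get(user)
        if st is None:
            return False                      # nothing issued, or already burned
        st["attempts"] += 1
        if self._clock() > st["expires"] or st["attempts"] > MAX_ATTEMPTS:
            del self._state[user]             # burn the code, not the account: the
            return False                      # user must request a fresh one
        if hmac.compare_digest(st["code"].encode(), str(guess).encode()):
            del self._state[user]             # single use
            return True
        return False


def brute_force(verifier, user, max_guesses=10 ** CODE_DIGITS):
    """Hypothetical attacker: enumerate codes in order.

    Returns the number of guesses used on success, or None if the verifier
    never accepted one (as the hardened verifier should)."""
    for n in range(max_guesses):
        if verifier.verify(user, f"{n:0{CODE_DIGITS}d}"):
            return n + 1
    return None


if __name__ == "__main__":
    weak, hard = WeakResetVerifier(), HardenedResetVerifier()
    weak.issue("alice")
    hard.issue("alice")
    print("weak verifier accepted a guess after", brute_force(weak, "alice"), "attempts")
    print("hardened verifier accepted a guess after", brute_force(hard, "alice"), "attempts")
```

Burning the code rather than locking the account avoids handing an attacker a denial-of-service against the victim's reset flow, but it only helps if code issuance is rate limited as well: with five attempts per code, an attacker who can request a new code at will gets five fresh guesses per request, so issuance per account and per source address needs its own limit.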

Patched versions are available from the vendor (see the Version 6.4.8 release notes): https://support.logsign.net/hc/en-us/articles/19316621924754-03-06-2024-Version-6-4-8-Release-Notes

Recommended actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

The latest version of the affected product can be found on the vendor's website:

https://support.logsign.net/hc/en-us/articles/19316621924754-03-06-2024-Version-6-4-8-Release-Notes

Monitor/Detect

The CCB recommends that organisations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

Patching appliances or software to the newest version protects against future exploitation, but it does not remediate a compromise that has already taken place. Review logs from before the patch date for signs of prior exploitation, such as bursts of password reset requests from a single source.
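As an added example of what analysing the logs can mean here (not a Logsign detection; the endpoint path, the five-minute window and the threshold of 20 requests are assumptions), the script below parses web-server access logs in the common combined format and flags client IPs that hit a password-reset endpoint more than a set number of times within a sliding window, which is the traffic pattern a brute force of the reset step would produce. The log lines are constructed for the example and were not captured from a real system.

```python
"""Added example, not a Logsign detection: flag source IPs that burst
requests at a password-reset endpoint. Path, window and threshold are
assumptions; the sample log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
RESET_PATH = re.compile(r"reset", re.IGNORECASE)   # assumption: any path mentioning "reset"
WINDOW = timedelta(minutes=5)                       # assumption: sliding window length
THRESHOLD = 20                                      # assumption: reset requests per window per IP


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def max_requests_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:      # slide the left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def find_reset_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Map client IP -> peak reset-endpoint request count, for IPs above the threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                          # unparseable line; a real job should count these
        ip, ts, _method, path, _status = rec
        if RESET_PATH.search(path):
            per_ip[ip].append(ts)
    alerts = {}
    for ip, ts_list in per_ip.items():
        peak = max_requests_in_window(ts_list, window)
        if peak > threshold:
            alerts[ip] = peak
    return alerts


def constructed_sample_log():
    """Constructed log lines for the example; the reset path is hypothetical."""
    base = datetime(2024, 7, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path, status, agent):
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "POST {path} HTTP/1.1" {status} 52 "-" "{agent}"'

    lines = [
        # A legitimate user who retried once: two reset requests, far below the threshold.
        line("198.51.100.7", -110, "/api/auth/reset-password", 200, "Mozilla/5.0"),
        line("198.51.100.7", -20, "/api/auth/reset-password", 200, "Mozilla/5.0"),
        line("192.0.2.10", 5, "/dashboard", 200, "Mozilla/5.0"),
        "garbage line that does not parse",
    ]
    # 25 reset attempts from one source in 96 seconds: the brute-force signature.
    lines += [line("203.0.113.5", 4 * i, "/api/auth/reset-password", 401, "python-requests/2.31")
              for i in range(25)]
    return lines


if __name__ == "__main__":
    for ip, peak in find_reset_bursts(constructed_sample_log()).items():
        print(f"ALERT {ip}: {peak} reset requests within {WINDOW}")
```

The threshold should be tuned against the normal volume of reset requests the instance sees, and a successful reset (a 2xx after a run of failures from the same source) deserves a higher-severity alert than the burst alone, since it is the point at which CVE-2024-5716 would have yielded a session for the post-auth command injection.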

References

https://support.logsign.net/hc/en-us/articles/19316621924754-03-06-2024-Version-6-4-8-Release-Notes
https://www.zerodayinitiative.com/blog/2024/7/1/getting-unauthenticated-remote-code-execution-on-the-logsign-unified-secops-platform