Logsign Unified SecOps RCE Vulnerabilities Let Attackers Gain Control of the System


Logsign, a Python-based web server for Unified Security Operations (SecOps), has addressed critical vulnerabilities that could enable threat actors to gain full control over the system.

The vulnerabilities, identified as CVE-2024-5716 and CVE-2024-5717, can be combined to achieve remote, unauthenticated code execution via HTTP requests.

Logsign gives security analysts complete visibility and control over their data lake. They can collect and store unlimited data, investigate and detect threats, and respond automatically.

CVE-2024-5716: Authentication Bypass

The first vulnerability, CVE-2024-5716, is an authentication bypass flaw within the password reset mechanism. This issue arises from the lack of restrictions on excessive password reset attempts. An attacker can exploit this by sending multiple requests to reset the admin’s password until they brute force the correct reset code. Once the correct reset code is obtained, the attacker can reset the admin’s password and gain administrative access to the system.
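The missing control here is a cap on guesses per issued reset code. The following sketch is an added example, not Logsign's code: a reset-code store that burns a code after a few wrong guesses, expires it, and throttles re-issuing. The class name, code length and policy constants are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

# Assumed policy values for illustration; not taken from Logsign.
MAX_ATTEMPTS = 5             # wrong guesses allowed per issued code
CODE_TTL_SECONDS = 600       # lifetime of an issued code
ISSUE_COOLDOWN_SECONDS = 60  # minimum gap between codes for one account


class ResetCodeStore:
    """In-memory reset-code store that caps guesses per issued code."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}      # username -> [code, expires_at, failed_attempts]
        self._last_issue = {}   # username -> time of the last issued code

    def issue(self, username):
        now = self._clock()
        last = self._last_issue.get(username)
        if last is not None and now - last < ISSUE_COOLDOWN_SECONDS:
            return None  # throttled: re-issuing must not reset the guess budget
        code = f"{secrets.randbelow(10**8):08d}"  # 8 digits from a CSPRNG
        self._pending[username] = [code, now + CODE_TTL_SECONDS, 0]
        self._last_issue[username] = now
        return code  # delivered out of band, never in the HTTP response

    def verify(self, username, candidate):
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, expires_at, failed = entry
        if self._clock() >= expires_at:
            del self._pending[username]
            return False
        # Constant-time comparison; bytes so non-ASCII input cannot raise.
        if hmac.compare_digest(code.encode(), candidate.encode()):
            del self._pending[username]  # single use
            return True
        if failed + 1 >= MAX_ATTEMPTS:
            del self._pending[username]  # burn the code: guessing cannot continue
        else:
            entry[2] = failed + 1
        return False
```

With these values an attacker gets at most five guesses per minute against a 10^8 code space, and even the correct code is rejected once the budget is spent.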

CVE-2024-5717: Post-Auth Command Injection

The second vulnerability, CVE-2024-5717, is a post-authentication command injection flaw. This vulnerability allows authenticated users to execute arbitrary code on the system due to improper validation of user-supplied strings before executing a system call. Although authentication is required to exploit this vulnerability, it can be bypassed using the authentication bypass flaw (CVE-2024-5716).

According to Trend Micro Zero Day Initiative (ZDI), an attacker can achieve remote, unauthenticated code execution by combining these vulnerabilities. The exploit involves using CVE-2024-5716 to reset the admin’s password and log in with the new credentials.

Once authenticated, the attacker can exploit CVE-2024-5717 to execute arbitrary commands as the root user. This can be used to gain a reverse shell, providing the attacker with complete control over the system.

Exploiting these vulnerabilities in tandem, attackers could:

  1. Bypass authentication via the password reset flaw
  2. Log in as an administrator
  3. Execute arbitrary system commands through the demo mode feature

This attack chain grants full control over the Logsign server, with the injected commands running as root.

Mitigation

Logsign has patched these vulnerabilities in version 6.4.8. Users are strongly advised to update to this version to protect their systems from potential exploits. Additionally, performing a full audit of the software is recommended to identify and fix any other potential vulnerabilities.

These vulnerabilities highlight the importance of robust authentication mechanisms and proper input validation to prevent such critical security issues.
