Advisory

Logsign patches critical flaws exposing systems to takeover

Take action: If you are using Logsign, this patch looks like a mandatory one. At least two flaws expose your system to full takeover, and the other reported flaws are no less severe. Plan to patch ASAP.


Learn More

Logsign has released updates to mitigate two security vulnerabilities that could allow threat actors to gain complete control of the system.

Logsign is a cybersecurity platform designed to unify security operations for organizations. It integrates various tools such as Security Information and Event Management (SIEM), User and Entity Behavior Analytics (UEBA), and Threat Detection, Investigation, and Response (TDIR).

The following vulnerabilities, when chained, enable an attacker to first bypass authentication and then execute arbitrary code:

  • CVE-2024-5716 (CVSS score not set) - authentication bypass flaw found within the password reset mechanism. This issue arises from the lack of restrictions on excessive password reset attempts. An attacker can exploit this by sending multiple requests to reset the admin’s password, attempting various reset codes until the correct one is brute-forced. Once the correct reset code is obtained, the attacker can reset the admin’s password and gain administrative access to the system.
  • CVE-2024-5717 (CVSS score not set) - post-authentication command injection flaw. This issue occurs due to improper validation of user-supplied strings before executing a system call. Although exploiting this vulnerability requires authentication, it can be combined with CVE-2024-5716 to bypass authentication. Once authenticated, the attacker can execute arbitrary code on the system, potentially leading to a reverse shell and complete control over the system.

By exploiting these vulnerabilities together, attackers could bypass authentication, log in as an administrator, and execute arbitrary system commands through the compromised admin account, gaining root privileges.
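The root cause the advisory gives for CVE-2024-5716 is the absence of any limit on reset-code guesses. As an added illustration of the mitigation (example code written for this page, not Logsign's implementation), the following reset-code store locks a code after a fixed number of wrong guesses, expires it after a time window, makes it single-use and compares it in constant time; MAX_ATTEMPTS, CODE_TTL_SECONDS and CODE_DIGITS are assumed values.

```python
import hmac
import secrets
import time

# Constructed example (not Logsign's code): a password-reset code store that
# caps verification attempts per account, so a reset code cannot be found by
# repeated guessing the way the advisory describes for CVE-2024-5716.

MAX_ATTEMPTS = 5          # assumption: lock the code after this many failures
CODE_TTL_SECONDS = 600    # assumption: a code is valid for ten minutes
CODE_DIGITS = 6           # assumption: six-digit numeric reset codes


class ResetCodeStore:
    def __init__(self, now=time.time):
        self._now = now                    # injectable clock, used by the test
        self._codes = {}                   # username -> [code, issued_at, failures]

    def issue(self, username):
        """Generate a fresh code and reset the failure counter for the account."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._codes[username] = [code, self._now(), 0]
        return code   # a real system delivers this out of band, never in the response

    def has_active_code(self, username):
        return username in self._codes

    def verify(self, username, attempt):
        """Return True only for the correct, unexpired, not-locked code.

        Every failure (wrong code, expired, locked, unknown user) returns False.
        An expired or locked code is deleted so that further guesses cannot
        succeed even if one of them happens to be right.
        """
        entry = self._codes.get(username)
        if entry is None:
            return False
        code, issued_at, failures = entry
        if self._now() - issued_at > CODE_TTL_SECONDS or failures >= MAX_ATTEMPTS:
            del self._codes[username]      # invalidate: force a new reset request
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(code.encode(), attempt.encode()):
            del self._codes[username]      # single use
            return True
        entry[2] = failures + 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._codes[username]      # lock out: too many wrong guesses
        return False
```

Logging each lockout with the account name and source address gives the SOC a ready-made detection for the brute-force pattern described above.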

Logsign has released a patch addressing these vulnerabilities in version 6.4.8. The release also fixes the following other issues, which don't have a CVSS score yet, but are very serious:

  • CVE-2024-5718: Missing Authentication Remote Code Execution Vulnerability - this vulnerability arises from the absence of authentication checks, allowing attackers to execute arbitrary code remotely.
  • CVE-2024-5719: Command Injection Remote Code Execution Vulnerability - this flaw involves command injection that enables remote code execution due to improper validation of user inputs.
  • CVE-2024-5720: Command Injection Remote Code Execution Vulnerability - this similar command injection vulnerability allows remote code execution, reflecting inadequate input validation measures.
  • CVE-2024-5721: Authentication Bypass Vulnerability - this vulnerability allows attackers to bypass authentication mechanisms, leading to unauthorized remote code execution.
  • CVE-2024-5722: HTTP API Hard-coded Cryptographic Key Remote Code Execution Vulnerability - this issue involves the use of hard-coded cryptographic keys within the HTTP API, which can be exploited for remote code execution.

Users are strongly advised to update to this version to protect their systems from potential exploits.
