Logsign Unified SecOps Platform Multiple Remote Code Execution and Authentication Bypass Vulnerability

Vulnerability Information

Vulnerability name: Logsign Unified SecOps Platform Multiple Remote Code Execution and Authentication Bypass Vulnerability

Vulnerability identifiers:

  • CVE: CVE-2024-5716, CVE-2024-5717, CVE-2024-5718, CVE-2024-5719, CVE-2024-5720, CVE-2024-5721, CVE-2024-5722

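Vulnerability type: Command execution

Severity: High

Vulnerability description: Logsign Unified SecOps Platform is a unified security operations platform that integrates security information and event management (SIEM), user behavior analytics (UEBA), network traffic analysis (NTA) and other security functions. It is widely used for enterprise security monitoring and threat detection, helping organizations achieve comprehensive security situational awareness and rapid response. Older versions of the platform contain multiple high-severity vulnerabilities, including authentication bypass, command injection and missing authentication, which can lead to remote code execution. Specifically, CVE-2024-5716 is an authentication bypass vulnerability that lets an attacker bypass the authentication mechanism and access restricted resources directly. CVE-2024-5717, CVE-2024-5719 and CVE-2024-5720 are command injection vulnerabilities through which an attacker can execute arbitrary commands on the server by supplying crafted malicious input. CVE-2024-5718 and CVE-2024-5721 are missing authentication vulnerabilities that allow certain operations to be performed without authenticating. CVE-2024-5722 is a hard-coded cryptographic key vulnerability; an attacker can use the key to execute code remotely. Together these vulnerabilities allow an attacker to take full control of an affected system, with serious consequences such as data leakage and service disruption. Because some of the vulnerabilities can be exploited without authentication and the attacks can be automated, the risk is very high.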

Vendor: Logsign

Product name: Logsign Unified SecOps Platform

Affected versions: version <= 6.4.7, 6.3.x, 6.2.x

Search query: title:"Logsign"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/06f25608f3073dd7b81a6798bd83c39bf5d0140e/http%2Fvulnerabilities%2Flogsign%2Flogsign-rce.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details

id: logsign-rce
info:
  name: Logsign Multiple Remote Code Execution and Authentication Bypass Vulnerability
  author: sevbandonmez
  severity: High
  description: >
    This template detects multiple vulnerabilities in older versions of Logsign Unified SecOps Platform.
    It covers the following CVE numbers:
    - CVE-2024-5716: Authentication Bypass Vulnerability
    - CVE-2024-5717: Command Injection Vulnerability Leading to Remote Code Execution
    - CVE-2024-5718: Missing Authentication Vulnerability Leading to Remote Code Execution
    - CVE-2024-5719: Another Instance of Command Injection Vulnerability Leading to Remote Code Execution
    - CVE-2024-5720: Yet Another Instance of Command Injection Vulnerability Leading to Remote Code Execution
    - CVE-2024-5721: Another Instance of Missing Authentication Vulnerability Leading to Remote Code Execution
    - CVE-2024-5722: HTTP API Hard-coded Cryptographic Key Vulnerability Leading to Remote Code Execution
  metadata:
    verified: true
    shodan-query: title:"Logsign"
    max-request: 1
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
    cvss-score: 8.6
    cve-id:
      - CVE-2024-5716
      - CVE-2024-5717
      - CVE-2024-5718
      - CVE-2024-5719
      - CVE-2024-5720
      - CVE-2024-5721
      - CVE-2024-5722
    cwe-id:
      - CWE-305
      - CWE-94
      - CWE-306
      - CWE-321
  tags: cve, cve2024

requests:
  - method: GET
    path:
      - "{{BaseURL}}/api/settings/license_status"
    headers:
      Host: "{{Hostname}}"
      User-Agent: Mozilla/5.0 (Android 14; Mobile; rv:109.0) Gecko/126.0 Firefox/126.0
      Accept: application/json, text/plain, */*
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate, br
      Connection: keep-alive
      Referer: http://{{Hostname}}/ui/modules/login/
    # Require all three matchers; nuclei defaults to "or", so a bare 200 would otherwise match.
    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"software_alias": "Siem"'
        condition: and
        part: body
      - type: regex
        regex:
          - '"version": "6\.(4\.[0-7]|3\.\d{1,2}|2\.\d{1,2})"'
        part: body
      - type: status
        status:
          - 200
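
An added example, not part of the template or of Logsign's code: the same version triage done by parsing the `/api/settings/license_status` body as JSON, so the result does not depend on the exact `"key": "value"` spacing the word and regex matchers need. The field names come from the template; the nesting of the response, the `classify` and `find_key` helpers, the constructed sample bodies in the test, and the use of the page's "version <= 6.4.7" line as the cut-off (which also flags releases older than 6.2) are assumptions.

```python
import json
import re

# Last affected release according to the page's "affected versions" line.
LAST_AFFECTED = (6, 4, 7)


def find_key(obj, key):
    """Depth-first search for `key`; the response layout is not documented
    on the page, so nesting is tolerated (assumption)."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        children = obj.values()
    elif isinstance(obj, list):
        children = obj
    else:
        return None
    for child in children:
        found = find_key(child, key)
        if found is not None:
            return found
    return None


def classify(body):
    """Classify a license_status response body.

    Returns "affected", "not-affected", "review" (Logsign, but the version
    string is missing or not in x.y.z form) or "not-logsign".
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-logsign"
    if find_key(doc, "software_alias") != "Siem":
        return "not-logsign"
    version = find_key(doc, "version")
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version) if isinstance(version, str) else None
    if match is None:
        return "review"
    # Tuple comparison avoids the string-compare trap where "6.4.10" < "6.4.7".
    parsed = tuple(int(part) for part in match.groups())
    return "affected" if parsed <= LAST_AFFECTED else "not-affected"
```

A "review" result means the host identifies as Logsign but needs a manual version check before it is cleared.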



http://example.com/2025/08/04/github_1893856856/
Author: lianccc
Published: August 4, 2025