Logsign Multiple Remote Code Execution and Authentication Bypass Vulnerability

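Vulnerability information

Vulnerability name: Logsign Multiple Remote Code Execution and Authentication Bypass Vulnerability

Vulnerability IDs:

  • CVE: CVE-2024-5716, CVE-2024-5717, CVE-2024-5718, CVE-2024-5719, CVE-2024-5720, CVE-2024-5721, CVE-2024-5722

Vulnerability type: Command execution

Severity: High

Vulnerability description: Logsign Unified SecOps Platform is an enterprise security platform that integrates multiple security operations functions and is widely used for enterprise security monitoring and incident response. Older versions of the platform contain multiple high-severity vulnerabilities, including authentication bypass, command injection, and unauthorized access, which can lead to remote code execution. Specifically, CVE-2024-5716 is an authentication bypass vulnerability that lets an attacker access system functionality without valid credentials; CVE-2024-5717, CVE-2024-5719 and CVE-2024-5720 are command injection vulnerabilities through which an attacker can execute arbitrary commands on the server by sending crafted malicious requests; CVE-2024-5718 and CVE-2024-5721 are unauthorized access vulnerabilities that allow an attacker to bypass authentication and perform sensitive operations directly; CVE-2024-5722 involves a hard-coded cryptographic key that an attacker can exploit to execute code remotely. These vulnerabilities allow an attacker to take full control of an affected system, leading to serious consequences such as data leakage and service disruption. Because some of the vulnerabilities can be exploited without authentication and can be attacked in bulk with automated tools, the risk is extremely high.

Vendor: Logsign

Product name: Logsign Unified SecOps Platform

Affected versions: version <= 6.4.7, version <= 6.3.x, version <= 6.2.x

Search syntax: title:"Logsign"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/68cc5412527f6bdc142a5b4e6ae6656ece4d5b65/http%2Fvulnerabilities%2Flogsign%2Flogsign-rce.yaml

Type: projectdiscovery/nuclei-templates:github issues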

POC details


id: logsign-rce
info:
  name: Logsign Multiple Remote Code Execution and Authentication Bypass Vulnerability
  author: Janke
  severity: High
  description: >
    This template detects multiple vulnerabilities in older versions of Logsign Unified SecOps Platform.
    It covers the following CVE numbers:
    - CVE-2024-5716: Authentication Bypass Vulnerability
    - CVE-2024-5717: Command Injection Vulnerability Leading to Remote Code Execution
    - CVE-2024-5718: Missing Authentication Vulnerability Leading to Remote Code Execution
    - CVE-2024-5719: Another Instance of Command Injection Vulnerability Leading to Remote Code Execution
    - CVE-2024-5720: Yet Another Instance of Command Injection Vulnerability Leading to Remote Code Execution
    - CVE-2024-5721: Another Instance of Missing Authentication Vulnerability Leading to Remote Code Execution
    - CVE-2024-5722: HTTP API Hard-coded Cryptographic Key Vulnerability Leading to Remote Code Execution
  metadata:
    verified: true
    shodan-query: title:"Logsign"
    max-request: 1
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
    cvss-score: 8.6
    cve-id:
      - CVE-2024-5716
      - CVE-2024-5717
      - CVE-2024-5718
      - CVE-2024-5719
      - CVE-2024-5720
      - CVE-2024-5721
      - CVE-2024-5722
    cwe-id:
      - CWE-305
      - CWE-94
      - CWE-306
      - CWE-321
  tags: cve, cve2024

requests:
  # Single unauthenticated GET that reads the product alias and version.
  - method: GET
    path:
      - "{{BaseURL}}/api/settings/license_status"
    headers:
      Host: "{{Hostname}}"
      User-Agent: Mozilla/5.0 (Android 14; Mobile; rv:109.0) Gecko/126.0 Firefox/126.0
      Accept: application/json, text/plain, */*
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate, br
      Connection: keep-alive
      Referer: http://{{Hostname}}/ui/modules/login/
    # Require all three matchers. Without this key nuclei ORs them,
    # so any HTTP 200 response would be reported as a match.
    matchers-condition: and
    matchers:
      # Product fingerprint in the JSON body.
      - type: word
        words:
          - '"software_alias": "Siem"'
        condition: and
        part: body
      # Affected versions: 6.4.0-6.4.7, 6.3.x, 6.2.x.
      - type: regex
        regex:
          - '"version": "6\.(4\.[0-7]|3\.\d{1,2}|2\.\d{1,2})"'
        part: body
      - type: status
        status:
          - 200
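
An added example, not part of the original page or the nuclei-templates project: a Python helper for patch inventory that classifies a saved response body from /api/settings/license_status using the same fields and version ranges as the template above, but parses the JSON so the result does not depend on exact whitespace. The sample bodies are constructed, and the function names and the three result labels are assumptions.

```python
import json

# Version range encoded by the template's regex: 6.2.x, 6.3.x, 6.4.0-6.4.7.
FIRST_IN_RANGE = (6, 2, 0)
LAST_AFFECTED = (6, 4, 7)


def parse_version(text):
    """Return (major, minor, patch), or None if the value is not N.N.N."""
    parts = str(text).strip().split(".")
    if len(parts) != 3 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify_license_status(body):
    """Return "affected", "not-affected" or "unknown" for a response body."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return "unknown"  # not JSON, so not the expected endpoint output
    if not isinstance(data, dict) or data.get("software_alias") != "Siem":
        return "unknown"  # product fingerprint from the template is absent
    version = parse_version(data.get("version", ""))
    if version is None:
        return "unknown"
    if version > LAST_AFFECTED:
        return "not-affected"  # tuple compare: 6.4.10 sorts after 6.4.7
    if version >= FIRST_IN_RANGE:
        return "affected"
    return "unknown"  # older than the range the template checks


# Constructed sample bodies (not captured from a real appliance).
SAMPLES = [
    '{"software_alias": "Siem", "version": "6.4.7"}',
    # Compact JSON: the template's literal '": "' matchers would miss this.
    '{"software_alias":"Siem","version":"6.3.2"}',
    '{"software_alias": "Siem", "version": "6.4.10"}',
    "<html>login</html>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_license_status(sample), sample)
```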



Logsign Multiple Remote Code Execution and Authentication Bypass Vulnerability
http://example.com/2025/08/04/github_2073102710/
Author
lianccc
Published
August 4, 2025
License