CVE-2020-25095
📋 TL;DR
CVE-2020-25095 is a Cross-Site Request Forgery (CSRF) vulnerability in LogRhythm Platform Manager that allows Cross-site WebSocket Hijacking (CSWH). An attacker can trick a logged-in administrator into visiting a malicious website, which then creates a WebSocket connection to the vulnerable server and executes commands with the victim's privileges. This affects LogRhythm Platform Manager administrators who access the web interface.
💻 Affected Systems
- LogRhythm Platform Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through remote command execution, data exfiltration, and complete administrative control over the LogRhythm platform.
Likely Case
Unauthorized command execution leading to data theft, system manipulation, and potential lateral movement within the network.
If Mitigated
Limited impact due to proper network segmentation, web application firewalls, and CSRF protections preventing successful exploitation.
🎯 Exploit Status
Exploitation requires social engineering to get the victim to visit a malicious site, but the technical execution is straightforward once the victim's browser has loaded that site.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.5.0 and later
Vendor Advisory: https://community.logrhythm.com/t5/Product-Security-Advisories/LogRhythm-Security-Advisory-for-CVE-2020-25095/ta-p/12241
Restart Required: Yes
Instructions:
1. Download LogRhythm Platform Manager version 7.5.0 or later from the LogRhythm support portal.
2. Follow the official upgrade documentation for your deployment.
3. Restart the Platform Manager service after installation.
🔧 Temporary Workarounds
Implement CSRF Tokens
Add CSRF protection tokens to all WebSocket connection requests to prevent unauthorized connections.
Requires application code modification - consult LogRhythm documentation for implementation details
Restrict WebSocket Origins
Configure the server to only accept WebSocket connections from trusted origins.
Configure the web server (Apache/Nginx/IIS) to validate the Origin header of WebSocket handshake requests
🧯 If You Can't Patch
- Implement strict SameSite cookie policies and Content Security Policy (CSP) headers to limit cross-origin requests.
- Segment the LogRhythm Platform Manager network and restrict access to only trusted administrative workstations.
🔍 How to Verify
Check if Vulnerable:
Check the Platform Manager version in the web interface admin panel or in the system logs. If the version is 7.4.9 or earlier, the system is vulnerable.
Check Version:
Check the web interface admin dashboard, or consult the LogRhythm system documentation for version-checking commands specific to your deployment.
Verify Fix Applied:
Verify that the Platform Manager version is 7.5.0 or later and confirm that WebSocket connection requests without a valid CSRF token are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unexpected WebSocket connections from unauthorized origins
- Unusual command execution patterns in Platform Manager logs
- Multiple failed WebSocket handshake attempts
Network Indicators:
- WebSocket traffic from non-administrative IP addresses
- Cross-origin WebSocket requests without proper CSRF tokens
- Unusual WebSocket payload patterns
SIEM Query:
source="logrhythm-pm" AND ((websocket_connection="true" AND origin!="trusted-domain.com") OR command_execution="unexpected")
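The query above expressed as a filter and run over constructed log lines, as an added example (not LogRhythm's query language or log format; the key=value layout, the field names and the trusted-origin set are assumptions). It applies the grouping the query intends: the source must match, and then either an accepted WebSocket connection from an untrusted (or missing) origin or an unexpected command execution raises the alert.

```python
import shlex
from typing import Dict, List

# Constructed allow-list standing in for origin!="trusted-domain.com".
TRUSTED_ORIGINS = {"https://pm.example.internal"}

# Constructed sample log lines in an assumed key=value format.
SAMPLE_LOG = """\
ts=2020-09-01T10:00:01Z source=logrhythm-pm websocket_connection=true origin=https://pm.example.internal user=admin
ts=2020-09-01T10:00:05Z source=logrhythm-pm websocket_connection=true origin=https://attacker.example user=admin
ts=2020-09-01T10:00:06Z source=logrhythm-pm websocket_connection=false command_execution=unexpected user=admin
ts=2020-09-01T10:00:09Z source=other-app websocket_connection=true origin=https://attacker.example user=svc
ts=2020-09-01T10:00:12Z source=logrhythm-pm websocket_connection=true user=admin
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict; shlex keeps quoted values intact."""
    fields: Dict[str, str] = {}
    for tok in shlex.split(line):
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def matches_query(event: Dict[str, str]) -> bool:
    """source="logrhythm-pm" AND ((websocket_connection="true" AND origin untrusted)
    OR command_execution="unexpected").

    An accepted connection with no origin field at all is flagged as well: a
    browser-initiated handshake always carries an Origin header, so its absence
    from the record is itself worth a look.
    """
    if event.get("source") != "logrhythm-pm":
        return False
    ws_untrusted = (event.get("websocket_connection") == "true"
                    and event.get("origin") not in TRUSTED_ORIGINS)
    unexpected_cmd = event.get("command_execution") == "unexpected"
    return ws_untrusted or unexpected_cmd


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed events from log_text that match the query."""
    events = (parse_line(line) for line in log_text.splitlines() if line.strip())
    return [event for event in events if matches_query(event)]


if __name__ == "__main__":
    for event in find_suspicious(SAMPLE_LOG):
        print(event["ts"], event.get("origin", "<no origin>"),
              event.get("command_execution", ""))
```

Running it on the constructed sample flags three of the five lines: the cross-origin handshake, the unexpected command execution, and the handshake recorded without any origin; the trusted-origin handshake and the event from a different source are left alone.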