CVE-2024-33860
📋 TL;DR
This Local File Inclusion vulnerability in Logpoint versions before 7.4.0 allows attackers to read arbitrary files on the system through the File System Collector. Attackers can view sensitive file contents in incoming logs. This affects all Logpoint deployments using vulnerable versions.
💻 Affected Systems
- Logpoint
📦 What is this software?
SIEM by Logpoint
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through reading sensitive files like /etc/shadow, SSH keys, or configuration files containing credentials, potentially leading to privilege escalation or lateral movement.
Likely Case
Unauthorized access to sensitive system files, configuration files, or application data, resulting in information disclosure and potential credential theft.
If Mitigated
Limited impact with proper file permissions and network segmentation, though sensitive information could still be exposed.
🎯 Exploit Status
LFI vulnerabilities are commonly exploited. Requires authenticated access to the Logpoint interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.4.0
Vendor Advisory: https://servicedesk.logpoint.com/hc/en-us/articles/18533986803741-Local-File-Inclusion-in-File-System-Collector
Restart Required: Yes
Instructions:
1. Back up current configuration and data.
2. Download Logpoint 7.4.0 from official sources.
3. Follow Logpoint upgrade documentation for your deployment type.
4. Verify upgrade completion and functionality.
🔧 Temporary Workarounds
Restrict File System Collector Access
(all platforms) Limit which users can access or configure the File System Collector component.
# Configure role-based access control in Logpoint to restrict File System Collector permissions
File Permission Hardening
(linux) Set strict file permissions on sensitive system files to limit what can be read even if LFI succeeds.
chmod 600 /etc/shadow
chmod 600 ~/.ssh/*
chmod 600 sensitive_config_files
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Logpoint systems from sensitive data stores.
- Deploy file integrity monitoring to detect unauthorized file access attempts.
🔍 How to Verify
Check if Vulnerable:
Check the Logpoint version via the web interface or the command line. If the version is below 7.4.0, the system is vulnerable.
Check Version:
Check Logpoint web interface dashboard or run: grep version /opt/logpoint/version.txt
Verify Fix Applied:
Confirm version is 7.4.0 or higher and test File System Collector with path traversal attempts that should be blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual file path patterns in File System Collector logs
- Multiple failed LFI attempts in application logs
- Access to sensitive file paths in collector logs
Network Indicators:
- Unusual outbound connections from Logpoint server after LFI exploitation
SIEM Query:
source="logpoint" AND (path="*../*" OR path="*/etc/*" OR path="*/root/*")
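
The wildcard query above matches on raw substrings. As an added example (not Logpoint code and not part of the vendor advisory), the same check can be run offline over exported log lines, resolving `../` segments first so the alert shows the file actually targeted and so a path such as `/opt/app/etc/app.conf` is not flagged. The `path="..."` field layout, the function names and the sample lines are assumptions made for illustration.

```python
import posixpath
import re

# Prefixes taken from the page's SIEM query (*/etc/*, */root/*).
SENSITIVE_PREFIXES = ("/etc/", "/root/")
# Assumed key="value" layout; adapt the pattern to the real collector log format.
PATH_FIELD = re.compile(r'\bpath="([^"]*)"')


def classify_path(raw):
    """Return (resolved_path, reasons) for one collected path."""
    reasons = []
    if ".." in raw.split("/"):
        reasons.append("traversal")
    # Anchor at "/" so leading "../" segments and "//" collapse predictably.
    resolved = posixpath.normpath("/" + raw.lstrip("/"))
    for prefix in SENSITIVE_PREFIXES:
        if (resolved + "/").startswith(prefix):
            reasons.append("sensitive:" + prefix)
    return resolved, reasons


def scan(lines):
    """Return [(line_number, resolved_path, reasons)] for suspicious lines only."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = PATH_FIELD.search(line)
        if not match:
            continue
        resolved, reasons = classify_path(match.group(1))
        if reasons:
            hits.append((number, resolved, reasons))
    return hits


# Constructed sample lines, not real Logpoint output.
SAMPLE_LOG = [
    'user=analyst1 action=collector_update path="/var/log/nginx/access.log"',
    'user=analyst2 action=collector_update path="/var/log/app/../../../etc/shadow"',
    'user=analyst2 action=collector_update path="/root/.ssh/id_rsa"',
    'user=analyst3 action=collector_update path="/opt/app/etc/app.conf"',
    'user=analyst3 action=collector_update path="../../etc/passwd"',
]

if __name__ == "__main__":
    for number, resolved, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {resolved} -> {', '.join(reasons)}")
```
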