CVE-2024-48951
📋 TL;DR
A Server-Side Request Forgery (SSRF) vulnerability in Logpoint SOAR allows attackers to make the server send requests to internal systems, potentially leaking the Logpoint API token. This token leak can lead to authentication bypass, granting unauthorized access to the Logpoint platform. All Logpoint installations before version 7.5.0 are affected.
💻 Affected Systems
- Logpoint SOAR
📦 What is this software?
SIEM by Logpoint
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative access to Logpoint, allowing them to exfiltrate sensitive security data, manipulate security configurations, disable monitoring, and pivot to other internal systems using Logpoint's privileged access.
Likely Case
Attackers obtain API tokens and use them to access Logpoint's API, potentially viewing security alerts, modifying automation rules, or accessing connected systems through Logpoint integrations.
If Mitigated
With proper network segmentation and API token monitoring, impact is limited to the Logpoint system itself without allowing lateral movement to other critical systems.
🎯 Exploit Status
SSRF vulnerabilities are commonly exploited and Logpoint's advisory suggests the attack chain is straightforward once initial access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.5.0
Vendor Advisory: https://servicedesk.logpoint.com/hc/en-us/articles/21968916591261-Server-Side-Request-Forgery-SSRF-on-SOAR-results-in-authentication-bypass
Restart Required: Yes
Instructions:
1. Back up Logpoint configuration and data.
2. Download Logpoint 7.5.0 from official sources.
3. Follow the Logpoint upgrade documentation for your deployment type.
4. Restart Logpoint services after the upgrade.
5. Verify that API tokens have not been compromised and rotate them if necessary.
🔧 Temporary Workarounds
Network Segmentation
Restrict the Logpoint SOAR component's outbound network access to only the external services it needs. As originally listed, an ACCEPT on ports 80/443 alone still lets the SOAR host reach internal and metadata endpoints on those ports, so drop the link-local range first. Note that the final DROP also blocks DNS and any internal traffic Logpoint itself requires; add ACCEPT rules for those destinations ahead of it.
# Block link-local (cloud metadata service) destinations before allowing web egress
iptables -A OUTPUT -d 169.254.0.0/16 -j DROP
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A OUTPUT -j DROP
API Token Monitoring
Implement monitoring for unusual API token usage patterns
🧯 If You Can't Patch
- Implement strict network controls to prevent Logpoint SOAR from accessing internal metadata services or sensitive endpoints
- Regularly rotate API tokens and monitor for unauthorized token usage
🔍 How to Verify
Check if Vulnerable:
Check Logpoint version via web interface or command line. Versions below 7.5.0 are vulnerable.
Check Version:
cat /opt/logpoint/version.txt
Verify Fix Applied:
Confirm the version is 7.5.0 or higher and test that SSRF attempts against internal endpoints are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound requests from Logpoint SOAR to internal endpoints
- Multiple failed authentication attempts followed by successful API token usage
- API token usage from unexpected IP addresses
Network Indicators:
- Logpoint SOAR making requests to internal metadata services (169.254.169.254, 192.168.0.1, etc.)
- Unexpected outbound connections from Logpoint to internal systems
SIEM Query:
source="logpoint" AND (url="*169.254.169.254*" OR url="*metadata*" OR url="*localhost*" OR url="*127.0.0.1*")
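As an added example (not from the advisory or from Logpoint), the following Python checker applies the indicators above to constructed sample log lines. It generalises the SIEM query to any loopback, link-local, private or metadata destination, including bracketed IPv6 literals and decimal-encoded hosts that the wildcard patterns would miss. The log line format, field names and hostnames are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample lines (assumed format, not Logpoint's real log schema):
# outbound HTTP requests issued by the SOAR component.
SAMPLE_LOGS = [
    "ts=2024-10-01T10:00:01Z component=soar method=GET url=https://api.vendor.example/v1/status",
    "ts=2024-10-01T10:00:05Z component=soar method=GET url=http://169.254.169.254/latest/meta-data/",
    "ts=2024-10-01T10:00:09Z component=soar method=GET url=http://metadata/computeMetadata/v1/",
    "ts=2024-10-01T10:00:12Z component=soar method=POST url=http://localhost:8080/api/token",
    "ts=2024-10-01T10:00:15Z component=soar method=GET url=http://[::1]/",
    "ts=2024-10-01T10:00:20Z component=soar method=GET url=http://192.168.0.1/admin",
    "ts=2024-10-01T10:00:25Z component=soar method=GET url=https://threatintel.example.org/feed",
]

# Hostnames that should never appear as SOAR outbound targets (assumed list).
SUSPECT_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}
URL_RE = re.compile(r"\burl=(\S+)")


def is_internal_target(url: str) -> bool:
    """True if the URL points at a loopback, link-local, private or metadata host."""
    host = urlparse(url).hostname  # lower-cased; IPv6 brackets are stripped
    if not host:
        return False
    if host in SUSPECT_HOSTNAMES or host.endswith(".internal"):
        return True
    try:
        # A pure-decimal host such as http://2130706433/ is 127.0.0.1 in disguise.
        ip = ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return False  # ordinary DNS name; resolution is out of scope here
    return ip.is_loopback or ip.is_link_local or ip.is_private or ip.is_unspecified


def find_ssrf_candidates(lines):
    """Return the URLs of outbound requests that target internal destinations."""
    hits = []
    for line in lines:
        m = URL_RE.search(line)
        if m and is_internal_target(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for url in find_ssrf_candidates(SAMPLE_LOGS):
        print("SSRF candidate:", url)
```

In production the same check would run over the SOAR component's real outbound request logs, with the hostname set extended to the metadata endpoints of the cloud provider in use.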