CVE-2024-48953
📋 TL;DR
This vulnerability allows unauthenticated attackers to register custom authentication plugins in Logpoint, bypassing normal authentication mechanisms. Any Logpoint deployment before version 7.5.0 is affected, potentially allowing unauthorized access to the security information and event management (SIEM) system.
💻 Affected Systems
- Logpoint SIEM
📦 What is this software?
SIEM by Logpoint
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Logpoint SIEM system, allowing attackers to create persistent backdoor authentication methods, access sensitive security data, and potentially pivot to other systems.
Likely Case
Unauthorized access to Logpoint with ability to view security logs, modify configurations, and potentially escalate privileges within the SIEM environment.
If Mitigated
Limited impact with proper network segmentation and authentication controls, though the vulnerability still presents a significant security risk.
🎯 Exploit Status
The vulnerability requires no authentication and involves simple HTTP requests to specific endpoints, making exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.5.0
Vendor Advisory: https://servicedesk.logpoint.com/hc/en-us/articles/21968899128221-Authentication-Bypass-using-URL-endpoints-in-the-Authentication-Modules
Restart Required: Yes
Instructions:
1. Back up the current Logpoint configuration.
2. Upgrade to Logpoint version 7.5.0 or later.
3. Restart Logpoint services.
4. Verify that the authentication endpoints are properly secured.
🔧 Temporary Workarounds
Network Access Control
Restrict access to Logpoint authentication endpoints using firewall rules or network segmentation, for example (Linux):
iptables -A INPUT -p tcp --dport [LOGPOINT_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [LOGPOINT_PORT] -j DROP
Web Application Firewall
Implement WAF rules to block unauthorized requests to authentication module endpoints.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Logpoint from untrusted networks
- Deploy additional authentication layers (2FA, IP whitelisting) for Logpoint access
🔍 How to Verify
Check if Vulnerable:
Check the Logpoint version via the web interface or command line. If the version is below 7.5.0, the system is vulnerable.
Check Version:
logpoint-cli --version
Verify Fix Applied:
After upgrading to 7.5.0+, verify that unauthenticated requests to authentication module endpoints return proper authorization errors.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /api/auth/modules endpoints
- Unusual authentication plugin registration events
- Failed authorization checks for authentication operations
Network Indicators:
- HTTP POST/PUT requests to authentication endpoints from unauthorized sources
- Unusual traffic patterns to authentication module URLs
SIEM Query:
source="logpoint" AND (url_path="/api/auth/modules" OR event_type="auth_module_operation") AND user="anonymous"
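The log indicators above can be checked with a small detector run over web-server access logs. This is an added example, not code from the page or from Logpoint; it assumes a combined-log line layout, a hypothetical trusted management network of 10.0.5.0/24, and the /api/auth/modules path named above. The log lines are constructed.

```python
import ipaddress
import re

# Constructed sample access-log lines in a common combined-log layout.
# The endpoint path comes from the advisory; IPs, timestamps and users are made up.
SAMPLE_LOG = """\
10.0.5.12 - admin [02/Nov/2024:10:01:12 +0000] "GET /api/auth/modules HTTP/1.1" 200 512
203.0.113.7 - - [02/Nov/2024:10:02:45 +0000] "POST /api/auth/modules HTTP/1.1" 200 87
10.0.5.12 - - [02/Nov/2024:10:03:01 +0000] "PUT /api/auth/modules/custom HTTP/1.1" 201 64
198.51.100.9 - - [02/Nov/2024:10:03:30 +0000] "GET /dashboard HTTP/1.1" 302 0
198.51.100.9 - admin [02/Nov/2024:10:04:10 +0000] "POST /api/auth/modules HTTP/1.1" 403 31
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Hypothetical trusted management network; adjust to the real deployment.
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]
AUTH_MODULE_PREFIX = "/api/auth/modules"


def detect_auth_module_abuse(log_text: str) -> list[dict[str, str]]:
    """Flag POST/PUT requests to the auth-module endpoint that carry no authenticated
    user or come from outside the trusted network; a 2xx status is rated high."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        if not ev["path"].startswith(AUTH_MODULE_PREFIX):
            continue
        if ev["method"] not in ("POST", "PUT"):
            continue
        anonymous = ev["user"] == "-"
        src = ipaddress.ip_address(ev["ip"])
        untrusted = not any(src in net for net in TRUSTED_NETS)
        if anonymous or untrusted:
            ev["reason"] = "anonymous" if anonymous else "untrusted_source"
            # A successful write from an anonymous or untrusted source is the strongest signal.
            ev["severity"] = "high" if ev["status"].startswith("2") else "medium"
            alerts.append(ev)
    return alerts


if __name__ == "__main__":
    for a in detect_auth_module_abuse(SAMPLE_LOG):
        print(a["severity"], a["reason"], a["ip"], a["method"], a["path"], a["status"])
```

Authenticated, in-network writes (such as a normal administrator change) are not flagged; tune TRUSTED_NETS before using this against real logs.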