CVE-2024-56084
📋 TL;DR
Authenticated users in Logpoint UniversalNormalizer can inject malicious payloads while creating Universal Normalizer configurations, leading to remote code execution on the server. This affects all Logpoint deployments running versions before 5.7.0 where users have authenticated access to create normalizers.
💻 Affected Systems
- Logpoint UniversalNormalizer
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands with the privileges of the Logpoint service account, potentially leading to data exfiltration, lateral movement, or complete system takeover.
Likely Case
Attackers with authenticated access (including compromised accounts) execute commands to establish persistence, steal sensitive data, or deploy ransomware.
If Mitigated
Limited impact with proper network segmentation, minimal user privileges, and monitoring preventing successful exploitation.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained; the CWE-77 classification (Command Injection) suggests a simple payload injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.7.0
Vendor Advisory: https://servicedesk.logpoint.com/hc/en-us/articles/22137632418845-Remote-Code-Execution-while-creating-Universal-Normalizer
Restart Required: Yes
Instructions:
1. Back up Logpoint configuration and data.
2. Upgrade to Logpoint UniversalNormalizer version 5.7.0 or later.
3. Restart Logpoint services.
4. Verify normalizer functionality post-upgrade.
🔧 Temporary Workarounds
Restrict Normalizer Creation
Limit user permissions to prevent creation of Universal Normalizers by non-admin users.
Configure Logpoint role-based access control to remove 'Create Normalizer' permissions from standard users.
Network Segmentation
Isolate the Logpoint management interface from general user networks.
Configure firewall rules to restrict access to the Logpoint management interface to authorized admin networks only.
🧯 If You Can't Patch
- Implement strict access controls allowing only necessary users to create normalizers
- Monitor and audit all normalizer creation activities for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check the Logpoint version via the admin interface or the command 'lpadmin --version', and verify whether it is below 5.7.0.
Check Version:
lpadmin --version
Verify Fix Applied:
Confirm the version is 5.7.0 or higher and test normalizer creation functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual normalizer creation events
- Suspicious command execution in Logpoint logs
- Multiple failed authentication attempts followed by normalizer creation
Network Indicators:
- Unexpected outbound connections from Logpoint server
- Unusual traffic patterns to/from Logpoint management interface
SIEM Query:
source="logpoint" AND ((event_type="normalizer_creation" AND user NOT IN ["admin_users"]) OR (process_execution AND parent_process="logpoint"))
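The log indicators above (normalizer creation by a non-admin user, a burst of failed logins followed by normalizer creation, and a process spawned under the Logpoint service) can be checked outside the SIEM as well. The following is an added example, not code from the page or from Logpoint; the key=value log format, field names and the admin allow-list are constructed assumptions, so map them to your real Logpoint event fields before use.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real Logpoint output); field names are assumed.
SAMPLE_LOGS = [
    "ts=2024-12-01T10:00:01 source=logpoint event_type=auth_failure user=jsmith",
    "ts=2024-12-01T10:00:05 source=logpoint event_type=auth_failure user=jsmith",
    "ts=2024-12-01T10:00:09 source=logpoint event_type=auth_failure user=jsmith",
    "ts=2024-12-01T10:00:20 source=logpoint event_type=auth_success user=jsmith",
    "ts=2024-12-01T10:01:00 source=logpoint event_type=normalizer_creation user=jsmith name=custom_norm",
    "ts=2024-12-01T10:01:02 source=logpoint event_type=process_execution parent_process=logpoint process=/bin/sh",
    "ts=2024-12-01T11:00:00 source=logpoint event_type=normalizer_creation user=alice name=syslog_norm",
]

ADMIN_USERS = {"alice"}  # assumed allow-list of users expected to create normalizers


def parse_line(line):
    """Parse one key=value log line into a dict with a datetime 'ts'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def detect(lines, admin_users=ADMIN_USERS, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (rule, subject, timestamp) alerts for the three indicators listed on the page."""
    alerts = []
    failures = {}  # user -> timestamps of recent authentication failures
    for ev in (parse_line(line) for line in lines):
        if ev.get("source") != "logpoint":
            continue  # only Logpoint events are in scope, as in the SIEM query
        etype = ev.get("event_type")
        if etype == "auth_failure":
            failures.setdefault(ev["user"], []).append(ev["ts"])
        elif etype == "normalizer_creation":
            user = ev["user"]
            if user not in admin_users:
                alerts.append(("non_admin_normalizer_creation", user, ev["ts"]))
            # Correlate: N or more failed logins within the window before the creation
            recent = [t for t in failures.get(user, []) if ev["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append(("auth_failures_then_normalizer_creation", user, ev["ts"]))
        elif etype == "process_execution" and ev.get("parent_process") == "logpoint":
            alerts.append(("process_spawned_by_logpoint", ev.get("process"), ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```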