CVE-2024-7600
📋 TL;DR
This vulnerability allows authenticated remote attackers to delete arbitrary files on Logsign Unified SecOps Platform installations. Attackers can exploit a directory traversal flaw in the HTTP API service to delete files with root privileges. Organizations running vulnerable versions of Logsign Unified SecOps Platform are affected.
💻 Affected Systems
- Logsign Unified SecOps Platform
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via deletion of critical system files, configuration files, or security logs, potentially leading to service disruption, data loss, or further privilege escalation.
Likely Case
Targeted deletion of specific files to disrupt security monitoring, cover tracks of other attacks, or delete configuration files to weaken security posture.
If Mitigated
Limited impact if proper network segmentation, authentication controls, and file permission restrictions are in place, though file deletion could still occur.
🎯 Exploit Status
Exploitation requires valid credentials but uses simple directory traversal techniques. ZDI has published advisory details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.23
Vendor Advisory: https://support.logsign.net/hc/en-us/articles/20617133769362-06-08-2024-Version-6-4-23-Release-Notes
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Download version 6.4.23 from the Logsign support portal.
3. Follow the Logsign upgrade documentation for your deployment type.
4. Restart services after the upgrade completes.
🔧 Temporary Workarounds
Restrict API Access
Limit network access to the HTTP API service (port 443) to trusted IP addresses only using firewall rules.
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Implement Strong Authentication
Enforce multi-factor authentication and strong password policies for all Logsign user accounts.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Logsign platform from other critical systems
- Enable detailed audit logging for all file deletion operations and monitor for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check Logsign web interface or configuration files for version number. Versions below 6.4.23 are vulnerable.
Check Version:
Check web interface at https://<logsign-ip>/admin or examine /opt/logsign/version.txt
Verify Fix Applied:
Verify version shows 6.4.23 or higher in administration interface and test that directory traversal attempts are properly blocked.
📡 Detection & Monitoring
Log Indicators:
- HTTP API requests containing '../' sequences
- Unexpected file deletion events in system logs
- Failed authentication attempts followed by API calls
Network Indicators:
- HTTP POST requests to API endpoints with path traversal payloads
- Unusual patterns of file deletion API calls
SIEM Query:
source="logsign" AND (http_uri="*../*" OR (action="delete" AND result="success"))
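The SIEM query above matches a literal `../` in the URI, which misses percent-encoded forms of the same sequence. The following added example (not from the advisory or from Logsign) scans constructed HTTP API log lines in an assumed key=value format, percent-decodes the URI before matching, and flags the two log indicators listed above: traversal sequences and successful delete actions.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in an assumed "key=value" format. The real
# Logsign log schema is not given on the advisory page; adapt parse_line().
SAMPLE_LOGS = [
    "ts=2024-08-06T10:01:02Z user=alice src=10.0.0.5 method=POST "
    "http_uri=/api/reports/delete?name=weekly.pdf action=delete result=success",
    "ts=2024-08-06T10:02:10Z user=bob src=203.0.113.7 method=POST "
    "http_uri=/api/reports/delete?name=../../../../etc/hosts action=delete result=success",
    "ts=2024-08-06T10:02:11Z user=bob src=203.0.113.7 method=POST "
    "http_uri=/api/reports/delete?name=%2e%2e%2f%2e%2e%2fopt%2fx action=delete result=failure",
    "ts=2024-08-06T10:03:00Z user=carol src=10.0.0.9 method=GET "
    "http_uri=/api/dashboards action=read result=success",
]

KV_RE = re.compile(r"(\w+)=(\S+)")          # key=value tokens separated by spaces
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")     # "../" or "..\" anywhere in the decoded URI

def parse_line(line):
    """Split one log line into a dict; the URI keeps its own '?name=' query intact."""
    return dict(KV_RE.findall(line))

def normalize_uri(uri, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are also caught."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def classify(event):
    """Return the indicator names (from the advisory's log indicator list) that match."""
    hits = []
    if TRAVERSAL_RE.search(normalize_uri(event.get("http_uri", ""))):
        hits.append("path_traversal")
    if event.get("action") == "delete" and event.get("result") == "success":
        hits.append("successful_delete")
    return hits

def scan(lines):
    """Return (event, hits) pairs for every line matching at least one indicator."""
    findings = []
    for line in lines:
        event = parse_line(line)
        hits = classify(event)
        if hits:
            findings.append((event, hits))
    return findings

if __name__ == "__main__":
    for event, hits in scan(SAMPLE_LOGS):
        print(event["ts"], event["user"], event["src"], ",".join(hits))
```

Lines that carry both indicators at once (traversal sequence and a successful delete) are the ones to escalate first; a traversal sequence on a failed delete still merits review of that account's other API calls.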