CVE-2024-7603

8.1 HIGH

📋 TL;DR

This vulnerability allows authenticated remote attackers to delete arbitrary directories on Logsign Unified SecOps Platform installations. Attackers can leverage directory traversal in the HTTP API service to delete system directories with root privileges. Organizations running vulnerable Logsign versions are affected.

💻 Affected Systems

Products:
  • Logsign Unified SecOps Platform
Versions: prior to 6.4.23
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: The HTTP API service runs on TCP port 443 by default. Authentication is required but could be bypassed through credential compromise.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through deletion of critical system directories, leading to service disruption, data loss, and potential privilege escalation.

🟠 Likely Case

Targeted deletion of application directories causing service disruption, data loss, and potential foothold for further attacks.

🟢 If Mitigated

Limited impact if proper network segmentation and authentication controls prevent unauthorized access to the HTTP API.

🌐 Internet-Facing: HIGH - The HTTP API service listens on port 443 by default and requires only authentication, which could be compromised through credential theft or weak credentials.
🏢 Internal Only: HIGH - Even internally, authenticated users or compromised accounts could exploit this to cause significant damage.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication but relies on simple directory traversal techniques. The vulnerability is documented in the ZDI-24-1105 advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.23

Vendor Advisory: https://support.logsign.net/hc/en-us/articles/20617133769362-06-08-2024-Version-6-4-23-Release-Notes

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Download Logsign Unified SecOps Platform version 6.4.23 from official sources.
3. Follow the vendor upgrade instructions for your deployment type.
4. Restart services after the upgrade.
5. Verify the fix by testing directory traversal attempts.

🔧 Temporary Workarounds

Restrict HTTP API Access (linux)

Limit network access to the HTTP API service to trusted IP addresses only:

# Replace TRUSTED_IP with the address or CIDR of the hosts allowed to reach the API
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

Implement Strong Authentication Controls (all platforms)

Enforce multi-factor authentication and strong password policies for all API users.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Logsign platform from critical systems
  • Enable detailed logging and monitoring of all HTTP API directory operations

🔍 How to Verify

Check if Vulnerable:

Check Logsign version via web interface or command line. Versions below 6.4.23 are vulnerable.

Check Version:

Check web interface admin panel or run: cat /opt/logsign/version.txt

Verify Fix Applied:

After upgrading to 6.4.23, attempt directory traversal attacks against the HTTP API to confirm they are blocked.

📡 Detection & Monitoring

Log Indicators:

  • HTTP API requests containing '../' patterns
  • Failed directory deletion attempts
  • Unusual authentication patterns to API

Network Indicators:

  • HTTP POST requests to API endpoints with path traversal payloads
  • Multiple failed authentication attempts followed by successful login

SIEM Query:

source="logsign" AND (http_uri="*../*" OR http_body="*../*")
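The SIEM query above only matches a literal '../'. As an added example (not from this page or from Logsign), the following Python scans constructed HTTP API access-log lines for traversal in the URI or request body, percent-decoding repeatedly (so double-encoded variants are caught) and folding backslashes to forward slashes; the log line format, field order and endpoint names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines: "ip user method uri [json-body] status".
# The format and the /api/dir/delete endpoint are assumptions for illustration.
SAMPLE_LOGS = [
    '10.0.0.5 admin POST /api/dir/delete {"path":"/opt/logsign/tmp/old"} 200',
    '10.0.0.9 admin POST /api/dir/delete {"path":"../../../../etc"} 200',
    '10.0.0.9 admin POST /api/dir/delete {"path":"%2e%2e%2f%2e%2e%2fvar"} 200',
    '10.0.0.9 admin POST /api/dir/delete {"path":"..%252f..%252fusr"} 403',
    '10.0.0.7 ops GET /api/status 200',
]

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+)(?: (\{.*\}))? (\d{3})$')


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) and fold backslashes to '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/')


def has_traversal(value: str) -> bool:
    """True if any '/'-separated segment is '..' after normalization."""
    return any(seg == '..' for seg in normalize(value).split('/'))


def scan(lines):
    """Return (src_ip, user, uri, status) for requests whose URI or body traverses.
    The status is kept so failed (4xx) and successful (2xx) attempts can be told apart."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real collector should count these
        ip, user, method, uri, body, status = m.groups()
        if has_traversal(uri) or (body and has_traversal(body)):
            hits.append((ip, user, uri, int(status)))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("traversal attempt:", hit)
```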
