CVE-2024-5721
published 2024-11-22

CVE-2024-5721: Logsign Unified SecOps Platform Missing Authentication Remote Code Execution Vulnerability

Priority: P2, 73 (high)
CVSS 3.1 base score: 8.1 (High)
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 5.83% (92.2nd percentile)
Logsign Unified SecOps Platform Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Logsign Unified SecOps Platform. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the cluster HTTP API, which listens on TCP port 1924 when enabled. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-24169.

Affected (2 ranges)

  Vendor    Product                    Version range        Fixed in
  logsign   unified_secops_platform    (not given)          (not given)
  logsign   unified_secops_platform    >= 6.4.6, < 6.4.8    6.4.8

Detection & IOCs (extracted from sources)

  • port 1924
  • version 4.4.2
  • version 4.4.137
  • Monitor for unauthenticated inbound connections to TCP port 1924 on Logsign Unified SecOps Platform hosts; any external access to this port is anomalous and indicative of exploitation attempts.
  • Alert on processes spawned as root originating from the Logsign cluster HTTP API service, particularly shell or interpreter processes, as the vulnerability allows code execution in the context of root.
  • Inspect HTTP requests to the Logsign cluster API endpoint for OS command injection patterns in user-supplied input fields; the endpoint passes user input directly to OS command execution without validation.
  • Flag any unauthenticated access to the Logsign cluster HTTP API endpoint; the vulnerability requires no authentication to exploit.
  • The vulnerable cluster HTTP API on TCP port 1924 is only exposed when the cluster feature is enabled; verify whether this feature is active in your deployment before assuming exposure.
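The first two detection bullets above, turned into a small log check. This is an added example, not code from the page or from Logsign: it reads constructed Zeek-style conn.log rows and flags TCP connections to port 1924 on a Logsign host that do not come from a known cluster peer, distinguishing external sources from internal non-peers. The host inventory (LOGSIGN_HOSTS, CLUSTER_PEERS) and all addresses are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

CLUSTER_API_PORT = 1924                      # cluster HTTP API port named in the advisory
# Assumed inventory (hypothetical addresses): the Logsign hosts and the peers allowed
# to talk to each other's cluster API. Anything else reaching the port is suspect.
LOGSIGN_HOSTS = {"10.0.5.10", "10.0.5.11"}
CLUSTER_PEERS = {"10.0.5.10", "10.0.5.11"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    reason: str

def parse_conn_line(line: str):
    """Parse one constructed Zeek-style conn.log row: ts, uid, src, sport, dst, dport, proto."""
    f = line.rstrip("\n").split("\t")
    if len(f) < 7 or not f[5].isdigit():
        return None
    return {"ts": f[0], "src": f[2], "dst": f[4], "dport": int(f[5]), "proto": f[6].lower()}

def check_conn(rec):
    """Return a Finding for a non-peer connection to the cluster API port, else None."""
    if rec is None or rec["proto"] != "tcp" or rec["dport"] != CLUSTER_API_PORT:
        return None
    if rec["dst"] not in LOGSIGN_HOSTS or rec["src"] in CLUSTER_PEERS:
        return None                          # not a Logsign host, or expected cluster traffic
    src = ipaddress.ip_address(rec["src"])
    if any(src in net for net in RFC1918):
        return Finding(rec["ts"], rec["src"], rec["dst"], "internal non-peer reached cluster API port")
    return Finding(rec["ts"], rec["src"], rec["dst"], "external source reached cluster API port")

def scan(log_text: str):
    """Run every non-comment row through the check and collect the findings."""
    rows = (parse_conn_line(l) for l in log_text.splitlines() if l and not l.startswith("#"))
    return [f for f in map(check_conn, rows) if f]

# Constructed sample rows (tab-separated); only rows 2 and 3 should alert.
SAMPLE_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1732233600.1\tC1\t10.0.5.11\t49152\t10.0.5.10\t1924\ttcp",      # peer-to-peer, expected
    "1732233601.2\tC2\t198.51.100.7\t51000\t10.0.5.10\t1924\ttcp",   # external source -> alert
    "1732233602.3\tC3\t10.0.9.44\t40000\t10.0.5.10\t1924\ttcp",      # internal non-peer -> alert
    "1732233603.4\tC4\t198.51.100.7\t51001\t10.0.5.10\t443\ttcp",    # other port, ignored
    "1732233604.5\tC5\t198.51.100.7\t51002\t10.0.7.1\t1924\ttcp",    # not a Logsign host, ignored
])

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{CLUSTER_API_PORT} {f.reason}")
```

The peer allowlist is what keeps legitimate cluster traffic quiet; if the cluster feature is disabled in your deployment, any hit on the port is worth a look regardless of source.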

CVSS provenance

  • NVD, CVSS v3.1: 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • NVD, CVSS v3.0: 8.1 HIGH, CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H