Zero Day Initiative | Blog

Getting Unauthenticated Remote Code Execution on the Logsign Unified SecOps Platform

- ZDI acquired several vulnerabilities in the Logsign Unified SecOps Platform from Mehmet INCE.
- CVE-2024-5716 is an authentication bypass: the password reset code for the "admin" user can be brute-forced.
- This vulnerability stems from a lack of rate-limiting on password reset requests.
- CVE-2024-5717 is a post-authentication command injection caused by improper validation of user-supplied input that is passed to system calls.
- The command injection can be exploited using backticks.
- Although CVE-2024-5717 requires authentication on its own, chaining it with CVE-2024-5716 yields unauthenticated remote code execution.
- An exploit combining both vulnerabilities can be used to obtain a reverse shell.
- Logsign patched both vulnerabilities in version 6.4.8.
- The authentication bypass highlights the risks of implementing custom authentication mechanisms.
- Vendors should regularly audit their software to address potential vulnerabilities.
- Stay vigilant and don't be complacent with authentication as a sole defense measure.
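As an added illustration (not code from the ZDI post or from Logsign), the following reset-code verifier enforces the control whose absence enabled CVE-2024-5716, a cap on verification attempts per issued code, and additionally gives each code a short lifetime and single use. Class and method names are hypothetical.

```python
import hmac
import secrets
import time

# Constructed example of a password-reset code verifier. A brute-force of
# a 6-digit code is only feasible when the server accepts unlimited guesses;
# with max_attempts=5 an attacker gets at most 5 tries per issued code.
class ResetCodeVerifier:
    def __init__(self, digits=6, max_attempts=5, ttl_seconds=600, clock=time.time):
        self.digits = digits
        self.max_attempts = max_attempts
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        self._pending = {}          # user -> [code, issued_at, attempts]

    def issue(self, user):
        """Generate a fresh code for the user; any earlier code is discarded."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.digits))
        self._pending[user] = [code, self.clock(), 0]
        return code

    def verify(self, user, candidate):
        """Return True once, on a correct guess within the attempt and time budget."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, issued_at, attempts = entry
        if self.clock() - issued_at > self.ttl or attempts >= self.max_attempts:
            # Expired or attempt budget exhausted: drop the code so the user
            # must request a new one (which should itself be rate-limited).
            del self._pending[user]
            return False
        entry[2] += 1
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(code, str(candidate)):
            del self._pending[user]  # codes are single use
            return True
        return False
```

Counting attempts against the issued code, rather than the client IP, also defeats distributed guessing from many source addresses.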