Graylog is a widely used, free, and open source log management platform. However, a vulnerability has been discovered in versions 4.3. through 5.1.11 and 5.2.4, where reauthenticating with an existing session cookie might lead to session id reuse, even if the user credentials are different. This vulnerability, identified as CVE-2024-24823, could be potentially exploited by a malicious user to gain elevated access to an existing Graylog login session by injecting their session cookie into someone else's browser. This article will provide an overview of the exploit details, links to original references, and possible workarounds to minimize the attack surface.

Exploit Details

Although the complexity of CVE-2024-24823 is high, its potential impact is significant. To execute a successful attack, the malicious user would need to present a spoofed login screen and inject a session cookie into an existing browser, possibly through a cross-site scripting attack. It is important to note that no such attack has been discovered so far.

The following code snippet demonstrates how the session ID reuse could be exploited

import requests

# Spoof the Graylog login screen
def spoof_login_screen():
    # code to present a spoofed login screen
    pass

# Inject session cookie into the target's browser
def inject_session_cookie(cookies):
    # code to inject session cookie
    pass

# Obtain valid session cookie and inject into the target's browser
def exploit_graylog(url, username, password):
    spoof_login_screen()

    response = requests.post(url + "/api/system/sessions", 
                             data={"username": username, "password": password})
    
    if response.status_code == 200:
        cookies = response.cookies
        inject_session_cookie(cookies)

Original References

- Graylog Security Advisory
- National Vulnerability Database

Mitigation Methods

Graylog has released patches for this vulnerability in versions 5.1.11, 5.2.4, and any versions of the 6. development branch. To minimize the attack surface, it is strongly recommended that users update their Graylog installation to the patched versions.

However, if immediate patching is not possible, the following workarounds may help minimize the attack vector:

Use short session expiration times and ensure explicit logouts for unused sessions.

2. Implement a proxy to clear the authentication cookie for the Graylog server URL for the /api/system/sessions endpoint, as it is the only vulnerable point.

For example, the following code snippet can be used to create a proxy server in Python

from http.server import HTTPServer, BaseHTTPRequestHandler

class ProxyHTTPRequestHandler(BaseHTTPRequestHandler):
    proxy_url = "http://graylog.example.com:900";

    def clear_authentication_cookie(self, path):
        if path == "/api/system/sessions":
            self.send_header("Set-Cookie", "authentication=; path=/; expires=Thu, 01 Jan 197 00:00:00 GMT")

    def do_GET(self):
        # Forward the request, retrieve the response and clear the authentication cookie if necessary
        pass

    def do_POST(self):
        # Forward the request, retrieve the response and clear the authentication cookie if necessary
        pass

if __name__ == "__main__":
    httpd = HTTPServer(("", 808), ProxyHTTPRequestHandler)
    httpd.serve_forever()

Conclusion

While CVE-2024-24823 is a relatively hard-to-exploit vulnerability in Graylog, it is crucial to be aware of its potential risks. Applying the available patches and implementing the suggested workarounds can help secure your Graylog installation and minimize the chances of a security breach. Regularly checking for updates and security advisories is also advisable as part of ongoing security measures.

Timeline

Published on: 02/07/2024 18:15:54 UTC
Last modified on: 02/15/2024 15:41:48 UTC