Graylog is a widely used, free, and open source log management platform. However, a vulnerability has been discovered in versions 4.3. through 5.1.11 and 5.2.4, where reauthenticating with an existing session cookie might lead to session id reuse, even if the user credentials are different. This vulnerability, identified as CVE-2024-24823, could be potentially exploited by a malicious user to gain elevated access to an existing Graylog login session by injecting their session cookie into someone else's browser. This article will provide an overview of the exploit details, links to original references, and possible workarounds to minimize the attack surface.
Exploit Details
Although the complexity of CVE-2024-24823 is high, its potential impact is significant. To execute a successful attack, the malicious user would need to present a spoofed login screen and inject a session cookie into an existing browser, possibly through a cross-site scripting attack. It is important to note that no such attack has been discovered so far.
The following code snippet demonstrates how the session ID reuse could be exploited
import requests
# Spoof the Graylog login screen
def spoof_login_screen():
# code to present a spoofed login screen
pass
# Inject session cookie into the target's browser
def inject_session_cookie(cookies):
# code to inject session cookie
pass
# Obtain valid session cookie and inject into the target's browser
def exploit_graylog(url, username, password):
spoof_login_screen()
response = requests.post(url + "/api/system/sessions",
data={"username": username, "password": password})
if response.status_code == 200:
cookies = response.cookies
inject_session_cookie(cookies)
Original References
- Graylog Security Advisory
- National Vulnerability Database
Mitigation Methods
Graylog has released patches for this vulnerability in versions 5.1.11, 5.2.4, and any versions of the 6. development branch. To minimize the attack surface, it is strongly recommended that users update their Graylog installation to the patched versions.
However, if immediate patching is not possible, the following workarounds may help minimize the attack vector:
Use short session expiration times and ensure explicit logouts for unused sessions.
2. Implement a proxy to clear the authentication cookie for the Graylog server URL for the /api/system/sessions endpoint, as it is the only vulnerable point.
For example, the following code snippet can be used to create a proxy server in Python
from http.server import HTTPServer, BaseHTTPRequestHandler
class ProxyHTTPRequestHandler(BaseHTTPRequestHandler):
proxy_url = "http://graylog.example.com:900";
def clear_authentication_cookie(self, path):
if path == "/api/system/sessions":
self.send_header("Set-Cookie", "authentication=; path=/; expires=Thu, 01 Jan 197 00:00:00 GMT")
def do_GET(self):
# Forward the request, retrieve the response and clear the authentication cookie if necessary
pass
def do_POST(self):
# Forward the request, retrieve the response and clear the authentication cookie if necessary
pass
if __name__ == "__main__":
httpd = HTTPServer(("", 808), ProxyHTTPRequestHandler)
httpd.serve_forever()
Conclusion
While CVE-2024-24823 is a relatively hard-to-exploit vulnerability in Graylog, it is crucial to be aware of its potential risks. Applying the available patches and implementing the suggested workarounds can help secure your Graylog installation and minimize the chances of a security breach. Regularly checking for updates and security advisories is also advisable as part of ongoing security measures.
Timeline
Published on: 02/07/2024 18:15:54 UTC
Last modified on: 02/15/2024 15:41:48 UTC