Logsign Unified SecOps Platform 目录遍历任意文件删除漏洞

该目录遍历漏洞允许攻击者利用HTTP API服务，通过构造恶意请求，访问并删除服务器上的任意文件。由于攻击者需要身份验证才能利用此漏洞，因此需要先获取有效的凭据。成功利用该漏洞可能导致敏感数据泄露、系统配置被破坏，甚至可能导致系统崩溃。攻击者可以利用此漏洞删除关键日志文件，从而掩盖其踪迹，或删除配置文件，破坏系统正常运行。该漏洞的潜在影响范围取决于服务器上存储的数据类型和重要性。

Organizations heavily reliant on Logsign Unified SecOps Platform for security monitoring and incident response are particularly at risk. This includes organizations with limited security resources or those using older, unpatched installations of the platform. Shared hosting environments where multiple users share the same Logsign instance are also at increased risk, as a compromised user account could be leveraged to exploit this vulnerability.

• linux / server: Monitor system logs (e.g., /var/log/syslog, /var/log/auth.log) for suspicious file deletion attempts, particularly those originating from external sources. Use auditd to track file access and modification events.

auditctl -w / -p wa -k logsign_file_deletion

• generic web: Examine access and error logs for unusual HTTP requests containing path traversal sequences (e.g., ../).

grep -i 'path=../' /var/log/apache2/access.log

1. 2024-08-21Disclosure

   disclosure

1. 已保留2024-08-08
2. 发布日期2024-08-21
3. EPSS 更新日期2026-04-02

最有效的缓解措施是立即升级Logsign Unified SecOps Platform至6.4.23版本或更高版本。如果无法立即升级，可以考虑以下临时缓解措施：限制对HTTP API服务的访问，仅允许授权用户访问；实施严格的身份验证和访问控制策略，防止未经授权的访问；监控系统日志，检测可疑的文件删除活动；如果可能，配置WAF（Web Application Firewall）以阻止恶意请求。升级后，请验证文件系统完整性，确认关键文件未被删除或篡改。