5.3 CVE-2024-52962
An Improper Output Neutralization for Logs vulnerability [CWE-117] in FortiAnalyzer version 7.6.1 and below, version 7.4.5 and below, version 7.2.8 and below, version 7.0.13 and below and FortiManager version 7.6.1 and below, version 7.4.5 and below, version 7.2.8 and below, version 7.0.12 and below may allow an unauthenticated remote attacker to pollute the logs via crafted login requests.
https://nvd.nist.gov/vuln/detail/CVE-2024-52962
Categories
CWE-117 : Improper Output Neutralization for Logs
The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file. An attack-oriented term that could be used in cases in which the adversary can add additional log entries or modify how a log entry is parsed. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. Chain: inject fake log entries with fake timestamps using CRLF injection
References
CPE
| cpe |
start |
end |
| Configuration 1 |
| cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* |
>= 7.0.0 |
< 7.0.14 |
| cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* |
>= 7.2.0 |
< 7.2.9 |
| cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* |
>= 7.4.0 |
< 7.4.6 |
| cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* |
>= 7.6.0 |
< 7.6.2 |
| Configuration 2 |
| cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* |
>= 7.0.0 |
< 7.0.14 |
| cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* |
>= 7.2.0 |
< 7.2.9 |
| cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* |
>= 7.4.0 |
< 7.4.6 |
| cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* |
>= 7.6.0 |
< 7.6.2 |
REMEDIATION
EXPLOITS
Exploit-db.com
| id |
description |
date |
|
| No known exploits |
POC Github
Other Nist (github, ...)
CAPEC
Common Attack Pattern Enumerations and Classifications
| id |
description |
severity |
| 268 |
Audit Log Manipulation
The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions. |
|
| 81 |
Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application. [Determine Application Web Server Log File Format] The attacker observes the system and looks for indicators of which logging utility is being used by the web server. [Determine Injectable Content] The attacker launches various logged actions with malicious data to determine what sort of log injection is possible. [Manipulate Log Files] The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted request that the web server will receive and write into the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack. |
High |
| 93 |
Log Injection-Tampering-Forging
This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability. [Determine Application's Log File Format] The first step is exploratory meaning the attacker observes the system. The attacker looks for action and data that are likely to be logged. The attacker may be familiar with the log format of the system. [Manipulate Log Files] The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted input that the target software will write to the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack. |
High |
MITRE
Techniques
| id |
description |
| T1070 |
Indicator Removal on Host |
| T1562.002 |
Impair Defenses: Disable Windows Event Logging |
| T1562.003 |
Impair Defenses:Impair Command History Logging |
| T1562.008 |
Impair Defenses: Disable Cloud Logs |
| © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
Mitigations
| id |
description |
| M1022 |
Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
| M1018 |
Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with logging. |
| M1028 |
Make sure that the <code>HISTCONTROL</code> environment variable is set to “ignoredups” instead of “ignoreboth” or “ignorespace”. |
| M1018 |
Configure default account policy to enable logging. Manage policies to ensure only necessary users have permissions to make changes to logging policies. |
| © 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation. |
Cybersecurity needs ?
Strengthen software security from the outset with our DevSecOps expertise
Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.
Discover this offer
