Logpoint Patches Critical SAML Authentication Flaw (CVE-2024-36383): Remote Attackers Could Delete Files

Logpoint has issued a security advisory for a critical vulnerability in its SAML Authentication module. This flaw, identified as CVE-2024-36383 and rated with a CVSS score of 9.1, could allow attackers to perform arbitrary file deletions through URL injection in the SAML Single Sign-On (SSO) URL response.

The vulnerability stems from the state parameter in the SAML SSO-URL response, which can be manipulated through URL injection. This manipulation allows an attacker to delete arbitrary files on the affected system. The flaw compromises the integrity and availability of the system, posing a significant security risk.

SAML Authentication enables users to log into Logpoint using SAML Identity Providers (IdPs), including the ability to implement Azure Active Directory multi-factor authentication. The arbitrary file deletion vulnerability could disrupt user access and system operations, leading to potential security breaches.

While Logpoint has not disclosed any evidence of this vulnerability being exploited in the wild, the potential consequences are severe. An attacker could:

• Disrupt Service: Delete critical log files or configuration data, hindering the ability of Logpoint to monitor and analyze security events.
• Compromise Data: Delete sensitive logs, reports, or customer data stored on the Logpoint server.
• Gain Unauthorized Access: If configuration files are deleted, attackers could potentially exploit the resulting instability to gain further access to the system.

Logpoint urges all customers using SAML Authentication v6.0.2 to immediately upgrade to version 6.0.3, which contains the fix for the CVE-2024-36383 vulnerability. The upgrade process is straightforward and can be performed through the Logpoint management interface.

Additionally, organizations using SAML Authentication should review their logs for any suspicious activity related to SAML logins or file deletions.