Critical Security Vulnerability Discovered in ScienceLogic SL1 Portal: What You Need to Know
In an alarming development for organizations relying on the ScienceLogic SL1 Portal (formerly known as EM7), a critical security vulnerability has been identified and exploited as a zero-day by attackers. The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability, designated as CVE-2024-9537, to its Known Exploited Vulnerabilities (KEV) Catalog, highlighting the urgency for organizations to address this issue.
What Happened? Details of the Rackspace Zero-Day Attack
In late September 2024, Rackspace disclosed a significant breach involving a zero-day vulnerability that affected a third-party component integrated with the ScienceLogic EM7 Portal. This flaw allowed attackers to gain unauthorized access to three internal Rackspace monitoring servers, leading to Remote Code Execution (RCE) and the exposure of certain internal data.
While customer performance monitoring services remained unaffected, the attackers accessed limited information, including customer account names, usernames, device details, and encrypted internal credentials. Rackspace emphasized that no other products or services were impacted by this breach.
Upon discovering the vulnerability, Rackspace promptly took the compromised servers offline and collaborated with ScienceLogic to develop and deploy a patch. Customers were informed of the situation, with assurances that no immediate action was required on their part. As an additional precaution, Rackspace initiated the rotation of internal credentials to bolster security.
Details of the ScienceLogic SL1 Vulnerability: What is CVE-2024-9537?
CVE-2024-9537 is classified as a high-severity vulnerability, with a CVSS score of 9.3. It affects the ScienceLogic SL1 platform, which many organizations rely on for performance monitoring. The vulnerability arises from a flaw in a third-party component bundled with the platform and enables Remote Code Execution (RCE): an attacker who exploits it can run arbitrary code on the vulnerable system and potentially take full control of it.
The vulnerability became a pressing concern after it was exploited to target Rackspace’s internal monitoring systems, which utilize ScienceLogic’s technology for performance tracking. The flaw lies in the handling of certain communications within the third-party component, allowing attackers to bypass security measures and relay malicious commands.
CISA Urges Patching Against CVE-2024-9537, Adds it to the KEV Catalog
In response to the discovery of CVE-2024-9537, CISA has officially added it to its Known Exploited Vulnerabilities (KEV) Catalog, emphasizing the critical need for organizations using the ScienceLogic SL1 platform to apply available patches immediately. This directive is particularly crucial for Federal Civilian Executive Branch (FCEB) agencies, which are mandated to implement the fix by November 11, 2024.
Fixed Versions of ScienceLogic SL1
Although the specific third-party utility involved in the vulnerability has not been publicly disclosed, Rackspace and ScienceLogic have worked together to deliver patches across affected versions. The vulnerability has been resolved in the following versions of ScienceLogic SL1:
- 12.1.3
- 12.2.3
- 12.3 and later versions
Additionally, fixes have been made available for earlier releases, including:
- 10.1.x
- 10.2.x
- 11.1.x
- 11.2.x
- 11.3.x
Organizations running outdated versions of SL1 are strongly advised to update to these fixed releases to prevent potential exploitation. The updates address the vulnerability within the third-party component that had been bundled with the platform, effectively closing the door to potential attacks exploiting this flaw.
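The version list above turned into an inventory check, as an added example that is not part of the advisory or ScienceLogic's own tooling. The first-fixed builds (12.1.3, 12.2.3, 12.3 and later) are copied from the list above; treating 12.1.x below 12.1.3 and 12.2.x below 12.2.3 as unpatched is an assumption, and the 10.x/11.x branches are flagged for a vendor lookup because no fixed build number is given here. Hostnames and versions in the sample inventory are constructed.

```python
"""Triage ScienceLogic SL1 versions against the CVE-2024-9537 fixed releases."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Branches where the advisory text names an explicit first fixed build.
FIXED_FROM: Dict[Version, Version] = {(12, 1): (12, 1, 3), (12, 2): (12, 2, 3)}
# "12.3 and later versions" are fixed.
FIXED_ALL_FROM: Version = (12, 3)
# Branches where a fix exists but no build number is stated on the page.
FIX_AVAILABLE_BRANCHES = {(10, 1), (10, 2), (11, 1), (11, 2), (11, 3)}


def parse_version(text: str) -> Version:
    """Turn '12.1.3' into (12, 1, 3) so comparison is numeric, not lexicographic
    ('12.1.10' must sort after '12.1.3', which string comparison gets wrong)."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def sl1_status(version: str) -> str:
    """Classify one SL1 version: fixed, vulnerable, fix-available-check-vendor
    (10.x/11.x: patched build not stated here), or no-fix-listed."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_FROM:
        # Assumption: builds below the named fixed build are unpatched.
        return "fixed" if v >= FIXED_FROM[branch] else "vulnerable"
    if v >= FIXED_ALL_FROM:  # tuple comparison covers 12.3, 12.4.0, 13.x ...
        return "fixed"
    if branch in FIX_AVAILABLE_BRANCHES:
        return "fix-available-check-vendor"
    return "no-fix-listed"


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [("mon-01", "12.1.2"), ("mon-02", "12.2.3"),
                    ("mon-03", "11.3.7"), ("mon-04", "12.4.0")]


def triage(inventory: List[Tuple[str, str]]) -> Tuple[Dict[str, str], List[str]]:
    """Return {host: status} plus the sorted hosts that still need action."""
    statuses = {host: sl1_status(ver) for host, ver in inventory}
    return statuses, sorted(h for h, s in statuses.items() if s != "fixed")


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY)[0].items():
        print(f"{host}: {status}")
```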
Access Real-Time Vulnerability Intelligence with SOCRadar
In the face of escalating cyber threats, staying ahead of vulnerabilities is critical for safeguarding your business. Without real-time insights, organizations risk exposure to dangerous exploits.
SOCRadar’s Vulnerability Intelligence module offers a robust solution for monitoring, identifying, and prioritizing vulnerabilities across your IT infrastructure. It provides actionable insights on newly discovered vulnerabilities, known exploits, and emerging threats, enabling organizations to stay ahead of attackers.
By integrating SOCRadar’s Vulnerability Intelligence into your security strategy, you gain real-time alerts and in-depth analyses that allow you to address the most critical risks before they can be exploited.
Conclusion
The discovery of CVE-2024-9537 in the ScienceLogic SL1 Portal serves as a stark reminder of the vulnerabilities that can exist within third-party components of widely used software. Organizations must act swiftly to patch their systems and protect their data from potential exploitation. By staying informed and proactive, businesses can better safeguard their operations against the ever-evolving landscape of cyber threats.