Pierluigi Paganini October 22, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds ScienceLogic SL1 flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the ScienceLogic SL1 flaw CVE-2024-9537 (CVSS v4 score: 9.3) to its Known Exploited Vulnerabilities (KEV) catalog.

ScienceLogic SL1 contains a vulnerability related to a third-party component. It has been fixed in versions 12.1.3+, 12.2.3+, and 12.3+, with patches available for older versions back to 10.1.x.

“ScienceLogic SL1 (formerly EM7) is affected by an unspecified vulnerability involving an unspecified third-party component packaged with SL1. The vulnerability is addressed in SL1 versions 12.1.3+, 12.2.3+, and 12.3+.” reads the advisory. “Remediations have been made available for all SL1 versions back to version lines 10.1.x, 10.2.x, 11.1.x, 11.2.x, and 11.3.x.”

On September 24, 2024, cloud hosting provider Rackspace reported an issue with its ScienceLogic EM7 monitoring tool. A threat actor exploited a zero-day vulnerability in a non-Rackspace utility bundled with the ScienceLogic application. The security breach exposed low-sensitivity performance monitoring data, including customer usernames, account info, and encrypted internal credentials. Rackspace helped ScienceLogic address this issue. The patch is now available to all customers, and the company notified the impacted customers.

“During Rackspace and ScienceLogic’s collaboration to develop a remediation, it was discovered that the undocumented zero-day vulnerability was a remote code execution flaw in a third-party utility not developed by ScienceLogic, but included with the SL1 package.” reads the report published by ArticWolf. “ScienceLogic has also chosen not to disclose the name of the third-party utility to avoid giving potential threat actors any insights, noting that the utility may be used in other products as well. “

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by November 11, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)