Chaining 6 Vulnerabilities in LogPoint SIEM/SOAR: A Pre‑Authenticated Remote Code Execution Exploit

## 1. Introduction In May 2024 I began a formal review of LogPoint’s SIEM/SOAR core as a part of a broader due‑diligence exercise. With the typical 24‑hour “stress‑test” timeline, I immediately identified three critical vulnerabilities that could allow an attacker to bypass authentication entirely. After responsible disclosure, I returned months later to map the full attack surface, discovering that six seemingly harmless bugs could be chained into a pre‑authenticated RCE. The following article details that journey, focusing on technical accuracy, attacker reasoning, and the logical progression that turns isolated bugs into a single destructive vector. ## 2. Architecture Overview LogPoint’s platform is split between legacy host‑based services (Python/Flask, MongoDB, OS‑level utilities) and new SOAR micro‑services (Java, Docker). Two Nginx layers form the outer perimeter: 1. **Edge Nginx** – Listens on ports 80/443 and proxies `https://localhost:9443/` for any path beginning with `/soar/`. 2. **Inner Nginx (in the Docker network)** – Distributes traffic to several containers: `api-service`, `scheduler`, `notifications`, `user‑management`, and an internal Elasticsearch instance. The lack of hardening between the host and the containers allows any internal request to reach a full‑blown container network from an externally authenticated user. ## 3. The Vulnerability Chain Below is a concise mapping of each identified bug and how one feeds into the next. | Step | Bug | Impact | How It Exposes the Next Step | |------|-----|--------|------------------------------| | 1 | **Nginx Path Re‑routing** | Unprotected internal endpoints become reachable via URL manipulation. | Provides a direct path from the external network to a REST API that should be internal. | 2 | **Hard‑coded JWT Secret** | Ability to forge `secbi_auth_token` for any user. | Grants access to Java micro‑services’ privileged API, yielding an admin API key. | 3 | **SOAR User Escalation** | Leverages the API key to query `/user/apikey`, revealing the internal `secbi` account. | Enables authenticated communication with the legacy Python backend. | 4 | **SSRF to Python API** | The `private/user_access_key` endpoint returns the admin’s secret key. | Allows the attacker to stage an admin session in the Python layer. | 5 | **Python Code‑Eval Sink** | `_Condition.evaluate()` blindly executes `eval()` on a user‑supplied value in a rule engine. | Provides the only execution point that can be controlled via rule data. | 6 | **Static AES Key & Rule Import** | Imported alert rules are decrypted with a fixed key; no validation after decryption. | Lets an attacker inject arbitrary `eval()` payloads into an otherwise validated rule field. | ### 3.1 Bug 1 – Nginx Path Misconfiguration The first Nginx on the host exposed any `/soar/*` path to the internal Docker cluster without authentication checks. A simple `GET /soar/sso/v1/login` request reached an endpoint that should only be called by container services, exposing credentials that would normally be hidden. ### 3.2 Bug 2 – Hard‑coded JWT Secret In the Java micro‑services, the class `JWTLoginAuthorizationManager` contains ```java private static final String JWT_ENCODED_SECRET = "WW4wWVRGQVdid0ZsTDhXWFNUQXJDQ0JWVEdzPQ=="; ``` The Base64 string decodes to a constant key used by all JWT verification logic. An attacker can forge a valid token with any `username` and `role`, bypassing every service that relies on `secbi_auth_token`. ### 3.3 Bug 3 – Elevating to the Internal `secbi` Account Using a forged JWT, the attacker authenticates to the `/sso/v1/user/auth/apikey` endpoint and retrieves an API key belonging to the privileged `secbi` account. This key is accepted by all subsequent SOAR APIs, allowing cross‑service calls that were originally scoped to the user context. ### 3.4 Bug 4 – SSRF Exploit in the Python Backend From the container, an SSRF path was discovered: `/private/user_access_key`. It returns the admin's database `secret_key`, something that **must not** be exposed. The attacker used this key to call the legacy Python endpoint `/initapp`, which accepts a JSON payload with `user: 'admin'` and `secret: `. Successful authentication yields a session cookie for the admin user. ### 3.5 Bug 5 – Code‑Evaluation Sink in the Alert Engine The Python rule engine contains the class `_Condition`: ```python class _Condition: @classmethod def evaluate(cls, left, right, operator): if operator in ('<', '>', '<=', '>=', '==', '!='): return eval(str(left) + str(operator) + str(right)) ``` The `right` operand comes directly from a rule’s `trigger_value` field, which is **never validated** before use. As a result, an attacker can inject an arbitrary `eval()` expression into this field. ### 3.6 Bug 6 – Static AES Key in Rule Import When a user imports an alert PAK file, the platform decrypts it using a secret key derived from a hard‑coded string (`FLASK_APP_ENCRYPTION_KEY = 'ImmUnEsEcUrIty'`). The decrypted rule data is stored without re‑validation. By creating a custom PAK file that contains the same `eval()` payload used in Bug 5, a rule can be imported and later executed by the engine. ### 3.7 Final Exploit Flow 1. **Route to internal** – external request to `/soar/sso/v1/login` exposed by Bug 1. 2. **Forge token** – produce a JWT using the hard‑coded secret from Bug 2. 3. **Elevate to admin** – fetch API keys via `/sso/v1/user/auth/apikey` (Bug 3). 4. **SSRF for admin key** – obtain the admin secret via `/private/user_access_key` (Bug 4). 5. **Create admin session** – POST to `/initapp` with the secret (Bug 4, continued). 6. **Import malicious rule** – craft and upload a PAK file that contains an `eval()` expression, using the static AES key to decrypt (Bug 6). 7. **Trigger rule** – cause the engine to evaluate the rule; the `eval()` payload is executed, delivering a reverse shell. ## 4. Disclosure Timeline | Date | Event | |------|-------| | 30‑05‑2024 11:00 BST | Initial notification to LogPoint support (no ticket creation possible). | | 30‑05‑2024 15:01 BST | LinkedIn InMail outreach to LogPoint executives. | | 30‑05‑2024 17:28 BST | Executive reply; start of correspondence. | | 30‑05‑2024 22:18 BST | Confirmation that LogPoint has started remediation. | | 10‑06‑2024 12:03 BST | Vendor confirms active work on a fix. | | 22‑07‑2024 13:03 BST | Additional eight critical vulnerabilities published. | | 3‑10‑2024 | Vendor releases patches (v7.5.0). | | 14‑01‑2025 | Public blog post announcing patch release. | | 02‑01‑2026 | Decision to delay full technical write‑up due to vendor communication gaps. | The CVE assignments reflect a range of severity levels, with the principal RCE bugs rated **High**. ## 5. Lessons Learned 1. **Never rely on path‑based access controls** – HTTP proxies that ignore user authentication can expose entire internal services. 2. **Hard‑coded encryption keys are a single point of failure** – they can be reverse‑engineered from a binary or decompiled code. 3. **Cross‑service authentication should be explicit** – shared secrets or JWTs must be validated against a secure, rotate‑able key store, not a static string. 4. **SSRF is a powerful pivot point** – internal services that communicate over HTTP should enforce strict whitelisting of target hosts. 5. **Every deserialization or decryption operation should be followed by validation** – “trust after decrypt” is a recipe for remote code execution. ## 6. Conclusion The LogPoint SIEM/SOAR case demonstrates how a chain of small, overlooked bugs can combine into a complete pre‑authenticated remote code execution vector. The experience underscores the importance of holistic threat modelling that spans legacy infrastructure, container boundaries, and inter‑service authentication mechanisms. For platform developers, the key takeaway is to apply defense‑in‑depth principles consistently across all layers – from HTTP proxies to cryptographic primitives. --- This article synthesizes the author’s original investigation, providing a concise yet comprehensive look at the attack surface, the discovered bugs, and the strategic measures needed to mitigate such complex exploit chains.