CISA Adds ScienceLogic SL1 to Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in ScienceLogic SL1 to its Known Exploited Vulnerabilities (KEV) catalog. The move follows reports of a zero-day attack discovered on Monday, 21st October 2024, which has raised serious concerns across the cybersecurity industry.
According to Hacker News, on 28th September 2024, Rackspace, a well-known cloud computing provider, experienced an outage that exposed a flaw in its ScienceLogic SL1 monitoring system dashboard. The vulnerability, tracked as CVE-2024-9537 with a critical CVSS score of 9.8, enabled remote code execution, potentially giving attackers unauthorized access to sensitive data.
ScienceLogic and CISA Respond to Zero-Day Exploit
CISA and ScienceLogic acknowledged the zero-day vulnerability but have not revealed the identity of the third-party component responsible. The bug had already been exploited, and left unresolved it could lead to further attacks. CISA issued a statement saying, “ScienceLogic SL1 (formerly EM7) is affected by an unspecified vulnerability involving an unspecified third-party component.”
Remediation for the vulnerability has already been deployed in several versions, including 12.1.3, 12.2.3, and 12.3, along with updates to older versions like 10.1.x and 11.3.x. ScienceLogic also reassured its customers that full support is available as they work on securing affected systems.
A spokesperson for ScienceLogic, speaking to The Stack, said, “Last month, we identified a zero-day remote code execution vulnerability within the SL1 package. As part of the standard response protocol, CISA published CVE-2024-9537.” They further confirmed, “We have been in contact with our customers to provide remediation.”
Rackspace Outage Linked to Vulnerability
On September 24, 2024, Rackspace first reported an issue related to its ScienceLogic EM7 (now SL1) platform. After an investigation, the company confirmed to Bleeping Computer that the zero-day attack had allowed unauthorized access to its internal performance monitoring systems, and that affected customers had been notified.
Arctic Wolf threat intelligence expert Andres Ramos stated that the decision not to reveal the third-party component’s name was made to “avoid providing attackers with further insights, as the utility could be used in other products.”
Fortinet Speculation Continues
Despite efforts to patch the vulnerability, there is ongoing speculation regarding Fortinet’s potential involvement. Security researcher Kevin said on Mastodon, “FortiGate have released one of the six new versions of FortiManager which fix the actively exploited zero day in the product… but they’ve not issued a CVE or documented the issue existing in the release notes. Next week maybe?” He also added, “Fortigate currently having the world’s least secret zero-day used by China play out, including in FortiManager Cloud… but everybody is confused.”
As the situation develops, ScienceLogic and CISA continue to focus on providing timely updates and safeguarding systems from potential future exploits.