On September 24, 2024, Rackspace, a managed cloud computing company providing cloud hosting, dedicated servers, and multi-cloud solutions, reported an issue with their Rackspace Monitoring product in the ScienceLogic EM7 (ScienceLogic SL1) Portal. Rackspace utilizes the ScienceLogic application as a third-party tool for monitoring certain internal services.
Days later, subsequent communications to customers revealed that a threat actor had exploited an undocumented zero-day vulnerability in a non-Rackspace utility bundled with the ScienceLogic application. The threat actor has not been linked to any known group at this time. Rackspace promptly informed ScienceLogic about the vulnerability and collaborated with them to develop a patch for remediation. ScienceLogic has since made the patch available to all its customers.
Rackspace has indicated that the breach was limited to performance monitoring data of low security sensitivity. This data included customer account names and numbers, customer usernames, Rackspace internally generated device IDs, device names and device information, device IP addresses, and AES-256 encrypted Rackspace internal device agent credentials. The company also confirmed that all affected customers have been notified and that no action is required on their part.
Vulnerability
During Rackspace and ScienceLogic's collaboration on a remediation, it was discovered that the undocumented zero-day vulnerability was a remote code execution flaw in a third-party utility that is not developed by ScienceLogic but is included with the SL1 package. ScienceLogic has chosen not to disclose the name of the third-party utility, to avoid giving potential threat actors any insight, noting that the utility may be used in other products as well. Currently, this vulnerability does not have a CVE assigned. Additionally, Arctic Wolf has not identified any other impacted products or a publicly accessible proof-of-concept exploit.
Risk of Exploitation
Arctic Wolf will continue to monitor intelligence sources for any additional vendors or products affected by this vulnerability, and for further details once a CVE is assigned. A remote code execution vulnerability in a third-party utility used by various other products presents an appealing target for threat actors, as it offers a broad attack surface for exploitation, similar to the infamous Log4j, a third-party library that was exploited in 2021 to allow attackers to execute arbitrary code across millions of systems.
Recommendations
Recommendation #1: Update ScienceLogic SL1
ScienceLogic has stated that the issue has been resolved and that updates have been provided to all affected customers. If you use ScienceLogic SL1 in your environment, Arctic Wolf strongly recommends updating ScienceLogic SL1 to mitigate this zero-day vulnerability. The System Updates page (System > Tools > Updates) allows you to update the software on your SL1 appliances. More information on updating SL1 can be found here: https://docs.sciencelogic.com/latest/Content/Web_Admin_and_Accounts/System_Administration/sys_admin_system_upgrade.htm
Recommendation #2: Follow Updates
Given the potential for the vulnerability to affect other products and applications, Arctic Wolf recommends monitoring vendor advisories in case any of the products you use are disclosed as impacted in the future. We will continue to monitor for updates on impacted products as well.