Merge pull request #2823 from splunk/ivantisentry
Ivanti Sentry
Showing 2 changed files with 87 additions and 0 deletions.
@@ -0,0 +1,63 @@ | ||
name: Ivanti Sentry Authentication Bypass | ||
id: b8e0d1cf-e6a8-4d46-a5ae-aebe18ead8f8 | ||
version: 1 | ||
date: '2023-08-24' | ||
author: Michael Haag, Splunk | ||
status: production | ||
type: TTP | ||
data_source: [] | ||
description: This analytic is designed to detect unauthenticated access to the System Manager Portal in Ivanti Sentry, formerly known as MobileIron Sentry. The vulnerability, designated as CVE-2023-38035, affects all supported versions 9.18, 9.17, and 9.16, as well as older versions. The analytic works by monitoring for changes in the configuration of Sentry and the underlying operating system. Such changes could indicate an attacker attempting to execute OS commands as root. This behavior is of significant concern for a Security Operations Center (SOC) as it presents a substantial security risk, particularly if port 8443, the default port for the System Manager Portal, is exposed to the internet. If the analytic returns a true positive, it suggests that an attacker has gained unauthorized access to the Sentry system, potentially leading to a significant system compromise and data breach. It is important to note that while the issue has a high CVSS score, the risk of exploitation is low for customers who do not expose port 8443 to the internet. The search specifically looks for HTTP requests to certain endpoints ("/mics/services/configservice/*", "/mics/services/*","/mics/services/MICSLogService*") and HTTP status code of 200. Unusual or unexpected patterns in these parameters could indicate an attack. | ||
search: '| tstats count min(_time) as firstTime max(_time) | ||
as lastTime from datamodel=Web where Web.url IN ("/mics/services/configservice/*", "/mics/services/*","/mics/services/MICSLogService*") Web.status=200 | ||
by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | ||
| `drop_dm_object_name("Web")` | ||
| `security_content_ctime(firstTime)` | ||
| `security_content_ctime(lastTime)` | `ivanti_sentry_authentication_bypass_filter`' | ||
how_to_implement: To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products. | ||
known_false_positives: It is important to note that false positives may occur if the search criteria are expanded beyond the HTTP status code 200. In other words, if the search includes other HTTP status codes, the likelihood of encountering false positives increases. This is due to the fact that HTTP status codes other than 200 may not necessarily indicate a successful exploitation attempt. | ||
references: | ||
- https://github.com/horizon3ai/CVE-2023-38035/blob/main/CVE-2023-38035.py | ||
- https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/ | ||
- https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US | ||
tags: | ||
analytic_story: | ||
- Ivanti Sentry Authentication Bypass CVE-2023-38035 | ||
cve: | ||
- CVE-2023-38035 | ||
asset_type: Network | ||
atomic_guid: [] | ||
confidence: 50 | ||
impact: 90 | ||
message: Possible exploitation of CVE-2023-38035 against $dest$. | ||
mitre_attack_id: | ||
- T1190 | ||
observable: | ||
- name: dest | ||
type: Hostname | ||
role: | ||
- Victim | ||
- name: src | ||
type: IP Address | ||
role: | ||
- Attacker | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
risk_score: 45 | ||
required_fields: | ||
- Web.http_user_agent | ||
- Web.status | ||
- Web.http_method | ||
- Web.url | ||
- Web.url_length | ||
- Web.src | ||
- Web.dest | ||
- sourcetype | ||
security_domain: network | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_sentry_CVE_2023_38035.log | ||
source: suricata | ||
sourcetype: suricata |
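Review bot: `data_source: []` is left empty even though the `tests` block feeds the analytic Suricata data (`source: suricata`, `sourcetype: suricata`) and `how_to_implement` names Suricata or Palo Alto as the expected input; populate `data_source` with the network source the test actually uses so the metadata matches what the search is validated against. Two smaller points in the same hunk: the `Web.url IN (...)` list is redundant, since `"/mics/services/*"` already matches both `"/mics/services/configservice/*"` and `"/mics/services/MICSLogService*"`, so either keep only the broad pattern or document why the narrower ones are listed; and the `description` says the analytic works "by monitoring for changes in the configuration of Sentry and the underlying operating system", whereas the search only inspects Web datamodel requests returning status 200, so the description should state the HTTP-request basis of the detection rather than imply configuration monitoring.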
stories/ivanti_sentry_authentication_bypass_cve_2023_38035.yml
24 changes: 24 additions & 0 deletions
@@ -0,0 +1,24 @@ | ||
name: Ivanti Sentry Authentication Bypass CVE-2023-38035 | ||
id: da229be2-4637-47a5-b551-1d4b64f411c6 | ||
version: 1 | ||
date: '2023-08-24' | ||
author: Michael Haag, Splunk | ||
description: A critical vulnerability, designated as CVE-2023-38035, has been identified in Ivanti Sentry (formerly MobileIron Sentry). It affects all supported versions, including 9.18, 9.17, and 9.16, as well as older versions. The vulnerability allows an unauthenticated attacker to access the System Manager Portal (typically hosted on port 8443) and make configuration changes, potentially executing OS commands as root. However, the risk is low for users who haven't exposed port 8443 online. This flaw is distinct from other Ivanti products. It's imperative for organizations to check for unrecognized HTTP requests to /services/* as a potential indicator of compromise. | ||
narrative: CVE-2023-38035 presents a significant security risk in the Ivanti Sentry administration interface. The vulnerability was identified shortly after another notable vulnerability in Ivanti EPMM (CVE-2023-35078) was discovered being exploited in the wild. The current vulnerability allows a malicious actor, without requiring authentication, to access the System Manager Portal, typically hosted on port 8443. Upon successful exploitation, the attacker can make configuration alterations to both the Sentry system and its underlying OS. The potential damage is significant, enabling the attacker to execute commands on the system with root privileges. \ | ||
|
||
While this vulnerability scored high on the CVSS scale, its risk is relatively mitigated for clients who have not exposed port 8443 to the internet. The primary exploitation vector is the System Manager Portal, an administrative interface for Sentry. \ | ||
|
||
As of now, definitive indicators of compromise (IoCs) are elusive. However, any unexpected HTTP requests to the endpoint /services/* could be a red flag. It's worth noting that the exploited endpoint might not be the sole vulnerable point, suggesting other potential gateways for attackers. Ivanti Sentry's system doesn't provide a typical Unix shell, but in the event of a known system breach, the /var/log/tomcat2/ directory contains access logs that may reveal accessed endpoints. Additionally, web interface logs may provide insights into suspicious activities and should be monitored closely. | ||
references: | ||
- https://github.com/horizon3ai/CVE-2023-38035/blob/main/CVE-2023-38035.py | ||
- https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/ | ||
- https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US | ||
tags: | ||
analytic_story: Ivanti Sentry Authentication Bypass CVE-2023-38035 | ||
category: | ||
- Adversary Tactics | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
usecase: Advanced Threat Detection |
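Review bot: the `description` and `narrative` tell readers to look for unexpected HTTP requests to `/services/*`, while the companion detection in this PR matches on `/mics/services/*` paths; align the story text with the paths the analytic actually searches so analysts following the story do not build a broader or different filter than the detection uses. The hunk also carries two blank lines inside the folded `narrative` value (the `\` continuations); confirm the YAML renders as the intended paragraphs in the content build, since stray empty lines inside a scalar are easy to lose.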