|
1 | 1 | #############
|
2 | 2 | # Automatically generated by generator.py in splunk/security_content
|
3 |
| -# On Date: 2024-01-10T18:42:59 UTC |
| 3 | +# On Date: 2024-01-17T18:35:46 UTC |
4 | 4 | # Author: Splunk Threat Research Team - Splunk
|
5 | 5 |
|
6 | 6 | #############
|
@@ -14802,6 +14802,16 @@ annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Command And Control"]
|
14802 | 14802 | known_false_positives = False positives may be present if the organization works with international businesses. Filter as needed.
|
14803 | 14803 | providing_technologies = null
|
14804 | 14804 |
|
| 14805 | +[savedsearch://ESCU - Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint - Rule] |
| 14806 | +type = detection |
| 14807 | +asset_type = VPN Appliance |
| 14808 | +confidence = medium |
| 14809 | +explanation = This analytic monitors access to the /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark endpoint, a key indicator for both CVE-2023-46805 and CVE-2024-21887 vulnerabilities. It detects potential vulnerabilities by looking for a 403 Forbidden response with an empty body on this endpoint. This detection method is used in both Nmap script and Project Discovery Nuclei, with the latter focusing on systems where XML mitigation for these vulnerabilities has not been applied. |
| 14810 | +how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. |
| 14811 | +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} |
| 14812 | +known_false_positives = This analytic is limited to HTTP Status 403; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. |
| 14813 | +providing_technologies = null |
| 14814 | + |
14805 | 14815 | [savedsearch://ESCU - Adobe ColdFusion Access Control Bypass - Rule]
|
14806 | 14816 | type = detection
|
14807 | 14817 | asset_type = Network
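Review bot: The explanation on the new bookmark-endpoint stanza says a 403 with an empty body "detects potential vulnerabilities", but that response is the fingerprint the referenced Nmap script and Nuclei template send to identify the appliance, so a match tells you the gateway was scanned with that check, not that it is exploitable. I would add a sentence to explanation along the lines of `A match indicates the appliance was probed with this check; confirm the patch and mitigation status of the gateway against the Ivanti advisory rather than from the 403 alone, and treat the source address as a scanner.` The "empty body" condition is stated in prose only; if the underlying search keys on a response-length field, how_to_implement should say which of the listed add-ons actually populate it in the Web datamodel, since not every listed source is guaranteed to (I cannot see the SPL from this stanza, so treat this as something to confirm). Note also that a mitigated or IP-restricted gateway returning 403 on every path will look identical here, which the known_false_positives line hints at but could state plainly.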
|
@@ -14997,6 +15007,26 @@ annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery", "Installat
|
14997 | 15007 | known_false_positives = It is highly possible you will find false positives, however, the base score is set to 2 for _any_ jndi found in raw logs. tune and change as needed, include any filtering.
|
14998 | 15008 | providing_technologies = null
|
14999 | 15009 |
|
| 15010 | +[savedsearch://ESCU - Ivanti Connect Secure Command Injection Attempts - Rule] |
| 15011 | +type = detection |
| 15012 | +asset_type = VPN Appliance |
| 15013 | +confidence = medium |
| 15014 | +explanation = This analytic is designed to identify the exploit phase of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a POST request is made to the /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection URI. This request exploits the command injection vulnerability to execute arbitrary commands. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable. |
| 15015 | +how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. |
| 15016 | +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]} |
| 15017 | +known_false_positives = This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. |
| 15018 | +providing_technologies = null |
| 15019 | + |
| 15020 | +[savedsearch://ESCU - Ivanti Connect Secure System Information Access via Auth Bypass - Rule] |
| 15021 | +type = detection |
| 15022 | +asset_type = VPN Appliance |
| 15023 | +confidence = medium |
| 15024 | +explanation = This analytic is designed to identify the "check phase" of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a GET request is made to the /api/v1/totp/user-backup-code/../../system/system-information URI. This request exploits the authentication bypass vulnerability to gain access to system information. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable. |
| 15025 | +how_to_implement = This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. |
| 15026 | +annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.AE"]} |
| 15027 | +known_false_positives = This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the URI path is IP-restricted or externally blocked. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment. |
| 15028 | +providing_technologies = null |
| 15029 | + |
15000 | 15030 | [savedsearch://ESCU - Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 - Rule]
|
15001 | 15031 | type = detection
|
15002 | 15032 | asset_type = Web Server
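Review bot: The "Command Injection Attempts" stanza is gated on a 200 OK response (explanation and known_false_positives both say so), so attempts against a patched or mitigated gateway never fire even though the rule's name promises attempts; I would either raise on any status and keep the status as a field for triage, or rename the rule to make the 200 gating explicit, e.g. `known_false_positives = This analytic fires only on HTTP 200; requests to the same URI that return other codes are still exploitation attempts and may warrant a lower-severity variant.` Both new URIs rely on the literal `../../` dot-segments; if the logging source or an upstream proxy normalises the path before it reaches the Web datamodel (or the attacker URL-encodes the traversal), the literal match will miss, so how_to_implement should say whether the search tolerates the normalised `/api/v1/system/...` form and encoded variants — I cannot see the SPL from these stanzas, so this is a point to verify. The third stanza annotates `"nist": ["DE.AE"]` while its two siblings added in this commit use `DE.CM` for the same kind of network-side exploit detection; one of them should change so the three rules are classified consistently.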
|
@@ -16530,6 +16560,17 @@ searches = ["ESCU - Gsuite Drive Share In External Email - Rule", "ESCU - Gsuite
|
16530 | 16560 | description = Monitor for activities and techniques associated with insider threats and specifically focusing on malicious insiders operating with in a corporate environment.
|
16531 | 16561 | narrative = Insider Threats are best defined by CISA: "Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization's network systems, data, or premises, and uses their access (sometimes unwittingly). To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs." An insider is any person who has or had authorized access to or knowledge of an organization's resources, including personnel, facilities, information, equipment, networks, and systems. These are the common insiders that create insider threats: Departing Employees, Security Evaders, Malicious Insiders, and Negligent Employees. This story aims at detecting the malicious insider.
|
16532 | 16562 |
|
| 16563 | +[analytic_story://Ivanti Connect Secure VPN Vulnerabilities] |
| 16564 | +category = Adversary Tactics |
| 16565 | +last_updated = 2024-01-16 |
| 16566 | +version = 1 |
| 16567 | +references = ["https://github.com/RootUp/PersonalStuff/blob/master/http-vuln-cve2023-46805_2024_21887.nse", "https://github.com/projectdiscovery/nuclei-templates/blob/c6b351e71b0fb0e40e222e97038f1fe09ac58194/http/misconfiguration/ivanti/CVE-2023-46085-CVE-2024-21887-mitigation-not-applied.yaml", "https://github.com/rapid7/metasploit-framework/pull/18708/files", "https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis", "https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/", "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/", "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day", "https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US"] |
| 16568 | +maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}] |
| 16569 | +spec_version = 3 |
| 16570 | +searches = ["ESCU - Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint - Rule", "ESCU - Ivanti Connect Secure Command Injection Attempts - Rule", "ESCU - Ivanti Connect Secure System Information Access via Auth Bypass - Rule"] |
| 16571 | +description = The following analytic story addresses critical vulnerabilities CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure and Ivanti Policy Secure Gateways. CVE-2023-46805 is an authentication bypass vulnerability, while CVE-2024-21887 is a command injection flaw, both presenting significant risks in versions 9.x and 22.x. Combined, these vulnerabilities enable unauthenticated threat actors to execute arbitrary commands, compromising system integrity. Immediate mitigation is imperative, with patches scheduled for staggered release. Ivanti has provided interim mitigation steps, and it's crucial for customers to apply these measures to protect their systems against potential exploits. |
| 16572 | +narrative = Ivanti Connect Secure and Ivanti Policy Secure gateways face a severe security challenge with the discovery of CVE-2023-46805 and CVE-2024-21887. CVE-2023-46805 allows attackers to bypass authentication in critical web components of versions 9.x and 22.x. More alarmingly, when paired with CVE-2024-21887, a command injection vulnerability, it enables remote attackers to execute arbitrary commands without authentication. This combination poses a heightened threat, undermining the security of enterprise networks. Ivanti has mobilized resources to address these vulnerabilities, offering immediate mitigation advice and scheduling patch releases. Customers are urged to apply these mitigations without delay to safeguard their networks. |
| 16573 | + |
16533 | 16574 | [analytic_story://Ivanti EPMM Remote Unauthenticated Access]
|
16534 | 16575 | category = Vulnerability
|
16535 | 16576 | last_updated = 2023-08-08
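Review bot: The new story is filed as `category = Adversary Tactics` while the adjacent, structurally identical CVE story "Ivanti EPMM Remote Unauthenticated Access" uses `category = Vulnerability`; for a story whose description is entirely about two CVEs the latter seems the consistent choice, so `category = Vulnerability` is what I would suggest. The description and narrative assert that "patches [are] scheduled for staggered release" and urge applying interim mitigations, which is accurate only for the week this was written; pointing readers to the referenced Ivanti advisory for current status would keep the story from going stale. The three searches cover only the pre-auth HTTP check and exploit requests, whereas the referenced Volexity and Mandiant write-ups are about in-the-wild exploitation, so I would add to the narrative: `The searches in this story cover the unauthenticated HTTP requests used to check for and exploit the flaws; post-compromise activity on the appliance itself is out of scope.` The Nuclei reference URL spells the CVE as 46085 in its filename; that is the upstream path as published, so it should be left as-is rather than "corrected" to 46805.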
|
|