| ID | Technique | Tactic |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial Access |
Detection: Ivanti Connect Secure SSRF in SAML Component
Description
The following analytic identifies POST requests targeting endpoints vulnerable to the SSRF issue (CVE-2024-21893) in Ivanti's products. It leverages the Web data model, focusing on endpoints such as /dana-ws/saml20.ws, /dana-ws/saml.ws, /dana-ws/samlecp.ws, and /dana-na/auth/saml-logout.cgi. The detection filters for POST requests that received an HTTP 200 OK response, indicating successful execution. This activity is significant as it may indicate an attempt to exploit SSRF vulnerabilities, potentially allowing attackers to access internal services or sensitive data. If confirmed malicious, this could lead to unauthorized access and data exfiltration.
Search
1
2| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/dana-ws/saml20.ws*","*/dana-ws/saml.ws*","*/dana-ws/samlecp.ws*","*/dana-na/auth/saml-logout.cgi/*") Web.http_method=POST Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method
3| `drop_dm_object_name("Web")`
4| `security_content_ctime(firstTime)`
5| `security_content_ctime(lastTime)`
6| `ivanti_connect_secure_ssrf_in_saml_component_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Suricata | N/A | 'suricata' |
'suricata' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| ivanti_connect_secure_ssrf_in_saml_component_filter | search * |
ivanti_connect_secure_ssrf_in_saml_component_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Delivery
DE.CM
CIS 13
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
Known False Positives
This analytic is limited to HTTP Status 200; adjust as necessary. False positives may occur if the HTTP Status is removed, as most failed attempts result in a 301. It's recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Possible exploitation of CVE-2024-21893 against $dest$ from $src$.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 81 | src |
References
-
https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis
-
https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | suricata |
suricata |
| Integration | ✅ Passing | Dataset | suricata |
suricata |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 4