Try in Splunk Security Cloud

Description

This analytic is designed to detect unauthenticated access to the System Manager Portal in Ivanti Sentry, formerly known as MobileIron Sentry. The vulnerability, designated as CVE-2023-38035, affects all supported versions 9.18, 9.17, and 9.16, as well as older versions. The analytic works by monitoring for changes in the configuration of Sentry and the underlying operating system. Such changes could indicate an attacker attempting to execute OS commands as root. This behavior is of significant concern for a Security Operations Center (SOC) as it presents a substantial security risk, particularly if port 8443, the default port for the System Manager Portal, is exposed to the internet. If the analytic returns a true positive, it suggests that an attacker has gained unauthorized access to the Sentry system, potentially leading to a significant system compromise and data breach. It is important to note that while the issue has a high CVSS score, the risk of exploitation is low for customers who do not expose port 8443 to the internet. The search specifically looks for HTTP requests to certain endpoints ("/mics/services/configservice/", "/mics/services/","/mics/services/MICSLogService*") and HTTP status code of 200. Unusual or unexpected patterns in these parameters could indicate an attack.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Web
  • Last Updated: 2023-08-24
  • Author: Michael Haag, Splunk
  • ID: b8e0d1cf-e6a8-4d46-a5ae-aebe18ead8f8

Annotations

ATT&CK

ATT&CK

ID Technique Tactic
T1190 Exploit Public-Facing Application Initial Access
Kill Chain Phase
  • Delivery
NIST
  • DE.CM
CIS20
  • CIS 13
CVE
ID Summary CVSS
CVE-2023-38035 A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration. None 


1
2
3
4
5
6



| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("/mics/services/configservice/*", "/mics/services/*","/mics/services/MICSLogService*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `ivanti_sentry_authentication_bypass_filter`

Macros

The SPL above uses the following Macros:

:information_source: ivanti_sentry_authentication_bypass_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • Web.http_user_agent
  • Web.status
  • Web.http_method
  • Web.url
  • Web.url_length
  • Web.src
  • Web.dest
  • sourcetype

How To Implement

To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.

Known False Positives

It is important to note that false positives may occur if the search criteria are expanded beyond the HTTP status code 200. In other words, if the search includes other HTTP status codes, the likelihood of encountering false positives increases. This is due to the fact that HTTP status codes other than 200 may not necessarily indicate a successful exploitation attempt.

Associated Analytic Story

RBA

Risk Score Impact Confidence Message
45.0 90 50 Possible exploitation of CVE-2023-38035 against $dest$.

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1