A critical security vulnerability, identified as CVE-2024-10905, has been discovered in the popular Identity and Access Management (IAM) product, IdentityIQ. The affected versions include IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions. This vulnerability allows unauthorized users to access static content in the IdentityIQ application directory that should be protected. In this post, we'll examine the details of the vulnerability, how it can be exploited, and how to mitigate it.

Exploit Details

IdentityIQ is a comprehensive IAM solution that helps organizations manage access to applications and data by facilitating workflows, automating processes, and providing governance. The discovered vulnerability allows an attacker to bypass authentication and access static application resources that should be protected. This can potentially lead to sensitive information disclosure, unauthorized access, and other security risks.

Here's how the vulnerability can be exploited:

An attacker sends an HTTP GET request to the static application resource's URL without proper authentication. The vulnerable version of IdentityIQ will serve the requested resource without validating the user's access rights.

The following is an example of an HTTP request exploiting the vulnerability:

GET /IdentityIQ/static/secure/resource_path HTTP/1.1
Host: vulnerable-app.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36
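As an added defender-side example (not code from the original post or from the vendor), the following log scan flags the request pattern described above: a 2xx response for content under the protected static prefix to a client that presents no session cookie. It assumes a Tomcat access log pattern that appends the JSESSIONID cookie value; the log lines are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumed (constructed for this example) Tomcat AccessLogValve pattern:
#   %h %l %u %t "%r" %s %b "%{JSESSIONID}c"
# i.e. common log format plus the client's session cookie, "-" when absent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<session>[^"]*)"$'
)

# Static content under this prefix must only be served to authenticated sessions.
PROTECTED_PREFIX = "/IdentityIQ/static/secure/"

def normalize_path(target):
    """Percent-decode (twice, to cover double encoding) and collapse dot segments
    so alternative spellings of a protected path compare in canonical form."""
    path = urlsplit(target).path
    for _ in range(2):
        path = unquote(path)
    return posixpath.normpath(path)

def scan(lines):
    """Return (ip, path, status) for successful responses that served protected
    static content to a client presenting no session cookie."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # unparseable line: skip, do not crash
        e = m.groupdict()
        path = normalize_path(e["target"])
        if (path.startswith(PROTECTED_PREFIX)
                and e["status"].startswith("2")   # a 302 to the login page is expected
                and e["session"] in ("", "-")):
            alerts.append((e["ip"], path, e["status"]))
    return alerts

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Dec/2024:15:20:01 +0000] "GET /IdentityIQ/static/secure/resource_path HTTP/1.1" 200 4821 "-"',
    '203.0.113.7 - - [02/Dec/2024:15:20:02 +0000] "GET /IdentityIQ/static/%73ecure/app.css HTTP/1.1" 200 1200 "-"',
    '198.51.100.4 - - [02/Dec/2024:15:21:10 +0000] "GET /IdentityIQ/static/secure/app.css HTTP/1.1" 200 1200 "9F3A2C"',
    '192.0.2.9 - - [02/Dec/2024:15:22:00 +0000] "GET /IdentityIQ/static/public/logo.png HTTP/1.1" 200 900 "-"',
    '192.0.2.9 - - [02/Dec/2024:15:22:30 +0000] "GET /IdentityIQ/static/secure/resource_path HTTP/1.1" 302 0 "-"',
]

if __name__ == "__main__":
    for ip, path, status in scan(SAMPLE_LOG):
        print(f"ALERT unauthenticated {status} for protected static content: {ip} -> {path}")
```

Only the first two sample lines should be reported: the third carries a session, the fourth is outside the protected prefix, and the fifth is the redirect to the login page that a patched instance returns.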

Original References

This vulnerability has been documented and reported by various security researchers and organizations. For more information on CVE-2024-10905, you can refer to the following original references:

1. US-CERT Vulnerability Summary for CVE-2024-10905
2. MITRE CVE Entry for CVE-2024-10905
3. NVD - CVE-2024-10905

Mitigation

1. Apply the relevant patch: for IdentityIQ 8.4, apply 8.4p2 or later; for IdentityIQ 8.3, apply 8.3p5 or later; for IdentityIQ 8.2, apply 8.2p8 or later.

2. Configure your IdentityIQ installation to properly enforce access controls for static content, using either your application server's built-in security features or third-party security solutions. Refer to [IdentityIQ's official documentation](https-link-to-documentation) for guidance on securing your installation.

Conclusion

CVE-2024-10905 is a critical security vulnerability affecting multiple versions of IdentityIQ. Organizations using IdentityIQ should take immediate action to patch their systems and ensure proper access controls are in place to prevent unauthorized access to static content. Regularly monitoring logs for signs of suspicious activity can help organizations detect attempts to exploit this vulnerability and maintain the security of their IAM infrastructure.

Timeline

Published on: 12/02/2024 15:15:10 UTC