CVE-2024-1714
📋 TL;DR
This vulnerability in SailPoint IdentityIQ allows authenticated users to request access to entitlements with leading or trailing whitespace in their values, potentially bypassing intended access controls. It affects all supported versions of IdentityIQ Lifecycle Manager. Attackers could gain unauthorized access to sensitive resources or privileges.
💻 Affected Systems
- SailPoint IdentityIQ Lifecycle Manager
📦 What is this software?
IdentityIQ by SailPoint
⚠️ Risk & Real-World Impact
Worst Case
Privilege escalation leading to unauthorized access to critical systems, data exfiltration, or administrative control compromise.
Likely Case
Unauthorized access to specific entitlements or resources that should be restricted, potentially enabling lateral movement.
If Mitigated
Limited impact with proper access controls, monitoring, and least privilege principles in place.
🎯 Exploit Status
Exploitation requires authenticated user access and knowledge of entitlement values with whitespace.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check SailPoint security advisory for specific patched versions
Vendor Advisory: https://www.sailpoint.com/security-advisories/sailpoint-identityiq-access-request-for-entitlement-values-with-leading-trailing-whitespace-cve-2024-1714/
Restart Required: Yes
Instructions:
1. Review SailPoint security advisory for patched versions
2. Apply the latest IdentityIQ patch from SailPoint
3. Restart IdentityIQ services
4. Verify the fix by testing access requests with whitespace
🔧 Temporary Workarounds
Input Validation Enhancement
Implement custom input validation to strip whitespace from entitlement values in access requests
Implement custom validation rules in IdentityIQ workflows to trim whitespace from entitlement values
Access Request Monitoring
Increase monitoring and alerting for access requests containing whitespace in entitlement values
Configure SIEM alerts for access requests with whitespace patterns in entitlement fields
🧯 If You Can't Patch
- Implement strict access controls and least privilege principles to limit potential damage
- Enhance monitoring for unusual access request patterns and entitlement modifications
🔍 How to Verify
Check if Vulnerable:
Test by submitting an access request for an entitlement value with leading or trailing whitespace and checking whether it is processed differently from the trimmed value
Check Version:
Check IdentityIQ version through admin console or application.properties file
Verify Fix Applied:
After patching, repeat the same test case: access requests with leading or trailing whitespace should be rejected or normalized to the trimmed value
📡 Detection & Monitoring
Log Indicators:
- Access requests containing whitespace in entitlement value fields
- Unusual entitlement assignment patterns
- Multiple access requests for similar entitlements with variations
Network Indicators:
- Increased volume of access request API calls
- Patterns of requests with URL-encoded whitespace characters
SIEM Query:
source="identityiq" AND (message="access request" AND entitlement_value MATCHES "^\\s.*|.*\\s$")
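The log indicator above, as an added example that is not part of this page or of SailPoint's product: a script that scans constructed access-request events for entitlement values with leading or trailing whitespace and reports which of them would match a restricted entitlement only after trimming. The JSON field names and the restricted-entitlement list are assumptions made for the example.

```python
import json
import re

# Constructed sample events (not real IdentityIQ log output): one access-request
# record per line, with the entitlement value exactly as the requester submitted it.
SAMPLE_EVENTS = """\
{"user": "alice", "action": "access request", "entitlement_value": "Finance-Readers"}
{"user": "bob", "action": "access request", "entitlement_value": " Domain Admins"}
{"user": "carol", "action": "access request", "entitlement_value": "Domain Admins\\t"}
{"user": "dave", "action": "access request", "entitlement_value": "Domain Admins"}
{"user": "erin", "action": "access request", "entitlement_value": "Help Desk Operators"}
{"user": "frank", "action": "provisioning", "entitlement_value": " Domain Admins"}
""".splitlines()

# Constructed list of entitlements that should be blocked or need extra approval,
# stored in canonical (trimmed) form.
RESTRICTED_ENTITLEMENTS = {"Domain Admins"}

# Anchored on purpose: only leading or trailing whitespace is of interest, not the
# internal spaces that many legitimate entitlement names contain.
EDGE_WHITESPACE = re.compile(r"^\s|\s$")


def has_edge_whitespace(value: str) -> bool:
    """True if the value starts or ends with any whitespace character."""
    return bool(EDGE_WHITESPACE.search(value))


def suspicious_requests(lines):
    """Return access requests whose entitlement value carries edge whitespace.

    Each finding records the raw value, its trimmed form and whether the trimmed
    form is on the restricted list, which is the case a name-based control would miss.
    """
    findings = []
    for line in lines:
        event = json.loads(line)
        if event.get("action") != "access request":
            continue
        raw = event.get("entitlement_value", "")
        if not has_edge_whitespace(raw):
            continue
        canonical = raw.strip()
        findings.append({
            "user": event["user"],
            "raw": raw,
            "canonical": canonical,
            "restricted_after_trim": canonical in RESTRICTED_ENTITLEMENTS,
        })
    return findings
```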
🔗 References
- https://www.sailpoint.com/security-advisories/sailpoint-identityiq-access-request-for-entitlement-values-with-leading-trailing-whitespace-cve-2024-1714/