CVE-2024-28770
📋 TL;DR
IBM Security Directory Integrator does not set the Secure attribute on its session cookies and authorization tokens, so a browser holding a valid session will also send them over plaintext HTTP. An attacker who gets a user to open an http:// link to the server (for example by planting it in a page the user visits) and who can observe the resulting cleartext request obtains the cookie and can replay the session. The cookie is sent in the very first request, before any redirect the server returns. Affects IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0.
💻 Affected Systems
- IBM Security Directory Integrator
- IBM Security Verify Directory Integrator
📦 What is this software?
IBM Security Directory Integrator (formerly Tivoli Directory Integrator; the 10.x line is sold as IBM Security Verify Directory Integrator) is an identity data integration product. It moves and synchronises identity data between LDAP directories, databases and applications through configurable AssemblyLines, and ships with a web-based administration console. Because the server holds connector credentials for every system it synchronises, its console session is a high-value target.
⚠️ Risk & Real-World Impact
Worst Case
An attacker who replays a stolen console session acts as that administrator: they can read or alter integration configuration and the connector credentials it holds, reach the directories and databases the server synchronises with, and use that access for lateral movement within the network.
Likely Case
Session hijacking leading to unauthorized access to directory integration functions and potential data exposure.
If Mitigated
Limited impact if the console is reachable only over HTTPS with HSTS enabled and a reverse proxy adds the Secure attribute to the cookies the product sets. User awareness of suspicious links helps but is not a control on its own.
🎯 Exploit Status
No exploit code is needed. The attacker only has to make the victim's browser issue a plain-HTTP request to the ISDI host (an e-mailed or planted http:// link is enough) and be positioned to read that cleartext request, for example on the same network segment or at an upstream hop. User interaction is required, but the rest is standard cookie interception, and the cookie leaks on the initial request even if the server then redirects to HTTPS.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply interim fix or upgrade as per IBM advisory
Vendor Advisory: https://www.ibm.com/support/pages/node/7161444
Restart Required: Yes
Instructions:
1. Review the IBM advisory for the fix matching your version
2. Apply the recommended interim fix or upgrade
3. Restart the affected services
4. Verify that the Secure attribute is now set on the session cookie (see How to Verify)
🔧 Temporary Workarounds
Enforce HTTPS Only
Configure the web server (or a reverse proxy in front of the ISDI console) to redirect all HTTP traffic to HTTPS and to send an HSTS header on HTTPS responses. Caveat: the redirect alone does not close this issue, because the browser has already sent the non-Secure cookie in the cleartext request that the redirect answers. HSTS prevents that cleartext request on later visits, and removing the plain-HTTP listener altogether prevents it always.
# Apache (port-80 vhost):  Redirect permanent / https://your-domain.com/
# Apache (port-443 vhost): Header always set Strict-Transport-Security "max-age=31536000"
# Nginx (port-80 server):  return 301 https://$server_name$request_uri;
# Nginx (port-443 server): add_header Strict-Transport-Security "max-age=31536000" always;
Cookie Security Headers
The advisory does not document a product setting for the cookie attributes, so until the fix is applied the practical route is a reverse proxy that rewrites the product's Set-Cookie headers to append Secure (and HttpOnly where missing), for example with Apache mod_headers' `Header edit Set-Cookie` directive. The target form of the header is:
# Set-Cookie: <session cookie>=<value>; Path=/; Secure; HttpOnly
🧯 If You Can't Patch
- Remove or firewall the plain-HTTP listener so the console is reachable only over HTTPS, and publish HSTS
- Front the console with a reverse proxy that appends the Secure attribute to its cookies
- Restrict console access to an administrative network segment and monitor for session reuse from unexpected clients
🔍 How to Verify
Check if Vulnerable:
Log in to the console over HTTPS, then inspect the cookie in the browser's developer tools (Application/Storage > Cookies): a session or token cookie whose Secure column is unchecked is affected. Equivalently, look at the Set-Cookie header of the login response; on affected builds it carries no `Secure` attribute.
Check Version:
# The version and fix-pack level are shown in the admin console's About page; on the server, the applyUpdates tool in the install directory lists registered fixes (e.g. applyUpdates.sh -queryreg on Linux)
Verify Fix Applied:
The Set-Cookie header of the login response now includes `Secure` (and `HttpOnly`), an http:// request to the console is answered with a 301/302 to https://, and HTTPS responses carry Strict-Transport-Security.
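The checks above, as an added example that is not IBM's code: it parses Set-Cookie headers for the missing Secure attribute, checks that plain HTTP redirects to HTTPS and that HTTPS responses carry HSTS, and includes a standard-library fetcher for a live host. The cookie-name pattern, the hostname isdi.example.internal and the sample responses are constructed assumptions; the advisory does not name the product's cookie.

```python
"""Audit an ISDI console for the CVE-2024-28770 condition: a session cookie issued
without the Secure attribute.  Added example, not IBM's code.  The cookie-name
pattern, hostnames and sample responses below are constructed assumptions."""
import http.client
import re
import ssl
from urllib.parse import urlsplit

# Names that usually carry a session or authorization token.  The advisory does
# not name ISDI's cookie, so this pattern is an assumption; widen it if needed.
SESSION_COOKIE_RE = re.compile(r"(?i)(session|token|auth)")
REDIRECT_STATUSES = {301, 302, 307, 308}


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(set_cookie_values) -> list:
    """Findings for session-like cookies that lack Secure or HttpOnly."""
    findings = []
    for raw in set_cookie_values:
        cookie = parse_set_cookie(raw)
        if not SESSION_COOKIE_RE.search(cookie["name"]):
            continue
        if "secure" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: missing Secure (CVE-2024-28770 condition)")
        if "httponly" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: missing HttpOnly")
    return findings


def audit_response(url: str, status: int, headers) -> list:
    """headers is a list of (name, value) pairs, as http.client's getheaders() returns.
    Plain-HTTP URLs must redirect to HTTPS; HTTPS responses must send HSTS and
    Secure session cookies."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    findings = []
    if urlsplit(url).scheme.lower() == "http":
        location = by_name.get("location", [""])[0]
        if status not in REDIRECT_STATUSES or not location.lower().startswith("https://"):
            findings.append("plain HTTP is served without a redirect to HTTPS")
        # Even with a redirect, a non-Secure cookie was already sent in this request;
        # only the Secure attribute (or HSTS on later visits) prevents that.
    else:
        if "strict-transport-security" not in by_name:
            findings.append("HTTPS response lacks Strict-Transport-Security")
        findings.extend(audit_cookies(by_name.get("set-cookie", [])))
    return findings


def fetch(url: str, timeout: float = 10.0):
    """GET url with the standard library and return (status, headers).  Needs network."""
    u = urlsplit(url)
    path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    if u.scheme == "https":
        conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


# Constructed sample responses (not captured from a real install).
VULNERABLE_HTTPS = (200, [("Content-Type", "text/html"),
                          ("Set-Cookie", "JSESSIONID=9F3A1C2E7B; Path=/; HttpOnly")])
FIXED_HTTPS = (200, [("Content-Type", "text/html"),
                     ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                     ("Set-Cookie", "JSESSIONID=9F3A1C2E7B; Path=/; Secure; HttpOnly")])
VULNERABLE_HTTP = (200, [("Content-Type", "text/html")])
FIXED_HTTP = (301, [("Location", "https://isdi.example.internal/")])

if __name__ == "__main__":
    for label, url, (status, hdrs) in [
        ("vulnerable https", "https://isdi.example.internal/", VULNERABLE_HTTPS),
        ("fixed https", "https://isdi.example.internal/", FIXED_HTTPS),
        ("vulnerable http", "http://isdi.example.internal/", VULNERABLE_HTTP),
        ("fixed http", "http://isdi.example.internal/", FIXED_HTTP),
    ]:
        print(label, audit_response(url, status, hdrs) or ["OK"])
    # Against a live host: status, hdrs = fetch("https://isdi.example.internal/console/")
```

Run it against a live host with `fetch()` for both the http:// and https:// form of the console URL and feed each result to `audit_response()`; the login response is the one that sets the session cookie, so point it at the path that performs the login on your deployment.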
📡 Detection & Monitoring
Log Indicators:
- The same session cookie appearing in requests from a second source IP, user agent or geography while the original session is still active
- Console activity on a session with no matching login event, or from a source that never requested the login page
Network Indicators:
- Requests to the ISDI console over TCP/80 (or any plain-HTTP listener) that carry a Cookie header
- Session tokens visible in cleartext in packet captures of console traffic
SIEM Query:
Field names vary by log source; the Splunk-style queries below assume a web or reverse-proxy index that records the request scheme (or destination port) and the Cookie header. The first finds session cookies sent in the clear, the second finds one session token used from more than one client.
index=web (scheme=http OR dest_port=80) cookie="*SESSION*" | stats count min(_time) max(_time) by src_ip, uri
index=web cookie="*SESSION*" | rex field=cookie "SESSIONID=(?<sid>[^;]+)" | stats dc(src_ip) AS ips values(src_ip) by sid | where ips > 1
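The two indicators above run over sample events, as an added example that is not IBM's code and not from the advisory: a session cookie carried over plain HTTP, and the same token later reused from another client. The events are constructed, SIEM-normalised web-proxy records; their field names, the hostname and the cookie-name pattern are assumptions, so map them onto your own log schema.

```python
"""Hunt for the two traces a CVE-2024-28770 attack leaves: a session cookie carried
over plain HTTP, and the same session token reused from another client.
Added example, not IBM's code.  The events are constructed, SIEM-normalised
web-proxy records; field names and the cookie-name pattern are assumptions."""
import json
import re
from collections import defaultdict

SESSION_COOKIE_RE = re.compile(r"(?i)(session|token|auth)")  # assumed cookie names

# Constructed events: an admin logs in over HTTPS, is lured to an http:// link
# (cookie leaks on the wire), then the token reappears from an external IP.
SAMPLE_EVENTS = """\
{"ts":"2024-05-01T10:00:01Z","src_ip":"10.1.2.3","scheme":"https","host":"isdi.example.internal","uri":"/console/login","cookie":"","user_agent":"Mozilla/5.0"}
{"ts":"2024-05-01T10:00:05Z","src_ip":"10.1.2.3","scheme":"https","host":"isdi.example.internal","uri":"/console/home","cookie":"JSESSIONID=9F3A1C2E7B; theme=dark","user_agent":"Mozilla/5.0"}
{"ts":"2024-05-01T10:07:42Z","src_ip":"10.1.2.3","scheme":"http","host":"isdi.example.internal","uri":"/console/home","cookie":"JSESSIONID=9F3A1C2E7B; theme=dark","user_agent":"Mozilla/5.0"}
{"ts":"2024-05-01T10:09:13Z","src_ip":"203.0.113.9","scheme":"https","host":"isdi.example.internal","uri":"/console/home","cookie":"JSESSIONID=9F3A1C2E7B","user_agent":"curl/8.4.0"}
"""


def parse_events(text: str) -> list:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def session_cookies(cookie_header: str) -> dict:
    """Return {name: value} for the session-like cookies in a Cookie request header."""
    found = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and SESSION_COOKIE_RE.search(name):
            found[name] = value
    return found


def detect(events: list) -> dict:
    """Return {'cleartext': [...], 'reuse': [...]} alerts for the given events."""
    cleartext = []
    clients = defaultdict(lambda: {"src_ips": set(), "user_agents": set()})
    for ev in events:
        cookies = session_cookies(ev.get("cookie", ""))
        if not cookies:
            continue
        # Indicator 1: a session cookie transmitted over plain HTTP is already leaked.
        if ev.get("scheme", "").lower() == "http":
            cleartext.append({"ts": ev["ts"], "src_ip": ev["src_ip"],
                              "uri": ev["uri"], "cookies": sorted(cookies)})
        for name, value in cookies.items():
            clients[(name, value)]["src_ips"].add(ev["src_ip"])
            clients[(name, value)]["user_agents"].add(ev.get("user_agent", ""))
    # Indicator 2: one token seen from more than one client suggests replay.
    reuse = []
    for (name, value), seen in clients.items():
        if len(seen["src_ips"]) > 1:
            reuse.append({"cookie": name, "token_suffix": value[-4:],
                          "src_ips": sorted(seen["src_ips"]),
                          "user_agents": sorted(seen["user_agents"])})
    return {"cleartext": cleartext, "reuse": reuse}


if __name__ == "__main__":
    print(json.dumps(detect(parse_events(SAMPLE_EVENTS)), indent=2))
```

Only a suffix of the token is written into the alert so that the SIEM does not become a second store of live session cookies. On a real deployment, the reuse check will fire on legitimate clients behind changing NAT addresses, so correlate it with the user-agent change and with the cleartext alert before treating it as theft.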