Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Security

Patches

Perfect 10 directory traversal vuln hits SailPoint's IAM solution

20-year-old info disclosure class bug still pervades security software

Connor Jones Tue 3 Dec 2024  //  23:45 UTC

Updated It's time to rev up those patch engines after SailPoint disclosed a perfect 10/10 severity vulnerability in its identity and access management (IAM) platform IdentityIQ.

The bug is not attached to a security advisory at the time of writing, but the vulnerability was reported on Monday to the National Vulnerability Database (NVD), which then assigned it the CVE-2024-10905 identifier.

Given the NVD rarely publishes a full analysis of vulnerabilities, and without an accompanying advisory to consult, the details of the flaw are few and far between.

However, we know the weakness enumeration is CWE-66. Otherwise known as a directory traversal flaw, these are the types of decades-old, easy-to-exploit bugs that the US's Cybersecurity and Infrastructure Security Agency (CISA) urged vendors to squash earlier this year.

In fact, security organization MITRE was calling them "unforgivable" much earlier, per a 2007 paper [PDF].

Directory traversals, sometimes referred to as path traversals, can be exploited when a piece of software fails to sanitize user input, allowing that user to access file directories they don't ordinarily have the necessary permissions to view.

This then leads to the disclosure of sensitive information and potentially the wider compromise of systems.

Such bugs have previously been described as "embarrassingly easy to exploit."

CISA said: "Directory traversal exploits succeed because technology manufacturers fail to treat user-supplied content as potentially malicious, hence failing to adequately protect their customers."

The agency's alert was one of many published earlier this year designed to support its campaign to drive the adoption of secure-by-design principles in software development. The idea is that if the most basic security issues are sorted out by vendors, the number of attacks that disrupt critical services will plummet.

Per the NVD's limited breakdown, the following SailPoint IdentityIQ versions are vulnerable:

Customers are advised to upgrade to versions 8.4p2, 8.3p5, and 8.2p8 respectively to patch the vulnerability.

Speaking of customers, SailPoint has some heavy hitters on its books. While the Thoma Bravo-owned biz doesn't disclose the exact number of customers under its wing, major organizations listed on its case studies page as using IdentityIQ include BNP Paribas, Toyota Europe, Philips, The Home Depot, General Motors, and an unnamed central bank of a European country dubbed a "major global economy."

The Register asked SailPoint why no security advisory was released and whether it's aware of any successful exploit attempts, but it did not immediately respond. ®

Updated to add at 1207 UTC, December 5

Rex Booth, CISO at SailPoint, shared the following statement with The Register:

As part of our continued commitment to transparency and security, on Monday December 2, SailPoint issued a security advisory for its IdentityIQ product which was assigned CVE-2024-10905. A fix has already been released, and we've provided customers with guidance on how to apply it.

Publishing CVEs is a voluntary practice across the industry that demonstrates dedication to security and transparency. At SailPoint, we invest in secure development practices and strive to catch vulnerabilities prior to software release, but, as with all software, new vulnerabilities can emerge as attacker tactics and detection capabilities evolve. For this reason, we continually test our products in all stages of the development lifecycle to minimise risk to our customers. Finding and remediating vulnerabilities is a symptom of a mature security programme, and reflects a company that is dedicated to safeguarding the cyber ecosystem.
Send us news
6 Comments

UK ICO not happy with Google's plans to allow device fingerprinting

Also, Ascension notifies 5.6M victims, Krispy Kreme bandits come forward, LockBit 4.0 released, and more

Apache issues patches for critical Struts 2 RCE bug

More details released after devs allowed weeks to apply fixes

Three more vulns spotted in Ivanti CSA, all critical, one 10/10

Patch up, everyone – that admin portal is mighty attractive to your friendly cyberattacker

Fully patched Cleo products under renewed 'zero-day-ish' mass attack

Thousands of servers targeted while customers wait for patches

OpenWrt orders router firmware updates after supply chain attack scare

A couple of bugs lead to a potentially bad time

Zabbix urges upgrades after critical SQL injection bug disclosure

US agencies blasted 'unforgivable' SQLi flaws earlier this year

Infosec experts divided on AI's potential to assist red teams

Yes, LLMs can do the heavy lifting. But good luck getting one to give evidence

Trump administration wants to go on cyber offensive against China

The US has never attacked Chinese critical infrastructure before, right?

Deloitte says cyberattack on Rhode Island benefits portal carries 'major security threat'

Personal and financial data probably stolen

Are your Prometheus servers and exporters secure? Probably not

Plus: Netscaler brute force barrage; BeyondTrust API key stolen; and more

Blue Yonder ransomware termites claim credit

Also: Mystery US firm compromised by Chinese hackers for months; Safe links that aren't; Polish spy boss arrested, and more

Lights out for 18 more DDoS booters in pre-Christmas Operation PowerOFF push

Holiday cheer comes in the form of three arrests and 27 shuttered domains