Ivanti Connect Secure/Policy Secure CVE-2023-46805, CVE-2024-21887 Combine for Unauthenticated RCE, and following CVEs discovered over time

Written by the Kudelski Security Threat Detection & Research Team (updated on 2024.02.12 by Yann Lehmann)


Summary

Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateways are affected by two vulnerabilities, CVE-2023-46805 (Authentication Bypass) and CVE-2024-21887 (Command Injection). The vulnerabilities impact all currently supported versions of these products; exploitation can allow remote attackers to access restricted resources, bypass authentication checks, and execute arbitrary commands on the system. Ivanti Neurons for ZTA gateways are also vulnerable if generated but left unconnected to a ZTA controller.

After further review, Ivanti also disclosed two additional vulnerabilities: CVE-2024-21888, a privilege escalation vulnerability, and CVE-2024-21893, a server-side request forgery.

And finally (hopefully), Ivanti disclosed yet another vulnerability, CVE-2024-22024, an XML external entity injection (XXE) with a CVSSv3 score of 8.3, discovered on the 8th of February.

These vulnerabilities are seeing a surge of exploitation attempts by a specific state-sponsored APT threat actor, as well as by other opportunistic threat actors. As such, it is key to either update immediately or apply the provided workaround.

Recommendations (Updated 2024/02/12)

Please apply the latest patches as they become available, as described in Ivanti’s advisory.

If the system cannot be patched immediately, the latest XML mitigation already provided by Ivanti also protects against the exploitation of CVE-2024-22024.

Affected Systems and/or Applications

  • Ivanti Connect Secure (ICS), 9.x and 22.x
  • Ivanti Policy Secure, 9.x and 22.x
  • Ivanti Neurons for ZTA*, 22.5R1.5 and 22.6R1.3

For a detailed list of impacted versions, see the Patch Availability table in Ivanti’s advisory. Please note that Ivanti is slowly rolling out patches for all affected versions, so stay up to date until your appliances are provided with a patch.

Technical Details / Attack Overview

  • CVE-2023-46805 (CVSS 8.2): An authentication bypass vulnerability in the web component of ICS and Ivanti Policy Secure allows remote attackers to access restricted resources by bypassing control checks.
  • CVE-2024-21887 (CVSS 9.1): A command injection vulnerability in web components of ICS and Ivanti Policy Secure allows authenticated administrators to send specially crafted requests and execute arbitrary commands on the appliance over the internet.
    Use of these vulnerabilities in conjunction can allow an unauthenticated attacker to compromise the device over the internet.
  • CVE-2024-21888 (CVSS 8.8): A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to those of an administrator.
  • CVE-2024-21893 (CVSS 8.2): The SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA contains a server-side request forgery vulnerability. This allows an attacker to access restricted resources without authentication.
  • CVE-2024-22024 (CVSS 8.3): The SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) contains an XML external entity injection (XXE) vulnerability that could allow an unauthenticated attacker to access restricted resources.

While technical specifics related to the vulnerabilities themselves are currently unavailable to the public, Volexity has published a breakdown of a breach made possible by the exploitation of these then-zero-day bugs. Notably, while both bugs are severe on their own, their use in conjunction can allow an unauthenticated attacker to compromise a vulnerable device over the internet.

Temporary Workarounds and Mitigations

While patches for all affected versions are in development, Ivanti has released a temporary mitigation in the form of an XML file to be imported on affected appliances. The mitigation can be found in the download portal provided by Ivanti. Unfortunately, certain features will be impacted or degraded after applying the mitigation, such as the Admin REST APIs, End User Portal, Rewriter functionality, Citrix StoreFront with HTML5, and more. Refer to Ivanti’s advisory for more details.

Patches for supported versions will be released in a staggered schedule from the week of January 22nd until the week of February 19th. Application instructions will also be provided at the time of release.

Additionally, Ivanti recommends that all customers run the external Integrity Checker Tool (ICT) as a precautionary measure against threat actor activity. For information on how to run the external ICT, refer to this Ivanti Knowledge Base article.

What the Cyber Fusion Center (CFC) is doing

The CFC has an ongoing threat hunting campaign looking for indicators of compromise; where needed, our clients will be contacted through their support portal.

Vulnerability scan plugins exist, and upon completion of a vulnerability scan, clients with the relevant service will receive cases if vulnerable versions are found.

The CFC will continue to monitor the situation and update the article if necessary.

Sources
