Unfortunately this is not a repeat: yet more vulnerabilities have popped up in the Ivanti VPN products. CVE-2024-21893 (CVSS 8.2) is an SSRF flaw that allows an attacker to access resources without authentication. It is being widely exploited, so if you use this product you should probably assume your instance has been compromised and should be threat hunting now. CVE-2024-22024 (CVSS 8.3) is an XML external entity (XXE) issue in the SAML component of the VPN appliance, which allows an attacker to influence how XML files are handled.
First, let’s look at the CVE-2024-21893 exploit in more depth.
What is interesting about the PoC is that it chains CVE-2024-21893 with a previously patched vulnerability (CVE-2024-21887) to achieve unauthenticated remote code execution. On top of that, CVE-2024-21893 is actually an alias for a CVE in an open-source library. That library was patched in June 2023, which means Ivanti was not updating the libraries used in its code; not good, but unfortunately very common. This is confirmed by security researcher Will Dormann, who found 7 other out-of-date open-source libraries in the Ivanti VPN appliance. Ivanti began releasing patches for this on Jan 31/Feb 1, so make sure you check and update your devices as quickly as possible. Ivanti initially recommended a factory reset followed by an upgrade of any affected devices. Attackers were able to bypass the initial mitigation, and a second patch was made available. If you already did the factory reset and applied the initial patch, a factory reset is not recommended when applying the second patch.
CVE-2024-22024
Well, the plus is that there is no evidence of this being actively exploited yet, so you have a chance to patch. Since we know Ivanti VPN devices are already being heavily targeted, I would recommend patching as quickly as possible, because it will only be a matter of time before a PoC exploit is released.
- Update 2/12/2024 – Well, that didn’t take long. Over the weekend watchTowr reported that exploitation is possible with a basic, publicly available payload for out-of-bounds XXE. Patch as quickly as possible and threat hunt if you are running affected versions.
As always, if you are impacted by these vulnerabilities, patch according to the vendor recommendations and threat hunt. If you think you may be affected and would like help investigating, please reach out to csirt@frsecure.com.
Links:
https://thehackernews.com/2024/02/recently-disclosed-ssrf-flaw-in-ivanti.html