Ivanti’s no good, very bad 2024 continues


Unfortunately this is not a repeat: yet more vulnerabilities have popped up in the Ivanti VPN products. CVE-2024-21893 (CVSS 8.2) is an SSRF flaw that allows an attacker to access resources without needing authentication. It is being widely exploited, so if you use this product you should probably assume your instance has been compromised and should be threat hunting now. CVE-2024-22024 (CVSS 8.3) is an XML external entity (XXE) issue in the SAML component of the VPN appliance, which allows an attacker to influence how XML files are handled.

First, let’s look at the CVE-2024-21893 exploit in more depth.

What is interesting about the PoC is that it chains CVE-2024-21893 with a previously patched vulnerability (CVE-2024-21887) to achieve unauthenticated remote code execution. Adding to that, CVE-2024-21893 is actually an alias for a CVE in an open-source library. That library was patched in June 2023, which means Ivanti was not updating the libraries used in their code: not good, but unfortunately very common. This is confirmed by security researcher Will Dormann, who found 7 other out-of-date open-source libraries used in the Ivanti VPN appliance. Ivanti began releasing patches for this on Jan 31/Feb 1, so make sure you are checking and update your devices as quickly as possible. Ivanti initially recommended a factory reset followed by upgrading any affected devices. Attackers were able to bypass the initial mitigation actions, and a second patch was made available. If you already did the factory reset and applied the initial patch, a factory reset is not recommended when applying the second patch.

CVE-2024-22024

Well, the plus is that there is no evidence of this being actively exploited yet, so you have a chance to patch. Since we know Ivanti VPN devices are already being heavily targeted, I would recommend patching as quickly as possible, because we know it will just be a matter of time before a PoC exploit is released.

  • Update 2/12/2024 – Well, that didn’t take long. Over the weekend WatchTowr said exploitation is possible with a basic, publicly available payload for out-of-bounds XXE. Patch as quickly as possible and threat hunt if you have affected versions.
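The XXE class behind CVE-2024-22024 is worth showing from the defender's side. The Python below is an added example, not Ivanti's code and not taken from any of the linked write-ups: it pre-scans an incoming SAML message with the standard-library expat parser and refuses anything that declares a DOCTYPE or an entity before a real parser ever sees it. Both sample documents are constructed here, and the `file:///placeholder` URI is a stand-in, not a real target. The check implements the general policy (no DTD in SAML), not the specific Ivanti bug.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


class UnsafeXmlError(ValueError):
    """Raised when a document declares a DTD or any entity."""


def reject_dtd_and_entities(data: bytes) -> None:
    """Pre-scan the document with expat and abort on DOCTYPE/ENTITY constructs.

    XXE relies on a DOCTYPE that declares an external entity. A SAML message
    from a legitimate identity provider never carries a DTD, so the whole
    construct can be refused instead of trying to resolve entities "safely".
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE {name!r} is not permitted in a SAML message")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError(f"entity declaration {name!r} is not permitted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # Exceptions raised inside expat callbacks propagate out of Parse(),
    # so the first forbidden construct stops the scan.
    parser.Parse(data, True)


def parse_saml_strict(data: bytes) -> ET.Element:
    """Return the root element, or raise on a DTD/entity or malformed XML."""
    reject_dtd_and_entities(data)
    return ET.fromstring(data)


def is_safe_saml(data: bytes) -> bool:
    """True if the document passes the DTD/entity policy and parses cleanly."""
    try:
        parse_saml_strict(data)
    except (UnsafeXmlError, ET.ParseError, xml.parsers.expat.ExpatError):
        return False
    return True


def subject_name_id(data: bytes) -> str:
    """Extract Subject/NameID from a strictly parsed assertion."""
    root = parse_saml_strict(data)
    node = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if node is None or node.text is None:
        raise ValueError("assertion has no Subject/NameID")
    return node.text


# Constructed sample: a minimal assertion with no DTD, the shape a real IdP sends.
BENIGN = b"""<?xml version="1.0"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Constructed sample: the same shape with an internal DTD declaring an external
# entity. The SYSTEM URI is a placeholder; the policy rejects the DOCTYPE itself.
WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE saml:Assertion [
  <!ENTITY ext SYSTEM "file:///placeholder">
]>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c2">
  <saml:Subject><saml:NameID>&ext;</saml:NameID></saml:Subject>
</saml:Assertion>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("with DTD", WITH_DTD)):
        print(f"{label}: accepted={is_safe_saml(doc)}")
    print("NameID:", subject_name_id(BENIGN))
```

Refusing the DTD outright is the usual posture for SAML endpoints: legitimate identity providers never send one, so nothing is lost, and the same check shuts down entity-expansion denial of service. Run the file directly to see the benign assertion accepted and the DTD-bearing one refused.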

As always, if you are impacted by these vulnerabilities, patch according to the vendor recommendations and threat hunt. If you think you may be affected and would like help investigating the issue, please reach out to csirt@frsecure.com.

Links:

https://www.cisa.gov/news-events/alerts/2024/01/30/updated-new-software-updates-and-mitigations-defend-against-exploitation-ivanti-connect-secure-and

https://thehackernews.com/2024/02/recently-disclosed-ssrf-flaw-in-ivanti.html

https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US


