CVEs: CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893
Recently, Ivanti Connect Secure appliances have faced active exploitation through a series of linked vulnerabilities of high or critical severity. On January 10, 2024, Ivanti disclosed two new vulnerabilities in its Ivanti Connect Secure and Ivanti Policy Secure gateways: CVE-2023-46805 (high severity authentication bypass) and CVE-2024-21887 (critical severity command injection). These vulnerabilities affect all supported versions of the gateways. An exploit chain combining the authentication bypass (CVE-2023-46805) with the command injection (CVE-2024-21887) has been used to execute code remotely without authentication. Rapid7 published a detailed analysis of these vulnerabilities on January 11, 2024. In response, Ivanti released a mitigation file that blocks this exploit chain.
Subsequently, on January 31, 2024, two additional high severity vulnerabilities were disclosed by Ivanti, at which time CISA issued an emergency directive to all U.S. federal agencies to mitigate (disconnect) Ivanti Connect Secure and Ivanti Policy Secure products from their networks no later than 11:59 p.m. on February 2, 2024.
The vulnerabilities chained in these attacks are CVE-2023-46805 (Authentication Bypass), CVE-2024-21887 (Command Injection), and CVE-2024-21893 (Server-Side Request Forgery), all in Ivanti Connect Secure and Ivanti Policy Secure Gateways.
Chaining these vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure Gateways has serious consequences. Exploited together, they let attackers bypass authentication checks, execute OS commands with root privileges, and perform Server-Side Request Forgery (SSRF) against the affected systems. The chain gives unauthenticated attackers access to the appliance and can compromise the security and integrity of the Ivanti software.
Ivanti has acknowledged active exploitation of these vulnerabilities and is working towards releasing official patches. Users should be aware that a proof of concept (PoC) for the initial vulnerabilities is now publicly available, which makes exploitation easier.
According to the Ivanti advisory, these vulnerabilities affect all supported versions of the products, versions 9.x and 22.x. It is unknown if unsupported versions 8.x and older are also affected. It is crucial for users to apply the recommended mitigation steps provided by Ivanti and update their software to the latest patched versions to protect against these vulnerabilities and prevent any potential exploitation.
CVE-2023-46805 (Authentication Bypass): This vulnerability allows attackers to bypass authentication checks and gain unauthorized access to the system. To understand how the bypass works, researchers might investigate endpoints like /api/private/v1/controller-changeset, which could grant access to sensitive system configuration without proper authentication checks.
CVE-2024-21887 (Command Injection): This vulnerability lets attackers who already have access to the system execute arbitrary commands, effectively taking control of it. A key endpoint for this vulnerability is /api/v1/totp/user-backup-code in the custom web server, which may be susceptible to command injection. Researchers testing for command injection could also examine /api/v1/license/keys-status; manipulating this endpoint could lead to unauthorized command execution, revealing the system's susceptibility to CVE-2024-21887.
To chain the SSRF vulnerability (CVE-2024-21893) with the command injection vulnerability (CVE-2024-21887), attackers use the SSRF to issue an arbitrary HTTP GET request to the /api/v1/license/keys-status endpoint, which is susceptible to command injection. Because authentication is enforced by the front-end web server and not by the back-end services, the request made by the SSRF reaches the command injection without any authentication. Combined, these vulnerabilities let attackers bypass authentication, execute arbitrary commands and perform SSRF, compromising the security and integrity of the Ivanti software.
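The endpoints named in the three paragraphs above are the most useful thing a defender can take from this write-up, because they are what appears in the appliance's web access logs. The following is an added example (ours, not Versa's, Ivanti's or Rapid7's code) that scans Common Log Format lines for requests to those paths, normalising percent-encoding and dot segments first so that an encoded spelling of a path is not missed, and then groups hits per source address, since one client touching several of these endpoints in quick succession is the chained pattern described above. The log lines are constructed for the example; the log format, the 200/403/500 statuses and the field layout are assumptions, not real appliance output.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Request paths named in the advisory above. A hit is a triage signal, not
# proof of compromise: correlate with source address, response status and
# whether the client was an authenticated, expected user.
WATCHED_PATHS = {
    "/api/private/v1/controller-changeset": "CVE-2023-46805 (authentication bypass)",
    "/api/v1/totp/user-backup-code": "CVE-2024-21887 (command injection)",
    "/api/v1/license/keys-status": "CVE-2024-21887 (command injection)",
    "/dana-ws/saml20.ws": "CVE-2024-21893 (SSRF via SAML)",
}

# Assumed Common Log Format:
#   src ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def normalize_path(target: str) -> str:
    """Reduce a request target to a canonical path: drop the query string,
    decode percent-encoding and collapse '.' and '..' segments, so encoded
    or dotted spellings of a path compare equal to the plain form."""
    path = unquote(urlsplit(target).path)
    return posixpath.normpath(path)


def classify_request(line: str):
    """Return a dict describing the hit if the line touches a watched path,
    otherwise None. Lines that do not parse are ignored."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m.group("target"))
    for watched, label in WATCHED_PATHS.items():
        if path == watched or path.startswith(watched + "/"):
            return {
                "src": m.group("src"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "path": path,
                "status": m.group("status"),
                "label": label,
            }
    return None


def scan(lines):
    """Scan an iterable of log lines and return the list of hits."""
    return [hit for hit in map(classify_request, lines) if hit is not None]


def hits_by_source(hits):
    """Group hit labels per client address so that one source probing
    several watched endpoints stands out."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["src"], []).append(h["label"])
    return grouped


# Constructed sample log, not real appliance output. The third line uses a
# percent-encoded hyphen to show why the path is normalised before matching.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Jan/2024:10:15:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.7 - - [31/Jan/2024:10:16:44 +0000] "GET /api/v1/totp/user-backup-code HTTP/1.1" 403 0
203.0.113.7 - - [31/Jan/2024:10:16:45 +0000] "GET /api/v1/license/keys%2Dstatus?node=x HTTP/1.1" 200 41
198.51.100.9 - - [31/Jan/2024:10:17:02 +0000] "POST /dana-ws/saml20.ws HTTP/1.1" 500 0
203.0.113.5 - - [31/Jan/2024:10:18:30 +0000] "GET /api/private/v1/controller-changeset HTTP/1.1" 200 2210
not a log line at all
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for hit in found:
        print(f'{hit["ts"]} {hit["src"]} {hit["method"]} {hit["path"]} -> {hit["label"]}')
    print(hits_by_source(found))
```

The matching is on the normalised path only, on purpose: a signature that keys on the exact bytes of a request would miss the percent-encoded variant in the sample, and a blocklist of that kind is exactly what a front-end-only authentication check tends to turn into. Treat every hit as something to correlate with the response status and the identity of the client, not as an alert on its own.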
The SSRF vulnerability (CVE-2024-21893) is triggered by an unauthenticated HTTP request to the SAML server at the /dana-ws/saml20.ws endpoint. It stems from the outdated version (3.0.2) of the xmltooling library used by the system, which contains an SSRF flaw. An attacker supplies an XML SOAP envelope containing a signature with a KeyInfo element; the RetrievalMethod element within KeyInfo carries a URI attribute that accepts an arbitrary URI, and the server makes an HTTP GET request to that resource. The attacker also controls the GET query string of that request, which adds flexibility when exploiting the vulnerability.
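The root cause just described is a key-reference mechanism that fetches whatever URI it is handed. The following is an added example (ours, not code from Versa, Ivanti or the xmltooling project) of the gate a reverse proxy or WAF sitting in front of the SAML SOAP endpoint could apply while the library remains unpatched: parse the inbound envelope offline, collect every ds:RetrievalMethod URI under a ds:KeyInfo, and reject the message unless each one is a same-document reference. The envelopes are constructed for the example, the 203.0.113.10 address is from the documentation range, and the assumption that a legitimate peer never needs out-of-document key retrieval is ours and should be confirmed against the real identity provider before deployment.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
KEYINFO = f"{{{DS_NS}}}KeyInfo"
RETRIEVAL = f"{{{DS_NS}}}RetrievalMethod"


def find_retrieval_uris(soap_xml: str):
    """Collect the URI attribute of every ds:RetrievalMethod that sits under
    a ds:KeyInfo anywhere in the envelope. Raises ET.ParseError on bad XML.
    ElementTree does not fetch anything while parsing, so this inspection
    itself makes no network request."""
    root = ET.fromstring(soap_xml)
    return [rm.get("URI", "") for ki in root.iter(KEYINFO) for rm in ki.iter(RETRIEVAL)]


def references_outside_document(uri: str) -> bool:
    """Only a same-document reference ('#someId') can be resolved without
    fetching anything; any other URI would make a resolving library go out
    and GET it, which is the SSRF primitive described above."""
    return not (uri == "" or uri.startswith("#"))


def assess_envelope(soap_xml: str) -> dict:
    """Gate decision for an inbound SAML SOAP message: reject malformed XML
    and any KeyInfo that points to a key outside the message."""
    try:
        uris = find_retrieval_uris(soap_xml)
    except ET.ParseError as exc:
        return {"accept": False, "reason": f"malformed XML: {exc}", "uris": []}
    external = [u for u in uris if references_outside_document(u)]
    if external:
        return {
            "accept": False,
            "reason": "KeyInfo/RetrievalMethod references a resource outside the document",
            "uris": external,
        }
    return {"accept": True, "reason": "no out-of-document key references", "uris": uris}


# Constructed envelopes for illustration (placeholder certificate and IDs).
SAFE_ENVELOPE = """
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_a1">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo/>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
        <ds:KeyInfo>
          <ds:X509Data><ds:X509Certificate>PLACEHOLDER_CERT</ds:X509Certificate></ds:X509Data>
        </ds:KeyInfo>
      </ds:Signature>
    </samlp:ArtifactResolve>
  </soap:Body>
</soap:Envelope>
"""

SAME_DOC_ENVELOPE = SAFE_ENVELOPE.replace(
    "<ds:X509Data><ds:X509Certificate>PLACEHOLDER_CERT</ds:X509Certificate></ds:X509Data>",
    '<ds:RetrievalMethod URI="#key1"/>',
)

SUSPECT_ENVELOPE = SAFE_ENVELOPE.replace(
    "<ds:X509Data><ds:X509Certificate>PLACEHOLDER_CERT</ds:X509Certificate></ds:X509Data>",
    '<ds:RetrievalMethod URI="http://203.0.113.10/keyinfo"/>',
)

if __name__ == "__main__":
    for name, env in [("safe", SAFE_ENVELOPE), ("same-doc", SAME_DOC_ENVELOPE),
                      ("suspect", SUSPECT_ENVELOPE), ("broken", "<broken")]:
        print(name, assess_envelope(env))
```

This is a compensating control, not a fix: the vulnerable behaviour lives in the library that resolves the reference, so the durable remedy is the Ivanti patch. The gate is also deliberately narrow, a scheme allowlist would still let an attacker point the fetch at internal services, which is why only same-document references pass.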
Please note that the provided explanation focuses on the endpoints mentioned in the analysis for the sake of clarity and understanding. The actual vulnerabilities may have broader implications and potential attack vectors that go beyond these specific examples.
Ivanti has begun releasing patches for all four CVEs. It is crucial for users to apply the recommended mitigation steps provided by Ivanti and update their software to the latest patched versions to protect against these vulnerabilities and prevent any potential exploitation. Updated Ivanti Connect Secure versions are 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1 and ZTA version 22.6R1.3.
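Checking an estate against the fixed builds above by eye is error-prone because the fix lands at a different patch level on each release line. The following is an added example (ours, not a Versa or Ivanti tool) that parses version strings of the form major.minorRrelease.patch as they appear above, maps each release line to the first patch carrying the fix, and classifies each appliance in an inventory. It reports a release line absent from the table as having no listed fix rather than guessing; the inventory is constructed, and the version grammar is an assumption drawn from the strings on this page.

```python
import re

# Fixed builds exactly as listed in the advisory above.
FIXED_ICS = ("9.1R14.4", "9.1R17.2", "9.1R18.3", "22.4R2.2", "22.5R1.1")
FIXED_ZTA = ("22.6R1.3",)

# Assumed grammar: <major>.<minor>R<release>[.<patch>]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Return (major, minor, release, patch) or None if the string does not
    follow the grammar; a missing patch component counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def fixed_patch_by_line(fixed_versions):
    """Map each release line (major, minor, release) to the first patch
    level that carries the fix."""
    table = {}
    for v in fixed_versions:
        parsed = parse_version(v)
        if parsed is None:
            raise ValueError(f"bad fixed version in table: {v!r}")
        table[parsed[:3]] = parsed[3]
    return table


def assess_version(installed, fixed_versions=FIXED_ICS):
    """Classify one installed version string:
       'patched'       same release line, patch level at or above the fix
       'vulnerable'    same release line, patch level below the fix
       'no_fix_listed' release line not in the table (confirm with Ivanti)
       'invalid'       string does not parse"""
    parsed = parse_version(installed)
    if parsed is None:
        return "invalid"
    table = fixed_patch_by_line(fixed_versions)
    line, patch = parsed[:3], parsed[3]
    if line not in table:
        return "no_fix_listed"
    return "patched" if patch >= table[line] else "vulnerable"


def triage_inventory(inventory, fixed_versions=FIXED_ICS):
    """inventory: {hostname: version string} -> {hostname: status}."""
    return {host: assess_version(ver, fixed_versions) for host, ver in inventory.items()}


# Constructed inventory for illustration; hostnames are placeholders.
SAMPLE_INVENTORY = {
    "vpn-a.example": "9.1R14.4",
    "vpn-b.example": "9.1R14.3",
    "vpn-c.example": "22.4R2.2",
    "vpn-d.example": "22.4R2",
    "vpn-e.example": "9.1R16.1",
    "vpn-f.example": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:16} {SAMPLE_INVENTORY[host]:10} {status}")
```

Anything that comes back as no_fix_listed or invalid needs a human decision, and until Ivanti confirms a fixed build for that line the safe reading is to apply the mitigation steps rather than assume coverage. The same function applies to the ZTA build by passing FIXED_ZTA as the table.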
While patches for these CVEs are still pending for some vulnerable products, a PoC for the initial vulnerabilities is now publicly available. These vulnerabilities are being actively exploited, so we urge readers who might be affected to follow Ivanti's recommended mitigation steps.
We continue to monitor this fast-evolving situation and will release further information as it becomes available.
The Security Research Team in Versa Networks plays a crucial role in protecting its customers from emerging cybersecurity threats. Their proactive approach in identifying, developing, and implementing detection rules is vital for maintaining strong security defenses.
Versa Networks has identified the issues and released SIDs (Security IDentifiers) to mitigate Ivanti vulnerabilities, in our latest offering of Security Package (SPACK) version 2127:
- 1240110060
- 1000018772, 1000018773
- 1240110070, 1240110071
These signatures are part of the Versa recommended vulnerability profile and customers will automatically get protection. Versa recommends that customers running a custom vulnerability profile select and activate the signatures to get protection. Customers can visit our Support Center to obtain more information on SPACK 2127 and follow the forum.
Versa Networks customers benefit from enhanced protection provided through our products. Enterprise-wide protections from Ivanti vulnerabilities are provided by:
Versa ZTNA – Delivers private connectivity for employees who are working remotely. With this solution, remote employees can securely connect to applications in on-premises, private and public clouds based on the principle of Zero Trust access. Versa ZTNA extends to local on-premises environments, and Zero Trust access is similarly enforced for users in the branch, campus or data center, limiting lateral movement inside the network.
VSIA with URL filtering and DNS security – Cloud-managed and cloud-delivered, VSIA secures enterprise sites, home offices, and traveling users accessing distributed applications without compromising security or user experience. URL filtering with IP reputation inspects all incoming and outgoing traffic for malicious exploits and known malicious domains, including those associated with the vulnerabilities, and blocks the associated IOCs.
with IPS and Advanced Threat Prevention – Provides comprehensive security coverage and can help to block attacks arising from the vulnerabilities via security packs and sandboxing, together with other elements within the VSIA product offering.
https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis
https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis
https://github.com/Chocapikk/CVE-2024-21887/
https://github.com/Chocapikk/CVE-2024-21893-to-CVE-2024-21887/blob/main/CVE-2024-21893.yaml