Remote Code Execution on Ivanti Products Found in the Wild

Authored by Eli Koopman

In early January, Ivanti acknowledged two critical zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) in their Connect Secure and Policy Secure Gateways. These vulnerabilities open the door for remote unauthenticated code execution across all supported versions. Volexity’s investigation, which we’ve linked below, reveals active exploitation in the wild.

Understanding Ivanti Connect Secure

Ivanti Connect Secure is an SSL VPN solution, used for enabling secure remote connections to centralized business resources. It’s a tool for remote workers to access critical resources, such as file shares, from anywhere.

Understanding Ivanti Policy Secure

Ivanti Policy Secure is a network access control solution used to limit access to resources through access control lists (ACLs) and virtual LANs (VLANs).

How Ivanti Connect Secure is Being Exploited

Here’s a high-level overview of the exploitation process:

  • CVE-2023-46805: This vulnerability allows unauthenticated attackers to bypass authentication and access sensitive information on the gateway via a directory traversal attack.
  • CVE-2024-21887: This allows authenticated administrators to execute remote commands using a URL with an encoded payload, which could be manipulated to create new user accounts or access current user data.

By combining these vulnerabilities, attackers can execute code on the host without authentication, creating a significant security threat and potentially gaining a foothold in the network.

What Can You Do

Ivanti has released patches for these vulnerabilities, alongside a tool to check for vulnerabilities in your environment. It’s imperative for users of Ivanti products to apply these updates immediately.

Additionally, active monitoring and consistent patching are key. Establish and follow a thorough patching process to keep externally exposed resources secure. After patching, vigilantly monitor user and machine activity for anomalies. In a scenario like this exploit, for instance, alerts for new account creation or access from unusual IP addresses are crucial for early breach detection.
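As an added illustration of the two post-patching signals called out above (new account creation and access from an unexpected IP address), the following Python script is example code written for this page; it is not from the original post and not an Ivanti tool. The log lines, the line format, and the trusted-network baseline are all constructed assumptions, so the regular expression would need to be adapted to the real format of whatever gateway or SIEM you are reading from.

```python
"""Minimal post-patch anomaly detector (added example, not from the original post).

Flags two things the post recommends alerting on:
  1. any account-creation event, and
  2. any activity from a source IP outside a known trusted baseline.
The log format is an assumption made for this example, not Ivanti's real format.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log lines (not real gateway output). Assumed format:
#   <timestamp> <event> user=<name> src=<ip> [extra fields...]
SAMPLE_LOGS = """\
2024-01-12T09:01:05Z LOGIN user=alice src=10.20.0.15
2024-01-12T09:02:11Z LOGIN user=bob src=10.20.0.22
2024-01-12T09:05:40Z USER_CREATED user=svc_backup src=10.20.0.15 by=admin
2024-01-12T23:47:09Z LOGIN user=admin src=203.0.113.77
2024-01-12T23:48:30Z USER_CREATED user=support2 src=203.0.113.77 by=admin
2024-01-13T08:00:01Z LOGIN user=alice src=10.20.0.15
"""

# Assumed baseline: networks from which administrative access is expected.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)(?P<rest>.*)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    rule: str
    user: str
    src: str
    detail: str


def parse_line(line):
    """Parse one log line into a dict of fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["rest"] = fields["rest"].strip()
    return fields


def ip_is_trusted(src, trusted=TRUSTED_NETWORKS):
    """True if src parses as an IP address inside one of the trusted networks.
    Unparseable values are treated as untrusted so they cannot slip through."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def analyze(log_text, trusted=TRUSTED_NETWORKS):
    """Return a list of Alerts for the given log text, in log order.
    A single line can raise both alerts (e.g. an account created from an
    untrusted address), which is the highest-value combination to review."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        if rec["event"] == "USER_CREATED":
            alerts.append(Alert(rec["ts"], "new_account", rec["user"], rec["src"],
                                f"account created {rec['rest']}".strip()))
        if not ip_is_trusted(rec["src"], trusted):
            alerts.append(Alert(rec["ts"], "untrusted_source_ip", rec["user"], rec["src"],
                                f"{rec['event']} from outside trusted networks"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(f"{a.timestamp} [{a.rule}] user={a.user} src={a.src} {a.detail}")
```

Run against the constructed sample, the script raises four alerts: the routine creation of `svc_backup` from an internal address (worth a look, low urgency), the `admin` login from 203.0.113.77 outside the baseline, and both rules firing on the `support2` creation from that same address, which is exactly the pattern the post says to catch early. In a real deployment the trusted baseline would come from your own asset inventory rather than a hard-coded list.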

How CLA Can Help

CLA’s cybersecurity team has years of experience performing risk assessments, application reviews, responding to cyber incidents and helping mitigate them. Please contact us to help in assessing and mitigating your risk for a cyber-attack.

Resources

  • 704-816-8470

Javier is a principal within the Cybersecurity Services Group at CLA. Prior to joining CLA, Javier spent ten years supporting the Department of Defense as well as a financial services company in the fields of insider threat, incident response, analytics, and systems engineering.
