On January 19, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on the Ivanti CVE-2023-46805 and CVE-2024-21887 vulnerabilities [1]. The agency reported that the vulnerabilities pose unacceptable risks to many federal agencies and should be mitigated immediately. CVE-2023-46805 and CVE-2024-21887 have CVSS scores of 8.2 (High) and 9.1 (Critical), respectively, and can be exploited for arbitrary command execution on vulnerable products.
In this blog, we explain in detail how adversaries exploit the Ivanti CVE-2023-46805 and CVE-2024-21887 vulnerabilities.
Ivanti CVE-2023-46805 and CVE-2024-21887 Vulnerabilities Explained
Ivanti Connect Secure and Policy Secure are popular products used by organizations to secure remote connections and manage network access policies. On January 10, 2024, Ivanti issued a security advisory about two zero-day vulnerabilities affecting Ivanti Connect Secure and Policy Secure. CVE-2023-46805 is an authentication bypass vulnerability with a CVSS score of 8.2 (High), and CVE-2024-21887 is a command injection vulnerability with a CVSS score of 9.1 (Critical). Adversaries were observed chaining the two vulnerabilities to achieve remote code execution on vulnerable Ivanti products.
Because these products are widely used in Federal Civilian Executive Branch (FCEB) agencies, CISA issued an emergency directive requiring agencies to implement the suggested mitigations immediately. A quick Shodan search shows that over 17,000 Connect Secure and Policy Secure gateways are exposed online. Considering these are high-impact zero-day vulnerabilities affecting all supported versions, organizations are advised to apply mitigations without delay.
| Affected Products | Affected Versions |
| --- | --- |
| Ivanti Connect Secure | versions 9.x, versions 22.x |
| Ivanti Policy Secure | versions 9.x, versions 22. |
How Does the Ivanti CVE-2023-46805 Exploit Work?
CVE-2023-46805 is an authentication bypass vulnerability in the web component of the Ivanti Connect Secure and Policy Secure products.
The vulnerability is caused by a path traversal flaw in the "/api/v1/totp/user-backup-code" endpoint. Because this endpoint does not require any authentication, adversaries can reach it on the public-facing interface without credentials.
Adversaries combine the missing authentication check with the path traversal flaw to reach resources that sit behind other, normally protected endpoints [2].
```
// Example GET request to test for CVE-2023-46805
GET /api/v1/totp/user-backup-code/../../system/system-information

// Response from the vulnerable product
…
"system-information" : {
  "Cluster-node" : {},
  "Hardware-model" : "PSA-3000",
  "host-name" : <redacted>,
  "machine-id" : <redacted>,
  "os-name" : "ive-sa",
  "os-version" : "9.1R18.1",
  "serial-number" : <redacted>
}
…
```
How Does the Ivanti CVE-2024-21887 Exploit Work?
CVE-2024-21887 is a command injection vulnerability in the "/api/v1/license/keys-status/<path:node_name>" API endpoint. Adversaries reach this endpoint through the CVE-2023-46805 path traversal and append their payload to the node_name path parameter, which the vulnerable Ivanti product then executes. The example below shows how adversaries use both vulnerabilities in conjunction to create a reverse shell [3].
```
GET /api/v1/totp/user-backup-code/../../license/keys-status/<url_encoded_python_reverse_shell> HTTP/1.1
Host: <IP_Vulnerable_Ivanti_Product>
```
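The request patterns in the two sections above (the unauthenticated "/api/v1/totp/user-backup-code" traversal, and the traversal chained into the "/api/v1/license/keys-status/<node_name>" command injection) can be spotted in gateway or proxy access logs. The following is an added detection example written for this post; it is not Picus or Ivanti code. It assumes CLF-style access-log lines, and the sample lines, IP addresses and the `placeholder_cmd` token are constructed for illustration. Percent-encoding is decoded twice and the path is normalized before matching, so that encoded `../` variants resolve to the same target as the plain form.

```python
"""Access-log triage for the Ivanti CVE-2023-46805 / CVE-2024-21887 request chain.

Added example, not Picus or Ivanti code. Assumes CLF-style log lines.
"""
import posixpath
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic; hosts are RFC 5737 addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jan/2024:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.5 - - [19/Jan/2024:10:01:09 +0000] "GET /api/v1/totp/user-backup-code/../../system/system-information HTTP/1.1" 200 912
203.0.113.5 - - [19/Jan/2024:10:01:15 +0000] "GET /api/v1/totp/user-backup-code/..%2F..%2Flicense/keys-status/node1%3Bplaceholder_cmd HTTP/1.1" 200 88
198.51.100.7 - - [19/Jan/2024:10:02:00 +0000] "GET /api/v1/totp/user-backup-code HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Unauthenticated endpoint whose path handling is abused (CVE-2023-46805).
TRAVERSAL_PREFIX = "/api/v1/totp/user-backup-code/"
# Endpoint reached through the traversal; its node_name parameter is injectable (CVE-2024-21887).
CMD_INJECTION_PREFIX = "/api/v1/license/keys-status/"
# Shell metacharacters that never belong in a legitimate node name.
SHELL_META = re.compile(r"[;|&`$]")


def decode_uri(raw_uri: str) -> str:
    """Drop the query string and percent-decode twice to catch double encoding."""
    return unquote(unquote(raw_uri.split("?", 1)[0]))


def classify_request(uri: str) -> Optional[str]:
    """Return a verdict for one request URI, or None when nothing suspicious is present."""
    decoded = decode_uri(uri)
    if not decoded.startswith(TRAVERSAL_PREFIX) or ".." not in decoded:
        return None
    resolved = posixpath.normpath(decoded)  # collapse '..' segments
    # Traversal that never leaves the endpoint is not an authentication bypass.
    if resolved.startswith(TRAVERSAL_PREFIX.rstrip("/")):
        return None
    if resolved.startswith(CMD_INJECTION_PREFIX):
        node_name = resolved[len(CMD_INJECTION_PREFIX):]
        if SHELL_META.search(node_name):
            return "CVE-2023-46805+CVE-2024-21887 auth bypass chained into command injection"
    return "CVE-2023-46805 auth bypass (path traversal) to " + resolved


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse CLF-style lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["uri"])
        if verdict:
            findings.append({"src": m["src"], "ts": m["ts"], "uri": m["uri"],
                             "status": m["status"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['status']} {f['verdict']}  <- {f['uri']}")
```

Normalizing before matching matters because several of the signatures listed later in this post (for example the F5 "../" URI rule and ModSecurity 930110) key on the literal traversal sequence; a detector that only looks for the raw string misses the same request when it is percent-encoded. A 200 status on a traversal out of the user-backup-code endpoint is the strongest signal here, since a patched or mitigated gateway should not serve it.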
How Does Picus Help Simulate Ivanti CVE-2023-46805 and CVE-2024-21887 Attacks?
We also strongly suggest simulating the Ivanti CVE-2023-46805 and CVE-2024-21887 vulnerabilities to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Citrix Bleed, Follina, and Looney Tunables, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Ivanti CVE-2023-46805 and CVE-2024-21887 vulnerability exploitation attacks:
| Threat ID | Threat Name | Attack Module |
| --- | --- | --- |
| 20849 | Ivanti Connect Secure Web Attack Campaign | Web Application |
| 70762 | Ivanti Policy Secure Web Attack Campaign | Web Application |
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address Ivanti CVE-2023-46805 and CVE-2024-21887 exploitation attempts in preventive security controls. Currently, Picus Labs has validated the following signatures for the Ivanti CVE-2023-46805 and CVE-2024-21887 vulnerabilities:
| Security Control | Signature ID | Signature Name |
| --- | --- | --- |
| Check Point NGFW | asm_dynamic_prop_CMD_INJECTION | Command Injection Over HTTP |
| Cisco FirePower | 1.62896.1 | SERVER-WEBAPP Ivanti Secure Connect command injection attempt |
| Cisco FirePower | 1.62894.1 | SERVER-WEBAPP Ivanti Secure Connect authentication bypass attempt |
| F5 BIG-IP | 200101550 | Directory Traversal attempt (Content) |
| F5 BIG-IP | 200007029 | Directory Traversal attempt "../" (URI) |
| F5 BIG-IP | 200003214 | "curl" execution attempt (URI) |
| Forcepoint NGFW | HTTP_CSU-Ivanti-Connect-Secure-Authentication-Bypass-CVE-2023-46805 | |
| Fortigate IPS | 54588 | Ivanti.Connect.Secure.Policy.Secure.Authentication.Bypass |
| Fortiweb | 50180008 | Generic Attacks |
| Imperva SecureSphere | Directory Traversal - 16 | |
| ModSecurity | 930110 | Path Traversal Attack (/../) |
| Palo Alto | 30844 | HTTP Directory Traversal Request Attempt |
| Snort | 1.2050131.1 | ET WEB_SPECIFIC_APPS Possible Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt (CVE-2023-46805, CVE-2024-21887) |
| Snort | 1.62896.1 | SERVER-WEBAPP Ivanti Secure Connect command injection attempt |
| Snort | 1.62894.1 | SERVER-WEBAPP Ivanti Secure Connect authentication bypass attempt |
| Trellix | 0x40200c00 | HTTP: CGI Escape Character Directory Traversal Vulnerability |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.
References
[1] "ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/directives/ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure-vulnerabilities. [Accessed: Jan. 20, 2024]
[2] "GitHub - duy-31/CVE-2023-46805_CVE-2024-21887," GitHub. Available: https://github.com/duy-31/CVE-2023-46805_CVE-2024-21887. [Accessed: Jan. 20, 2024]
[3] "High Signal Detection and Exploitation of Ivanti's Pulse Connect Secure Auth Bypass & RCE." Available: https://www.assetnote.io/resources/research/high-signal-detection-and-exploitation-of-ivantis-pulse-connect-secure-auth-bypass-rce. [Accessed: Jan. 20, 2024]