CVE-2023-46805 / CVE-2024-21887 Ivanti
TL;DR
Concerned Version
- Ivanti Connect Secure (ICS) and Ivanti Policy Secure, versions 9.x and 22.x.
- Also includes unconnected Ivanti Neurons for Zero Trust Access (ZTA) gateways.
Information
Details
On January 10, 2024, Ivanti issued an alert regarding two vulnerabilities affecting Ivanti Connect Secure and Ivanti Policy Secure Gateways, impacting all supported versions. These flaws were actively exploited at the time of the announcement, leading the CISA to issue an alert and include these vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog.
CVE-2023-46805, rated at 8.2 on the CVSS scale, allows for authentication bypass in web components, granting access to restricted resources to a remote attacker.
CVE-2024-21887, with a CVSS score of 9.1, is a command injection vulnerability that allows an authenticated administrator to execute arbitrary commands.
The combined exploitation of these vulnerabilities enables a malicious actor to execute arbitrary commands on the targeted system without the need for prior authentication.
Detection
So far, the technical details of CVE-2023-46805 and CVE-2024-21887 have not been disclosed, so there are no detection rules specific to these vulnerabilities.
Nevertheless, post-incident analyses have revealed indicators that allow detection after compromise. Observed activities include the use of IP geolocation services, for which various detection rules exist.
Additionally, several webshell variants, such as ReGeorg, have been observed; this particular webshell has a well-established set of detection rules.
Moreover, requests to external sites via the curl tool have also been observed, and this behavior is detectable.
Finally, depending on business needs, a possible detection method is to alert on outgoing connections from the appliance to the internet, particularly via SSH.
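The post-compromise behaviours listed above (geolocation lookups, curl requests to external sites, outbound SSH from the appliance) can be checked against egress logs. The following is an added example written for this page, not Gatewatcher's or Ivanti's code; it assumes a simple constructed egress log format and an assumed watchlist of geolocation services.

```python
import re
from dataclasses import dataclass

# Constructed egress records (assumption: appliance egress is logged with
# source, destination host, destination port and, when proxied, the HTTP
# User-Agent). This is not a real Ivanti log format.
SAMPLE_LOG = """\
2024-01-15T10:02:11Z src=10.0.0.5 dst=vpn.example.com dport=443 ua="Mozilla/5.0"
2024-01-15T10:03:40Z src=10.0.0.5 dst=ip-api.com dport=80 ua="curl/7.61.1"
2024-01-15T10:04:02Z src=10.0.0.5 dst=198.51.100.23 dport=22 ua=""
2024-01-15T10:05:17Z src=10.0.0.5 dst=updates.example.com dport=443 ua="curl/7.61.1"
2024-01-15T10:06:00Z src=10.0.0.9 dst=ip-api.com dport=80 ua="Mozilla/5.0"
"""

APPLIANCE_IPS = {"10.0.0.5"}  # assumption: addresses of the ICS/IPS gateways
# Assumed watchlist of public IP geolocation services; extend to taste.
GEOLOC_SERVICES = {"ip-api.com", "ipinfo.io", "ifconfig.me"}
LINE_RE = re.compile(r'^(\S+) src=(\S+) dst=(\S+) dport=(\d+) ua="([^"]*)"$')


@dataclass(frozen=True)
class Alert:
    ts: str
    rule: str
    dst: str


def detect(log_text: str) -> list[Alert]:
    """Flag egress from the appliance that matches the observed post-compromise behaviours."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts, src, dst, dport, ua = m.groups()
        if src not in APPLIANCE_IPS:
            continue  # only egress originating from the appliance itself is of interest
        if dst in GEOLOC_SERVICES:
            alerts.append(Alert(ts, "geolocation-lookup", dst))
        if ua.startswith("curl/"):
            alerts.append(Alert(ts, "curl-egress", dst))
        if dport == "22":
            alerts.append(Alert(ts, "ssh-egress", dst))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.rule} -> {a.dst}")
```

Whether curl or SSH egress is legitimate depends on the deployment, so tune the watchlist and appliance addresses to the environment before alerting.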
____________
Update of January 18, 2023
Significant progress has been made in the analysis of Ivanti vulnerabilities. Various actors, including Rapid7, have contributed to this in-depth understanding by providing advanced analysis. In addition to these analyses, Rapid7 has made available a Metasploit exploitation module on GitHub. Following this, specific detection rules (SID 2050095 and 2050096) were developed and published by ET Pro on January 16th.
___________
Correction
In its statement, Ivanti indicates that no patch will be released before the week of January 22, 2024, for the initial version, and the week of February 19, 2024, for the final version.
However, the vendor has published a temporary workaround to cover the period until the patches are available.
It is strongly advised to apply this temporary measure as soon as possible, followed by the patches once they are available.
Also, considering the active exploitation of these vulnerabilities, it is important to verify after correction that the equipment has not been compromised. Elements to detect compromise include:
- Logs have been cleared and/or disabled;
- Presence of requests to atypical paths;
- Detection of equipment modification via the integrity verification tool. (Note: compromise of the equipment, however, makes this verification less reliable).
Author: Gatewatcher Purple Team
Resources
- Ivanti vulnerability advisory: https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=fr
- Ivanti KB article: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=fr
- CISA security update: https://www.cisa.gov/news-events/alerts/2024/01/10/ivanti-releases-security-update-connect-secure-and-policy-secure-gateways