[CDP-development] TLP:GREEN (Zero-Day Alert Notification) CVE-2024-21887 & CVE-2023-46805 Ivanti Connect Secure and Policy Secure Command Injection & Authentication Bypass
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Thu Jan 11 07:54:26 PST 2024
Good morning,
The SOC Services team is reporting on the vulnerability: CVE-2024-21887 & CVE-2023-46805 Ivanti Connect Secure and Policy Secure Command Injection & Authentication Bypass. Due to its high visibility and active exploitations, we are providing this in-depth information:
History: On January 10, 2024, Ivanti published mitigation guidance for two vulnerabilities affecting Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways. CVE-2024-21887 is a command injection vulnerability currently assigned a CVSSv3 rating of 9.1 (Critical), while CVE-2023-46805 is an authentication bypass vulnerability currently assigned a CVSSv3 rating of 8.2 (High). Both CVEs were established on January 10, 2024, and CISA added them to its Known Exploited Vulnerabilities catalog on the same date.
The following versions of Ivanti Connect Secure and Ivanti Policy Secure are affected:
* Version 9.x
* Version 22.x
At the time of this correspondence Ivanti does not offer patched versions, but expects to release updates in a staggered schedule on the weeks of January 22, 2024 and February 19, 2024.
Further information is available from Ivanti as published in their security announcement:
* Ivanti Announcement on CVE-2024-21887 & CVE-2023-46805 - https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
Intelligence: As of January 10, 2024, Ivanti and CISA are aware that both CVEs have been exploited in the wild in conjunction with each other. It is very likely that each exploit will continue to be leveraged by threat actors over the coming months.
Workarounds: Until a patch is provided, Ivanti recommends that critical mitigation measures be taken, including the following:
* Import the mitigation configuration file "mitigation.release.20240107.1.xml" provided on Ivanti's download portal.
* Note that importing the mitigation may impact or degrade features of Ivanti Connect Secure and Ivanti Policy Secure.
* Run the external integrity checker tool in addition to continuous monitoring.
Further information about mitigation steps can be found in Ivanti's KB article - https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
How it works: At this time, Ivanti has published little public detail; however, attacks using both CVEs have been observed. CVE-2023-46805 allows an attacker to bypass authentication control checks and gain access to restricted resources. CVE-2024-21887 allows an authenticated administrator to send specially crafted requests that execute arbitrary commands on the appliance. When the two are chained, CVE-2024-21887 no longer requires authentication, because CVE-2023-46805 supplies the access the command injection would otherwise need.
Post-Exploit: Upon successful exploitation of the vulnerabilities, attackers have been observed placing webshells on internal- and external-facing web servers, wiping and disabling ICS VPN logs, modifying ICS components to evade the ICS integrity checks, backdooring a legitimate CGI file to allow command execution, and modifying a JS file used by the Web SSL VPN component to exfiltrate user credentials. After exfiltrating credentials, attackers were observed gaining access to other systems on the network.
The following IOCs have been provided:
* Network traffic from ICS VPN appliances:
* Outbound connections via curl to IP Geolocation service ip-api[.]com and to Cloudflare (1.1.1.1)
* Reverse SOCKS proxy and SSH tunnel connections through Cyberoam appliances with download.
* Reconnaissance of internal websites through proxied connections.
* Lateral movement using compromised credentials to connect to internal systems via RDP, SMB, and SSH.
* Transfer of multiple webshell variants to internet-accessible web servers and systems that were only internally accessible.
* Suspected domains and IP addresses:
* Modifications to the following files on the appliance:
* /home/perl/DSLogConfig.pm
* /home/etc/sql/dsserver/sessionserver.pl
* /home/etc/sql/dsserver/sessionserver.sh
* /home/webserver/htdocs/dana-na/auth/compcheckresult.cgi
* /home/webserver/htdocs/dana-na/auth/lastauthserverused.js
* Creation and execution of the following files from the /tmp/ directory:
* /tmp/rev
* /tmp/s.py
* /tmp/s.jar
* /tmp/b
* /tmp/kill
* Deployment of malware and use of living-off-the-land techniques.
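As an added example (not part of this advisory or of Ivanti's own tooling), the following Python script matches the appliance file paths, /tmp file names and the ip-api[.]com domain listed above against exported log lines. The sample log lines are constructed and their syslog-style layout is an assumption; ICS log formats vary by export method.

```python
import re
from dataclasses import dataclass

def refang(value: str) -> str:
    """Turn a defanged indicator such as 'ip-api[.]com' into its real form."""
    return value.replace("[.]", ".")

# Indicators taken from the advisory above. Only the domain quoted in the
# prose is used here; the bare IP/domain list is not reproduced.
SUSPECT_DOMAINS = {refang("ip-api[.]com")}
MODIFIED_APPLIANCE_FILES = {
    "/home/perl/DSLogConfig.pm",
    "/home/etc/sql/dsserver/sessionserver.pl",
    "/home/etc/sql/dsserver/sessionserver.sh",
    "/home/webserver/htdocs/dana-na/auth/compcheckresult.cgi",
    "/home/webserver/htdocs/dana-na/auth/lastauthserverused.js",
}
SUSPECT_TMP_FILES = {"/tmp/rev", "/tmp/s.py", "/tmp/s.jar", "/tmp/b", "/tmp/kill"}

@dataclass(frozen=True)
class Hit:
    line_no: int
    category: str
    indicator: str

def _path_present(path: str, line: str) -> bool:
    # Require the path to end at a token boundary so /tmp/b does not fire on /tmp/build.
    return re.search(re.escape(path) + r"(?![\w./-])", line) is not None

def _domain_present(domain: str, line: str) -> bool:
    # Match the domain or a subdomain of it, but not a lookalike such as fakeip-api.com.
    return re.search(r"(?<![\w-])" + re.escape(domain) + r"(?![\w-])", line) is not None

def scan_log_lines(lines):
    """Return one Hit per (line, indicator) match over free-form log text."""
    hits = []
    for n, line in enumerate(lines, start=1):
        hits += [Hit(n, "appliance-file", p) for p in sorted(MODIFIED_APPLIANCE_FILES) if _path_present(p, line)]
        hits += [Hit(n, "tmp-file", p) for p in sorted(SUSPECT_TMP_FILES) if _path_present(p, line)]
        hits += [Hit(n, "network", d) for d in sorted(SUSPECT_DOMAINS) if _domain_present(d, line)]
    return hits

# Constructed sample lines (syslog-style; the layout is an assumption, not a real ICS export).
SAMPLE_LOG = [
    "Jan 11 03:12:44 ics01 proxy: GET http://ip-api.com/json dst=203.0.113.10",
    "Jan 11 03:13:02 ics01 audit: modified /home/webserver/htdocs/dana-na/auth/compcheckresult.cgi",
    "Jan 11 03:13:09 ics01 shell: exec /tmp/rev",
    "Jan 11 03:15:00 ics01 cron: ran /tmp/build/cleanup.sh",
    "Jan 11 03:16:30 ics01 web: GET /dana-na/auth/welcome.cgi 200",
]

if __name__ == "__main__":
    for h in scan_log_lines(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.category} {h.indicator}")
```

A hit is a lead for review against the vendor integrity checker output, not proof of compromise; the token-boundary checks keep benign paths such as /tmp/build from matching.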
As of January 11, 2024, the following vulnerability plugin has been released and is currently in Tenable Security Center:
Plugin: 187908 - https://www.tenable.com/plugins/nessus/187908
Title: Ivanti Connect Secure 9.x / 22.x Multiple Vulnerabilities (CVE-2023-46805 and CVE-2024-21887)
Severity: Critical
Recommended Actions:
* Apply mitigations provided by vendor to vulnerable systems immediately after appropriate testing.
* Review logs for unexpected or anomalous activity.
* Scan environments using provided Tenable Nessus plugins.
* Apply patches provided by vendor to vulnerable systems upon release and immediately after appropriate testing.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."