[CDP-development] TLP:CLEAR - UPDATED (Zero-Day Alert Notification) CVE-2024-21887, CVE-2023-46805, CVE-2024-21888, & CVE-2024-21893 Ivanti Connect Secure and Policy Secure Command Injection, Authentication Bypass, & Privilege Escalation
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Wed Jan 31 15:06:21 PST 2024
Good afternoon,
The previous alert has been updated. Updated information has been added in red.
The SOC Services team is reporting on the vulnerabilities CVE-2024-21887 & CVE-2023-46805, Ivanti Connect Secure and Policy Secure Command Injection & Authentication Bypass. Two additional vulnerabilities were also disclosed: CVE-2024-21888 & CVE-2024-21893, Privilege Escalation for Ivanti Connect Secure and Ivanti Policy Secure. Due to their high visibility and active exploitation, we are providing this in-depth information:
History: On January 10, 2024 Ivanti published mitigation guidance around two vulnerabilities for Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways. CVE-2024-21887 is a command injection vulnerability and is currently assigned a CVSSv3 rating of 9.1 (Critical), while CVE-2023-46805 is an authentication bypass vulnerability and is currently assigned a CVSSv3 rating of 8.2 (High). The CVEs were established on January 10, 2024, and CISA added the vulnerabilities to their list of Known Exploited Vulnerabilities on the same date.
On January 31, 2024 Ivanti published an additional security article disclosing two newly detected vulnerabilities in their ICS products. CVE-2024-21888 is a privilege escalation vulnerability in the web component of Ivanti Connect Secure and is currently assigned a CVSSv3 rating of 8.8 (High), while CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure and is currently assigned a CVSSv3 rating of 8.2 (High). These CVEs were established on January 31, 2024, and CISA added CVE-2024-21893 to their list of Known Exploited Vulnerabilities on the same date.
The following products are affected:
* Version 9.x
* Version 22.x
Ivanti has released the following patches to address all known vulnerabilities:
* Version 9.1R14.4
* Version 9.1R17.2
* Version 9.1R18.3
* Version 22.4R2.2
* Version 22.5R1.1
* ZTA Version 22.6R1.3
Ivanti reports that remaining supported versions will be patched in a staggered schedule.
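The patch list above is easiest to act on as an inventory check. The following is an added example (not Ivanti's or the SOC's tooling) that parses Ivanti-style version strings and classifies each appliance against the fixed builds listed in this alert. Its assumptions: versions are written as "major.minorRrelease.patch", any build on the same release line at or above the listed fix counts as patched, ZTA 22.6R1.3 is left out because it is a separate product line, and the hostnames in the sample inventory are constructed.

```python
import re

# Fixed ICS/IPS builds copied from the advisory; ZTA 22.6R1.3 is a different product and is omitted.
FIXED_BUILDS = ["9.1R14.4", "9.1R17.2", "9.1R18.3", "22.4R2.2", "22.5R1.1"]
# The advisory names 9.x and 22.x as the affected product versions.
AFFECTED_MAJORS = {9, 22}

# Assumed format: "9.1R14.4" -> major 9, minor 1, release 14, patch 4 (patch may be absent).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Turn '22.4R2.2' into (22, 4, 2, 2); a missing trailing patch number counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


# Map each release line (major, minor, R) to the minimum patch level that carries the fix.
FIXED_PATCH_LEVEL = {v[:3]: v[3] for v in map(parse_version, FIXED_BUILDS)}


def patch_status(text):
    """Classify one appliance version against the advisory's fixed-build list.

    Returns one of:
      'patched'         - on a listed release line, at or above the fixed build
      'vulnerable'      - on a listed release line, below the fixed build
      'no-listed-patch' - affected 9.x/22.x line with no fixed build in the list;
                          Ivanti's mitigation XML applies until the staggered patch ships
      'not-listed'      - major version outside the 9.x/22.x range the advisory names
    """
    major, minor, release, patch = parse_version(text)
    if major not in AFFECTED_MAJORS:
        return "not-listed"
    line = (major, minor, release)
    if line not in FIXED_PATCH_LEVEL:
        return "no-listed-patch"
    return "patched" if patch >= FIXED_PATCH_LEVEL[line] else "vulnerable"


def triage_inventory(inventory):
    """inventory: {hostname: version string}; returns {hostname: status}."""
    return {host: patch_status(ver) for host, ver in sorted(inventory.items())}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"vpn-a": "9.1R14.3", "vpn-b": "9.1R14.4", "vpn-c": "22.3R1", "vpn-d": "22.4R2.2"}
    for host, status in triage_inventory(sample).items():
        print(f"{host}: {sample[host]} -> {status}")
```

A "no-listed-patch" result is the case to watch: the appliance is in the affected 9.x/22.x range but its release line has no fixed build yet, so the mitigation below is the only option until Ivanti's staggered patch for that line is released.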
Further information is available from Ivanti as published in their security announcement:
* Ivanti Announcement on CVE-2024-21887 & CVE-2023-46805 - https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
* Ivanti Security Article on CVE-2024-21888 & CVE-2024-21893 - https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
Intelligence: As of January 31, 2024, Ivanti and CISA are aware that CVE-2024-21893 has had targeted exploitation, while CVE-2024-21887 and CVE-2023-46805 have had widespread exploitation. It is very likely that these exploits will continue to be leveraged by threat actors over the coming months.
Workarounds: Ivanti has provided mitigation information for cases where a patch cannot be applied; however, patching is strongly recommended. If a customer has applied the patch, no mitigation steps are needed.
Where the patch cannot yet be applied, Ivanti recommends that critical mitigation measures be taken, including the following:
* Import the configuration file provided by Ivanti's download portal, "mitigation.release.20240107.1.xml"
  * This may impact or degrade features of Ivanti Connect Secure and Ivanti Policy Secure.
* Run the external integrity checker in addition to continuous monitoring.
Further information about mitigation steps can be found in Ivanti's KB article - https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
How it works: At this time, little public information has been published by Ivanti. However, attacks have been observed using both CVEs. CVE-2023-46805 can allow an attacker to bypass authentication and gain access to restricted resources by bypassing control checks. CVE-2024-21887 can allow an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. However, when chained with CVE-2023-46805, CVE-2024-21887 does not require authentication. CVE-2024-21893 can allow an unauthenticated attacker to achieve privilege escalation and gain access to restricted resources.
Post-Exploit: Upon successful exploitation of the vulnerabilities, attackers have been observed placing webshells on internal and external facing web servers, wiping and disabling ICS VPN logs, modifying ICS components to evade ICS integrity checks, backdooring a legitimate CGI file to allow command execution, and modifying a JS file used by the Web SSL VPN component as a means to exfiltrate user credentials. After exfiltration, attackers were then observed gaining access to systems on the network.
The following IOCs have been provided:
* Network traffic from ICS VPN appliances:
  * Outbound connections via curl to the IP geolocation service ip-api[.]com and to Cloudflare (1.1.1.1)
  * Reverse SOCKS proxy and SSH tunnel connections through Cyberoam appliances with download.
  * Reconnaissance of internal websites through proxied connections.
  * Lateral movement using compromised credentials to connect to internal systems via RDP, SMB, and SSH.
  * Transfer of multiple webshell variants to internet-accessible web servers and systems that were only internally accessible.
* Suspected domains and IP addresses:
  * 206.189.208.156
  * gpoaccess[.]com
  * webb-institute[.]com
  * symantke[.]com
  * 75.145.243.85
  * 47.207.9.89
  * 98.160.48.170
  * 173.220.106.166
  * 73.128.178.221
  * 50.243.177.161
  * 50.213.208.89
  * 64.24.179.210
  * 75.145.224.109
  * 50.215.39.49
  * 71.127.149.194
  * 173.53.43.7
* Modifications to the following files on the appliance:
  * /home/perl/DSLogConfig.pm
  * /home/etc/sql/dsserver/sessionserver.pl
  * /home/etc/sql/dsserver/sessionserver.sh
  * /home/webserver/htdocs/dana-na/auth/compcheckresult.cgi
  * /home/webserver/htdocs/dana-na/auth/lastauthserverused.js
* Creation and execution of the following files from the /tmp/ directory:
  * /tmp/rev
  * /tmp/s.py
  * /tmp/s.jar
  * /tmp/b
  * /tmp/kill
* Deployment of malware and utilizing living off the land techniques.
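The IOC list above is the input for the log review recommended later in this alert. The following is an added example (not the SOC's or Ivanti's tooling) that refangs the indicators from this alert and matches them against log lines. Its assumptions: the log lines are constructed here in a syslog-like shape and are not real appliance output; 1.1.1.1 is deliberately left out because it is only notable when the source is the appliance itself, which a line-by-line check cannot see; and file paths are matched only where the path ends, so the short names such as /tmp/b do not fire on /tmp/backup.

```python
import re

# Indicators copied from the IOC list in this alert, with "[.]" refanged to "." so
# they match real log text.
IOC_DOMAINS = {"ip-api.com", "gpoaccess.com", "webb-institute.com", "symantke.com"}
IOC_IPS = {
    "206.189.208.156", "75.145.243.85", "47.207.9.89", "98.160.48.170",
    "173.220.106.166", "73.128.178.221", "50.243.177.161", "50.213.208.89",
    "64.24.179.210", "75.145.224.109", "50.215.39.49", "71.127.149.194",
    "173.53.43.7",
}
IOC_PATHS = [
    "/home/perl/DSLogConfig.pm",
    "/home/etc/sql/dsserver/sessionserver.pl",
    "/home/etc/sql/dsserver/sessionserver.sh",
    "/home/webserver/htdocs/dana-na/auth/compcheckresult.cgi",
    "/home/webserver/htdocs/dana-na/auth/lastauthserverused.js",
    "/tmp/rev", "/tmp/s.py", "/tmp/s.jar", "/tmp/b", "/tmp/kill",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)
# Each path must be followed by a character that cannot continue a path, so that
# "/tmp/b" does not match "/tmp/backup" or "/tmp/b.old".
PATH_RES = {p: re.compile(re.escape(p) + r"(?![\w./-])") for p in IOC_PATHS}


def scan_line(line):
    """Return [(kind, indicator), ...] for every advisory IOC found in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for name in DOMAIN_RE.findall(line):
        if name.lower() in IOC_DOMAINS:
            hits.append(("domain", name.lower()))
    for path, rx in PATH_RES.items():
        if rx.search(line):
            hits.append(("path", path))
    return hits


def scan_log(lines):
    """Return [(line_number, (kind, indicator)), ...] over an iterable of log lines."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in scan_line(line)]


# Constructed sample lines in a syslog-like shape; not real appliance output.
SAMPLE_LOG = [
    "2024-01-29T10:02:11 ics-vpn01 proxy: GET http://ip-api.com/json ua=curl/7.68",
    "2024-01-29T10:03:40 ics-vpn01 fw: allow tcp 10.0.5.12:51344 -> 206.189.208.156:443",
    "2024-01-29T10:05:02 ics-vpn01 audit: file modified /home/webserver/htdocs/dana-na/auth/lastauthserverused.js",
    "2024-01-29T10:05:30 ics-vpn01 audit: exec /tmp/backup/rotate.sh",
    "2024-01-29T10:06:12 ics-vpn01 audit: exec /tmp/b",
    "2024-01-29T10:07:00 ics-vpn01 fw: allow tcp 10.0.5.12:51400 -> 1.1.1.1:53",
]

if __name__ == "__main__":
    for n, (kind, ioc) in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} match {ioc}")
```

Run over the sample, lines 1, 2, 3 and 5 match (the geolocation domain, a listed IP, a modified appliance file and /tmp/b); line 4 does not, because /tmp/backup is not /tmp/b, and line 6 does not, because 1.1.1.1 is not treated as an indicator on its own. A real deployment would feed the appliance's exported logs and the firewall egress logs through scan_log and route any hit to an incident ticket.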
As of January 27, 2024, the following vulnerability plugins have been released and are currently in Tenable Security Center:
Plugin   Title                                                                                          Severity
187908   Ivanti Connect Secure 9.x / 22.x Multiple Vulnerabilities (CVE-2023-46805 and CVE-2024-21887)  Critical
         https://www.tenable.com/plugins/nessus/187908
114165   Ivanti Pulse Connect Secure 9.x / 22.x Authentication Bypass                                   Critical
         https://www.tenable.com/plugins/was/114165
Recommended Actions:
* Review logs for unexpected or anomalous activity.
* Scan environments using provided Tenable Nessus plugins.
* Apply patches provided by vendor to vulnerable systems upon release and immediately after appropriate testing.
* Apply mitigations where needed as provided by vendor to vulnerable systems immediately after appropriate testing.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."