Ivanti Connect Secure and Policy Secure Multiple Vulnerabilities
1. Overview
Ivanti Connect Secure (ICS) is an SSL VPN solution and Ivanti Policy Secure (IPS) is a network access control solution. We have analyzed CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893, which were recently disclosed in these products.
2. Attack Types
In January 2024, Ivanti disclosed and began patching vulnerabilities in its Connect Secure and Policy Secure products.
The first advisory, published on January 10, covered two vulnerabilities, CVE-2023-46805 and CVE-2024-21887; it initially shipped a temporary mitigation, with patched builds following from January 31. Chained together, the two let an unauthenticated attacker bypass authentication, reach administrative functions and execute arbitrary commands, and attackers used them to upload web shells to compromised appliances.
1) CVE-2023-46805
This is an authentication bypass in Ivanti Connect Secure and Ivanti Policy Secure: a ../ path-traversal sequence in the request path lets an unauthenticated request reach administrative APIs that should require authentication.
According to Rapid7's analysis, the front-end web server does not require authentication for requests whose path starts with /api/v1/totp/user-backup-code, but the internal Python REST service the request is forwarded to resolves ../ segments. A request for /api/v1/totp/user-backup-code/../../<other API> therefore passes the authentication check as a TOTP backup-code request and is then routed to an arbitrary endpoint of the REST service.
2) CVE-2024-21887
This is a command injection vulnerability in the web components of Ivanti Connect Secure and Ivanti Policy Secure: an authenticated administrator can send a specially crafted request and execute arbitrary commands on the appliance.
Chained with CVE-2023-46805, no credentials are needed: an unauthenticated attacker traverses past the authentication check to two Python REST endpoints that are vulnerable to command injection, /api/v1/license/keys-status/ and /api/v1/system/maintenance/archiving/cloud-server-test-connection, and the injected payload (in the public exploit, a Python one-liner) is executed as a shell command on the appliance.
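To make the mechanism concrete, the following is an added example, not Ivanti's code and not the Rapid7 exploit: a small Python model of the request flow in which the authentication exemption is decided on the raw path while routing happens on the normalized path, shown beside the hardened version. The route names are the ones given above; the exemption rule, the handler bodies, the "dsls-status" command name and the argument validation are this example's assumptions.

```python
"""Model of the CVE-2023-46805 / CVE-2024-21887 chain (added example, not Ivanti code).

The front-end authentication gate decides on the raw request path, while the
backend routes on the normalized path, so "../" segments carry an unauthenticated
request into an authenticated handler whose path argument reaches a shell.
Route names come from the advisory text; everything else is a stand-in.
"""
import posixpath
import re

# Assumption: this prefix is exempt from authentication so that TOTP backup
# codes can be fetched before login.
UNAUTHENTICATED_PREFIX = "/api/v1/totp/user-backup-code"
KEYS_STATUS = "/api/v1/license/keys-status"

SAFE_ARG = re.compile(r"[A-Za-z0-9_.-]+")


def _under(path: str, prefix: str) -> bool:
    """True if path is prefix itself or a sub-path of it (no partial-segment match)."""
    return path == prefix or path.startswith(prefix + "/")


def keys_status_vulnerable(arg: str) -> str:
    """Stand-in for the injection sink: the trailing path segment is interpolated
    into a shell command line. The command is returned, not executed."""
    return f"sh -c 'dsls-status {arg}'"


def keys_status_fixed(arg: str) -> str:
    """Hardened sink: validate the argument and pass it as argv, never via a shell."""
    if not SAFE_ARG.fullmatch(arg):
        return "400 Bad Request"
    return f"exec {['dsls-status', arg]}"


def backup_codes(arg: str) -> str:
    """Stand-in for the legitimately unauthenticated TOTP backup-code handler."""
    return f"backup codes for {arg}"


def gate_vulnerable(path: str, authenticated: bool) -> bool:
    """Auth gate on the raw path: '../' is not resolved before the exemption check."""
    return _under(path, UNAUTHENTICATED_PREFIX) or authenticated


def gate_fixed(path: str, authenticated: bool) -> bool:
    """Auth gate that refuses traversal outright and decides the exemption on the
    normalized path, so the gate and the router agree on which handler is hit."""
    if ".." in path.split("/"):
        return False
    return _under(posixpath.normpath(path), UNAUTHENTICATED_PREFIX) or authenticated


def handle(path: str, authenticated: bool, gate, keys_status_handler) -> str:
    """One request: front-end gate, then backend routing on the normalized path."""
    if not gate(path, authenticated):
        return "401 Unauthorized"
    norm = posixpath.normpath(path)  # the backend resolves '../' before routing
    routes = {KEYS_STATUS: keys_status_handler, UNAUTHENTICATED_PREFIX: backup_codes}
    for route, handler in routes.items():
        if norm.startswith(route + "/"):
            return handler(norm[len(route) + 1:])
    return "404 Not Found"


# Constructed request path of the shape described above: exempt prefix,
# traversal out of it, then a shell-metacharacter payload for keys-status.
PAYLOAD = "/api/v1/totp/user-backup-code/../../license/keys-status/;id;"

if __name__ == "__main__":
    print(handle(PAYLOAD, False, gate_vulnerable, keys_status_vulnerable))  # unauthenticated command reaches the shell
    print(handle(PAYLOAD, False, gate_fixed, keys_status_fixed))            # 401 Unauthorized
    print(handle(f"{KEYS_STATUS}/;id;", True, gate_fixed, keys_status_fixed))  # 400 Bad Request even for an admin
    print(handle(f"{KEYS_STATUS}/node1", True, gate_fixed, keys_status_fixed))  # argv, no shell
```

The two fixes are independent and both are needed: normalizing before the authentication decision closes the bypass, and validating the argument plus avoiding a shell closes the injection for authenticated administrators as well.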
3) CVE-2024-21888
On January 31, Ivanti patched two more vulnerabilities: CVE-2024-21888, a privilege escalation that lets an ordinary user obtain administrator privileges, and CVE-2024-21893, an SSRF in the service that handles SAML requests.
CVE-2024-21888 is a privilege escalation vulnerability in a web component of Ivanti Connect Secure and Ivanti Policy Secure that allows an ordinary user to obtain administrator privileges. Ivanti has not published technical details, and no exploitation had been reported at the time of writing.
4) CVE-2024-21893
This is an SSRF vulnerability in Ivanti Connect Secure and Ivanti Policy Secure. Some endpoints of the service that handles SOAP-based SAML requests require no authentication, so an attacker can post crafted XML to them and make the appliance issue an HTTP request to a destination of the attacker's choosing, including services bound to the appliance's own loopback interface. The underlying flaw is in the xmltooling library that parses the SAML message (CVE-2023-36661), which fetches URIs referenced from the message's signature key information.
According to Rapid7, the SOAP-based SAML service is exposed at /dana-ws/saml.ws, /dana-ws/saml20.ws and /dana-ws/samlecp.ws; of these, /dana-ws/saml20.ws has no authentication check and is the endpoint used for the SSRF. Because the request can be aimed at the internal REST service, the SSRF was chained with CVE-2024-21887 to regain unauthenticated command execution on appliances that had only applied the January 10 mitigation.
3. Countermeasures
Ivanti has released patches for all of these vulnerabilities. Update Ivanti Connect Secure and Ivanti Policy Secure to a patched version; releases that are past end of life receive no patch and must first be upgraded to a supported release. Because the vulnerabilities were exploited before patches were available, Ivanti also recommends a factory reset of the appliance before applying the patch and running its Integrity Checker Tool to look for signs of compromise.
For CVE-2023-46805 and CVE-2024-21887, our AIWAF products detect the attack syntax that exploits these vulnerabilities with the "Directory Access Detection" policy and the "Command Injection 1" pattern; for CVE-2024-21893, with the "Ivanti Connect Secure and Policy Secure SSRF" pattern included in the February 2024 pattern update.
For CVE-2024-21888, we continue to monitor, as information about the attack is not yet publicly available.
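As an added example of the kind of request-level detection described above (illustrative rules written for this page, not the actual AIWAF signatures), the following Python checks decoded HTTP requests against the three exploit patterns discussed in this article: traversal out of the unauthenticated TOTP path, shell metacharacters reaching the two command-injection endpoints, and a POST to saml20.ws whose body carries a URL pointing at a loopback, private or link-local address. The endpoint paths are those named above; the metacharacter set, the SSRF heuristic, the port number and the sample requests are constructed for this example.

```python
"""Request-level detection for the Ivanti exploit patterns discussed above (added example).

Illustrative rules, not the AIWAF signatures. Input is a decoded HTTP request
(method, raw path, body); output is the list of rule names the request triggers.
Endpoint paths come from the text; the metacharacter set, the SSRF heuristic
and the sample requests are this example's own construction.
"""
import ipaddress
import posixpath
import re
from urllib.parse import unquote

CMD_INJECTION_ENDPOINTS = (
    "/api/v1/license/keys-status",
    "/api/v1/system/maintenance/archiving/cloud-server-test-connection",
)
SAML_SSRF_ENDPOINT = "/dana-ws/saml20.ws"

SHELL_META = re.compile(r"[;|&`$\n]")                 # conservative shell metacharacters
URL_IN_BODY = re.compile(r"https?://([^/\s\"'<>]+)")  # captures the authority part of each URL


def normalize_path(raw_path: str) -> tuple:
    """Drop the query string, percent-decode once, resolve '../'.
    Returns (normalized_path, had_traversal)."""
    path = unquote(raw_path.split("?", 1)[0])
    return posixpath.normpath(path), ".." in path.split("/")


def _host_only(authority: str) -> str:
    authority = authority.rsplit("@", 1)[-1]      # strip userinfo
    if authority.startswith("["):                 # IPv6 literal
        return authority[1:authority.find("]")]
    return authority.split(":", 1)[0]             # strip port


def _is_internal_host(authority: str) -> bool:
    """Loopback, RFC 1918 / ULA, link-local (cloud metadata) or 'localhost'."""
    host = _host_only(authority)
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                              # a hostname: not judged by this heuristic
    return ip.is_loopback or ip.is_private or ip.is_link_local


def inspect(method: str, raw_path: str, body: str = "") -> list:
    """Return the names of the rules one request triggers (empty list = clean)."""
    hits = []
    path, traversal = normalize_path(raw_path)
    if traversal:
        hits.append("directory-traversal")
    if any(path == ep or path.startswith(ep + "/") for ep in CMD_INJECTION_ENDPOINTS):
        # keys-status takes its argument from the path, cloud-server-test-connection from the body
        if SHELL_META.search(path) or SHELL_META.search(body):
            hits.append("ivanti-command-injection")
    if method == "POST" and path == SAML_SSRF_ENDPOINT:
        if any(_is_internal_host(a) for a in URL_IN_BODY.findall(body)):
            hits.append("ivanti-saml-ssrf")
    return hits


# Constructed requests (not captured traffic) of the shapes described in the text.
SAMPLE_REQUESTS = [
    ("GET", "/api/v1/totp/user-backup-code/../../license/keys-status/;id;", ""),
    ("GET", "/api/v1/totp/user-backup-code/..%2F..%2Flicense/keys-status/%3Bid%3B", ""),
    ("POST", CMD_INJECTION_ENDPOINTS[1], '{"server": "example.invalid;id;"}'),
    ("POST", SAML_SSRF_ENDPOINT,
     '<Envelope><RetrievalMethod URI="http://127.0.0.1:8090/api/v1/license/keys-status/;id;"/></Envelope>'),
    ("POST", SAML_SSRF_ENDPOINT,
     '<Envelope><Issuer>https://idp.example.com/metadata</Issuer></Envelope>'),
    ("GET", "/api/v1/totp/user-backup-code/alice", ""),
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Pair each raw path with the rules it triggered; clean requests get []."""
    return [(raw, inspect(m, raw, body)) for m, raw, body in requests]


if __name__ == "__main__":
    for raw, hits in scan():
        print(f"{raw[:70]:<72} {hits or 'clean'}")
```

Two design points carry over to real deployments: normalize (decode, then resolve "../") before matching any endpoint rule, because the second sample shows the same attack percent-encoded, and judge the SSRF target after the request's own traversal handling, since an allow-listed-looking path can still resolve to the internal REST service.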
4. Conclusion
A number of vulnerabilities have recently been discovered and reported in Ivanti products, most of them easy to exploit, so affected systems should be updated to the latest version as soon as possible.
For our AIWAF products we have developed patterns for the Ivanti Connect Secure and Policy Secure vulnerabilities, and we will continue to respond quickly to related vulnerabilities as they are discovered.
5. References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46805
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21887
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21888
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21893
- https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
- https://knvd.krcert.or.kr/detailSecNo.do?IDX=6074
- https://www.rapid7.com/db/modules/exploit/linux/http/ivanti_connect_secure_rce_cve_2023_46805/
- https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis
- https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis