Cyble Global Sensors pick up persistent exploitation of Ivanti Connect Secure Vulnerabilities

Introduction

Cyble Global Sensor Intelligence (CGSI) has detected the continuous exploitation of recently revealed vulnerabilities in Ivanti Connect Secure (ICS), previously known as Pulse Connect Secure and Ivanti Policy Secure gateways.

Ivanti issued a security alert on January 10, 2024, addressing vulnerabilities found in Ivanti Connect Secure (ICS), formerly named Pulse Connect Secure, and Ivanti Policy Secure gateways. The vendor’s alert outlines two vulnerabilities, CVE-2023-46805 and CVE-2024-21887. When CVE-2024-21887 is chained with CVE-2023-46805, exploitation is possible without authentication, allowing a Threat Actor (TA) to craft malicious requests that execute arbitrary commands on the appliance. The Cybersecurity and Infrastructure Security Agency (CISA), in its recent advisory, also warned about these vulnerabilities.

On the same day, Volexity revealed real-world exploitation of these two vulnerabilities to achieve unauthenticated remote code execution on Ivanti Connect Secure VPN devices. The TA used the exploits to exfiltrate configuration data, modify existing files, download remote files, and establish a reverse tunnel from the ICS VPN appliance.

We also came across a post on a cybercrime forum wherein a Threat Actor (TA) offered a 1-day exploit for sale at USD 30,000. The posting date, November 16, 2024, indicates the TA’s potential engagement in exploiting vulnerabilities well before the exploit became publicly accessible.

The TA claimed that although a publicly known proof-of-concept (PoC) is available, the vulnerability is yet to be tested in real time. However, the TA called off the sale, stating that Ivanti has rolled out workarounds to mitigate the vulnerabilities.

Figure 1 – Post on Cybercrime Forum

Vulnerability Details

Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability

CVE-2023-46805
CVSS:3.1: 8.5
Severity: High
Vulnerable Versions: Ivanti ICS 9.x, 22.x
Description: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x, and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Ivanti Connect Secure and Policy Secure Command Injection Vulnerability

CVE-2024-21887
CVSS:3.1: 9.1
Severity: Critical
Vulnerable Versions: Ivanti ICS 9.x, 22.x
Description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Ivanti Pulse Secure Exposure Instances

According to the Cyble ODIN scanner, there are over 10,000 internet-exposed instances of Pulse Secure, with the majority of these instances located in the United States and Japan, as illustrated in the figure below.

Figure 2 – Countries with the Highest number of Internet-exposed Pulse Secure Instances

Technical Details

Cyble Global Sensor Intelligence (CGSI) has captured multiple instances of scanning attempts associated with the active exploitation of recently revealed vulnerabilities impacting Ivanti Pulse Connect Secure, as shown in the figure below. These vulnerabilities are CVE-2023-46805, involving Authentication Bypass, and CVE-2024-21887, which allows for Remote Command Execution.

Figure 3 – Ivanti Scanning Attempts Captured By CGSI

CVE-2023-46805 – Authentication Bypass vulnerability

According to Ivanti’s mitigation documentation, the vulnerability affects automation systems that rely on the appliance’s REST APIs for configuration and monitoring. Taking this as the starting point, Assetnote researchers investigated the REST API layer to understand the vulnerability and reproduce its exploitation in their own test environment.

The analysis began with a search of the “restservice” packages, which revealed several API endpoints. The researchers then used Burp Intruder to test which of these endpoints could be reached without authentication, and found only two, as shown below:

Figure 4 – Identified vulnerable endpoints (Source: Assetnote)

To confirm this finding, the researchers sent requests through “/api/v1/totp/user-backup-code” using path traversal, a technique that lets TAs step outside the intended directory structure and reach files or endpoints they should not be able to access. The image below shows a scanning attempt using path traversal captured by CGSI.

Figure 5 – Path Traversal

With this access to otherwise restricted resources behind the endpoint, the TAs can search for a suitable authenticated command injection vulnerability; chaining the two yields unauthenticated Remote Code Execution (RCE).

CVE-2024-21887 Command Injection vulnerability

Upon obtaining access to the identified endpoint, the TAs can start searching for an appropriate authenticated command injection vulnerability.

The subsequent task involves identifying a susceptible function call that allows the creation of a child process with caller-supplied arguments. Such function calls are frequently the source of command injection vulnerabilities.

To accomplish this, researchers identified the “get” method in the file “restservice/api/resources/license.py,” which manages requests associated with the endpoint “/api/v1/license/keys-status.” The vulnerable code snippet is provided below.

Figure 6 – Vulnerable snippet from an endpoint (Source: Assetnote)

If an attacker can supply an arbitrary value for “node_name” in that code, it reaches the child-process call unchanged and command injection succeeds. The image below shows a curl request to a remote server captured by our CGSI.

Figure 7 – Curl request to a remote server captured in our CGSI
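The two request patterns described above (traversal sequences sent through the unauthenticated “/api/v1/totp/user-backup-code” endpoint, and shell metacharacters sent to “/api/v1/license/keys-status”) can be flagged from the appliance’s web access logs. The following detection script is an added example and is not part of Cyble’s or Ivanti’s tooling; the log format, the metacharacter heuristic and the sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Endpoints named in the write-up (Assetnote research cited on the page).
TOTP_BACKUP = "/api/v1/totp/user-backup-code"
LICENSE_STATUS = "/api/v1/license/keys-status"

# Heuristics (assumptions for this example): a ".." path segment after the
# unauthenticated TOTP endpoint, and shell metacharacters anywhere in a
# request aimed at the license endpoint whose "get" spawns a child process.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
SHELL_META = re.compile(r"[;|`&]|\$\(")

# Common-log-style line: ip ident user [ts] "METHOD url proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return (ip, decoded_url, tags) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so %2e%2e/ and %253b are seen like literal ../ and ;
    url = unquote(unquote(m.group("url")))
    path = url.split("?", 1)[0]
    tags = []
    if path.startswith(TOTP_BACKUP) and TRAVERSAL.search(path):
        tags.append("cve-2023-46805-traversal")
    if LICENSE_STATUS in path and SHELL_META.search(url):
        tags.append("cve-2024-21887-cmdinj")
    return (m.group("ip"), url, tags) if tags else None

def scan(lines):
    """Run classify() over an iterable of log lines, keeping only hits."""
    return [hit for hit in (classify(l) for l in lines) if hit]

# Constructed sample log lines (placeholder IPs and paths, not real captures).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jan/2024:09:14:02 +0000] "GET /api/v1/totp/user-backup-code/../../placeholder/resource HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.5 - - [11/Jan/2024:09:14:05 +0000] "GET /api/v1/license/keys-status/%3Bplaceholder-cmd HTTP/1.1" 200 88 "-" "curl/8.4.0"',
    '198.51.100.7 - - [11/Jan/2024:09:15:00 +0000] "GET /api/v1/totp/user-backup-code HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Jan/2024:09:15:03 +0000] "GET /api/v1/license/keys-status HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, url, tags in scan(SAMPLE_LOG):
        print(ip, ",".join(tags), url)
```

Hits should be correlated by source IP and followed by a review of the appliance for the indicators of compromise listed by Ivanti and Volexity, since a 200 response to either pattern on an unmitigated device suggests the chain succeeded.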

Conclusion

The ongoing exploitation of the Ivanti product range underscores the continuous efforts by Threat Actors (TAs) to target vulnerable internet-exposed applications like VPN applications and firewalls. Customers using outdated versions are advised to examine potential indicators of compromise and implement the workarounds recommended by the official vendor.

Patches for supported versions are scheduled to be released incrementally, with the initial version expected to be accessible for customers in the week starting January 22. The final version is scheduled to be available in the week commencing February 19. Instructions detailing the process of upgrading to a supported version will also be furnished.

Our Recommendations

Here are our recommended measures to enhance protection against such attacks:

  • Follow mitigation strategies suggested by the official vendor. CVE-2023-46805 and CVE-2024-21887 can be mitigated by importing the mitigation.release.20240107.1.xml file via the download portal.
  • Implement necessary mitigations and apply patches as recommended by vendors to fortify your organization’s cybersecurity infrastructure.
  • Maintain vigilance by regularly monitoring vendor websites, security advisories, and mailing lists to stay abreast of the latest patches and vulnerabilities associated with the applications you employ.
  • Leverage vulnerability scanning tools to detect potential security weaknesses in your systems and applications. These tools prove invaluable in identifying vulnerabilities that necessitate immediate patching.
  • Establish a well-organized patch management process incorporating a clearly defined schedule for regular updates and patches. Prioritize the deployment of critical security patches.
  • Bolster security by isolating critical systems or sensitive data in a network segment that is not directly accessible from the internet. This approach helps diminish the attack surface and mitigate the potential impact of vulnerabilities.
  • Strengthen your network security posture by implementing security measures such as firewalls, intrusion detection systems, and intrusion prevention systems. These tools play a crucial role in monitoring and safeguarding your network against potential threats.

References

https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/

https://www.assetnote.io/resources/research/high-signal-detection-and-exploitation-of-ivantis-pulse-connect-secure-auth-bypass-rce

https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis?referrer=etrblog
