SmartWorks Network

  • Home
  • RSS Blog
  • YouTube channels
  • Podcasts
  • Jobs
  • Tools
  • About us
  • Contact

Cyble Global Sensors pick up persistent exploitation of Ivanti Connect Secure Vulnerabilities

by Valentin / Friday, 19 January 2024 / Published in RSS blog posts

Cyber Security BlogsCyble Global Sensors pick up persistent exploitation of Ivanti Connect Secure Vulnerabilities Introduction

Cyble Global Sensor Intelligence (CGSI) has detected the continuous exploitation of recently revealed vulnerabilities in Ivanti Connect Secure (ICS), previously known as Pulse Connect Secure and Ivanti Policy Secure gateways.

Ivanti issued a security alert on January 10, 2024, addressing vulnerabilities found in Ivanti Connect Secure (ICS), formerly named Pulse Connect Secure and Ivanti Policy Secure gateways. The official vendor’s alert outlines two vulnerabilities, namely CVE-2023-46805 and CVE-2024-21887. When CVE-2024-21887 is combined with CVE-2023-46805, unauthorized exploitation becomes possible without authentication. This allows a Threat Actor (TA) to create malicious requests, leading to the execution of arbitrary commands on the system. The Cybersecurity and Infrastructure Security Agency (CISA), in its recent advisory, also warned about these vulnerabilities.

On the same day, Volexity revealed instances of real-world exploitation of the previous two vulnerabilities, facilitating unauthenticated remote code execution on Ivanti Connect Secure VPN devices. The TA utilized these exploits to exfiltrate configuration data, alter existing files, retrieve remote files, and establish a reverse tunnel from the ICS VPN appliance.

We also came across a post on a cybercrime forum wherein a Threat Actor (TA) offered a 1-day exploit for sale at USD 30,000. The posting date, November 16, 2024, indicates the TA’s potential engagement in exploiting vulnerabilities well before the exploit became publicly accessible.

The TA claimed that although a publicly known proof-of-concept (PoC) is available, the vulnerability is yet to be tested in real time. However, the TA called off the sale, stating that Ivanti has rolled out workarounds to mitigate the vulnerabilities.

Figure 1 – Post on Cybercrime ForumVulnerability Details Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability CVE-2023-46805 CVSS:3.1:

8.5

Severity:

High

Vulnerable Versions:

Ivanti ICS 9.x, 22.x

Description:

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x, and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

  Ivanti Connect Secure and Policy Secure Command Injection Vulnerability CVE-2024-21887 CVSS:3.1:

 9.1

Severity:

Critical

Vulnerable Versions:

Ivanti ICS 9.x, 22.x

Description:

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Ivanti Pulse Secure Exposure Instances

According to the Cyble ODIN scanner, there are over 10,000 internet-exposed instances of Pulse Secure, with the majority of these instances located in the United States and Japan, as illustrated in the figure below.

Figure 2 – Countries with the Highest number of Internet-exposed Pulse Secure InstancesTechnical Details

Cyble Global Sensor Intelligence (CGSI) has captured multiple instances of scanning attempts associated with the active exploitation of recently revealed vulnerabilities impacting Ivanti Pulse Connect Secure, as shown in the figure below. These vulnerabilities are CVE-2023-46805, involving Authentication Bypass, and CVE-2024-21887, which allows for Remote Command Execution.

Figure 3 – Ivanti Scanning Attempts Captured By CGSICVE-2023-46805 – Authentication Bypass vulnerability

According to Ivanti’s documentation on mitigation, the vulnerability affects automation systems that rely on REST APIs for configuration and monitoring. In response, researchers initiated an investigation from this standpoint to understand and potentially exploit the vulnerability within their environment.

The process started with an initial search for “restservice” packages, and several API endpoints were discovered. Subsequently, researchers employed Burp Intruder to assess the accessibility of these identified endpoints without authentication. However, they were able to identify only two endpoints that were accessible without authentication, as shown below:

Figure 4 – Identified vulnerable endpoints (Source: Assetnote)

To confirm this finding, an attempt was made to access it through “/api/v1/totp/user-backup-code” using path traversal, which allows TAs to navigate outside the intended directory structure and access files or directories that they should not be able to reach. The below image shows the scanning attempt using path traversal from our CGSI.

Figure 5 – Path Traversal

The TAs will then have access to other resources located at the endpoint and can initiate the search for a relevant authenticated command injection vulnerability. This will enable the TAs to achieve the unauthenticated Remote Code Execution (RCE).

CVE-2024-21887 Command Injection vulnerability

Upon obtaining access to the identified endpoint, the TAs can start searching for an appropriate authenticated command injection vulnerability.

The subsequent task involves identifying a susceptible function call that allows the creation of a child process with caller-supplied arguments. Such function calls are frequently the source of command injection vulnerabilities.

To accomplish this, researchers identified the “get” method in the file “restservice/api/resources/license.py,” which manages requests associated with the endpoint “/api/v1/license/keys-status.” The vulnerable code snippet is provided below.

Figure 6 – Vulnerable snippet from an endpoint (Source: Assetnote)

If an attacker can provide any arbitrary value for “node_name” in the aforementioned script, a successful command injection can be accomplished. The below image shows a curl request to a remote server captured from our CGSI.

Figure 7 – Curl request to a remote server captured in our CGSIConclusion

The ongoing exploitation of the Ivanti product range underscores the continuous efforts by Threat Actors (TAs) to target vulnerable internet-exposed applications like VPN applications and firewalls. Customers using outdated versions are advised to examine potential indicators of compromise and implement the workarounds recommended by the official vendor.

Patches for supported versions are scheduled to be released incrementally, with the initial version expected to be accessible for customers in the week starting January 22. The final version is scheduled to be available in the week commencing February 19. Instructions detailing the process of upgrading to a supported version will also be furnished.

Our Recommendations

Here are our recommended measures to enhance protection against such attacks:

Follow mitigation strategies suggested by the official vendor. CVE-2023-46805 and CVE-2024-21887 can be mitigated by importing the mitigation.release.20240107.1.xml file via the download portal.

Implement necessary mitigations and apply patches as recommended by vendors to fortify your organization’s cybersecurity infrastructure.

Maintain vigilance by regularly monitoring vendor websites, security advisories, and mailing lists to stay abreast of the latest patches and vulnerabilities associated with the applications you employ.

Leverage vulnerability scanning tools to detect potential security weaknesses in your systems and applications. These tools prove invaluable in identifying vulnerabilities that necessitate immediate patching.

Establish a well-organized patch management process incorporating a clearly defined schedule for regular updates and patches. Prioritize the deployment of critical security patches.

Bolster security by isolating critical systems or sensitive data in a network segment that is not directly accessible from the internet. This approach helps diminish the attack surface and mitigate the potential impact of vulnerabilities.

Strengthen your network security posture by implementing security measures such as firewalls, intrusion detection systems, and intrusion prevention systems. These tools play a crucial role in monitoring and safeguarding your network against potential threats.

References

https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/

https://www.assetnote.io/resources/research/high-signal-detection-and-exploitation-of-ivantis-pulse-connect-secure-auth-bypass-rce

https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis?referrer=etrblog

The post Cyble Global Sensors pick up persistent exploitation of Ivanti Connect Secure Vulnerabilities appeared first on Cyble.

​Read More

  • Tweet

About Valentin

What you can read next

Get a Lifetime of 1TB Cloud Storage for Only $80 With FolderFort
Lessons from SEC’s X account hack – Week in security with Tony Anscombe
Why Prioritizing Digital Security Matters

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recent Posts

  • Sniffnet: Free, open-source network monitoring
  • 90% of threats are social engineering
  • 78% of SMBs fear cyberattacks could shut down their business
  • Chinese attackers leverage previously unseen malware for espionage
  • Long-running Chinese cyberespionage operation targeted Southeast Asian government

Recent Comments

No comments to show.

Recent Posts

  • Sniffnet: Free, open-source network monitoring

    Cyber Security Blogs Sniffnet is a free, open-s...
  • 90% of threats are social engineering

    Cyber Security Blogs In this Help Net Security ...
  • 78% of SMBs fear cyberattacks could shut down their business

    Cyber Security Blogs 94% of SMBs have experienc...
  • Chinese attackers leverage previously unseen malware for espionage

    Cyber Security Blogs Sophos released its report...
  • Long-running Chinese cyberespionage operation targeted Southeast Asian government

    Cyber Security Blogs Researchers have uncovered...

Archives

  • June 2024
  • May 2024
  • March 2024
  • January 2024

Categories

  • RSS blog posts

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Recent Comments

    Featured Posts

    • Sniffnet: Free, open-source network monitoring

      0 comments
    • 90% of threats are social engineering

      0 comments
    • 78% of SMBs fear cyberattacks could shut down their business

      0 comments
    • Chinese attackers leverage previously unseen malware for espionage

      0 comments
    • Long-running Chinese cyberespionage operation targeted Southeast Asian government

      0 comments

    SEARCH

    RECENT POSTS

    • Sniffnet: Free, open-source network monitoring

    • 90% of threats are social engineering

    • 78% of SMBs fear cyberattacks could shut down their business

    TAG CLOUD

    ©2024 All rights Reserved @Smart Works Network

    TOP