June 15, 2024 HawkEye

Vulnerabilities targeting remote access technologies – 2024 First Quarter

Threat actors focused on exploiting vulnerabilities to gain access through traditional remote access technologies, such as VPN concentrators, during the first quarter of 2024 and the weeks that followed.

Background:

Remote access technologies are a necessary part of life in the modern world. Regrettably, attackers value them just as much as your remote employees do. Remote access is here to stay because of the growth of work-from-home arrangements, the prevalence of personal devices, and an increasingly intricate and interconnected supply chain. When US federal agencies were given 48 hours to disconnect their vulnerable Ivanti appliances, the effect on productivity was significant. In today's world connectivity is essential; the question is how to provide remote access securely.

Throughout the first quarter of 2024, and into the second, threat actors focused on exploiting vulnerabilities, both zero-days and older unpatched flaws, to gain access through traditional remote access technologies such as VPN concentrators.

This has drawn attention back to a long-known issue: anything that permits remote access into your company can become a tool for attackers if it is not properly secured. Understanding the major security vulnerabilities in remote access technologies such as VPN and RDP is therefore essential to protecting your company while still allowing remote access.

 

List of vulnerabilities exploited:

  • Ivanti Connect Secure (CVE-2023-46805 & CVE-2024-21887):

In mid-December 2023, Volexity observed UTA0178, a suspected Chinese nation-state threat actor, exploiting two zero-day vulnerabilities in Ivanti Connect Secure (formerly Pulse Connect Secure) VPN appliances to download and modify files, establish a reverse tunnel, and deploy webshells (GLASSTOKEN) on multiple internal and external-facing web servers. Chained together, the authentication bypass CVE-2023-46805 and the command injection CVE-2024-21887 gave the attacker unauthenticated remote code execution (RCE) on affected devices and a foothold for follow-on activity.

For more information please check:
https://www.hawk-eye.io/2024/02/cve-2024-21893-new-ivanti-zero-day-vulnerability-actively-exploited/

 

  • Cisco AnyConnect vulnerability (CVE-2020-3259):

Forensic data recovered by the Truesec CSIRT team indicates that the Akira ransomware group has likely been exploiting an old Cisco ASA (Adaptive Security Appliance) and FTD (Firepower Threat Defense) vulnerability, CVE-2020-3259. Disclosed on May 6, 2020, it is an information disclosure flaw in the web services interface that allows a remote, unauthenticated attacker to retrieve memory contents from an affected device. That memory can include clear-text usernames and passwords of VPN users, which the attacker can then use to log in legitimately. Any organization that ran an unpatched ASA or FTD exposed to the internet should treat VPN credentials used on that device as potentially compromised and rotate them after patching.

For more information please check:
https://www.truesec.com/hub/blog/akira-ransomware-and-exploitation-of-cisco-anyconnect-vulnerability-cve-2020-3259

 

  • Ivanti Connect Secure & Policy Secure (CVE-2024-21888 & CVE-2024-21893):

Two further high-severity vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure, CVE-2024-21888 and CVE-2024-21893, allow privilege escalation and unauthenticated access to restricted resources on vulnerable systems. CVE-2024-21893 has been exploited in the wild.

CVE-2024-21888 is a privilege escalation vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure. Successful exploitation allows a user to elevate their privileges to administrator level.

CVE-2024-21893 is a server-side request forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA. By exploiting it, an attacker can reach certain restricted resources without authentication.

For more information please check:
https://www.hawk-eye.io/2024/02/cve-2024-21893-new-ivanti-zero-day-vulnerability-actively-exploited/

 

  • FortiGate SSL-VPN (CVE-2023-27997):

CVE-2023-27997 is a critical heap-based buffer overflow in the SSL-VPN pre-authentication code of Fortinet's FortiOS. A crafted request writes more data than the allocated heap block can hold, so the excess spills into adjacent heap memory; an attacker who controls that corruption can execute arbitrary code or commands on the device before ever authenticating.

For more information please check:
https://www.fortiguard.com/psirt/FG-IR-23-097

 

  • Fortinet FortiOS/FortiProxy (CVE-2024-21762):

CVE-2024-21762, rated 9.6 on the CVSS scale, is an out-of-bounds write in the FortiOS SSL-VPN caused by insufficient validation of attacker-supplied data. Using specially crafted HTTP requests, a remote, unauthenticated attacker can cause bytes to be copied past the end of a buffer, corrupting memory and redirecting the process's control flow, which can lead to the execution of arbitrary code or commands. Fortinet has reported that the vulnerability is potentially being exploited in the wild.

For more information please check:
https://www.hawk-eye.io/2024/02/cve-2024-21762-critical-fortinet-fortios-vulnerability/

 

  • Ivanti Connect Secure & Policy Secure (CVE-2024-22024):

A further high-severity vulnerability, CVE-2024-22024, affects Ivanti Connect Secure and Ivanti Policy Secure, the software that connects devices to the corporate network over VPN. It is an XML External Entity (XXE) flaw in the SAML component: by submitting specially crafted XML, a remote attacker can access certain restricted resources, such as internal files, without authentication. A public proof-of-concept exploit is available, which makes prompt patching more pressing.

For more information please check:
https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
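To make the XXE mechanism concrete, the following Python script is an added example written for this post; it is not Ivanti's code and does not reproduce the actual CVE-2024-22024 request. The SAML-style message, the element names and the secret file are all constructed for the demo. It contrasts a parser that resolves external entities (the behaviour an XXE bug relies on) with a hardened one that rejects DTDs and never fetches external references.

```python
"""Added example (not Ivanti's code): how an XML External Entity (XXE) flaw
leaks a local file, and how a hardened parser blocks the same input.

Assumptions: the SAML-style message, the secret file and the element names
are constructed for this demo; the real CVE-2024-22024 request is not shown.
"""
import os
import tempfile
import xml.parsers.expat as expat


def xxe_payload(path: str) -> bytes:
    """Build a constructed SAML-style message whose DTD declares an external
    entity pointing at a local file, then references it inside an element."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE samlp:Response [<!ENTITY xxe SYSTEM "' + path.encode() + b'">]>\n'
        b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
        b'<NameID>&xxe;</NameID>'
        b'</samlp:Response>'
    )


def parse_unsafe(xml_bytes: bytes) -> str:
    """Vulnerable parser: resolves external entities, so the file named in the
    SYSTEM identifier is opened and its contents become part of the document."""
    text = []
    parser = expat.ParserCreate()
    parser.buffer_text = True
    parser.CharacterDataHandler = text.append

    def fetch_external_entity(context, base, system_id, public_id):
        # The dangerous step: whatever path the attacker named gets opened.
        with open(system_id, "rb") as fh:
            data = fh.read()
        child = parser.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = text.append
        child.Parse(data, True)
        return 1  # tell expat the entity was handled successfully

    parser.ExternalEntityRefHandler = fetch_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(text)


def parse_safe(xml_bytes: bytes) -> str:
    """Hardened parser: a SAML message never legitimately carries a DTD, so any
    DOCTYPE or entity declaration is rejected before parsing, and no external
    entity handler is installed (expat then skips external references)."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD / entity declarations are not allowed in SAML input")
    text = []
    parser = expat.ParserCreate()
    parser.buffer_text = True
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text)


def run_demo() -> tuple:
    """Write a constructed secret, feed the XXE payload to both parsers and
    return (text leaked by the unsafe parser, whether the safe parser refused)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("vpn-admin:constructed-secret-value\n")  # constructed sample
        secret_path = fh.name
    try:
        payload = xxe_payload(secret_path)
        leaked = parse_unsafe(payload).strip()
        try:
            parse_safe(payload)
            blocked = False
        except ValueError:
            blocked = True
        return leaked, blocked
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, blocked = run_demo()
    print("unsafe parser leaked:", leaked)
    print("safe parser blocked the payload:", blocked)
```

The defensive rule generalizes beyond this demo: any component that parses SAML or other untrusted XML should reject DOCTYPE declarations and keep external entity and DTD resolution disabled, and the check belongs before the bytes reach the parser rather than inside a handler that runs after the declaration has already been processed.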


  • Palo Alto Networks PAN-OS (CVE-2024-3400):

CVE-2024-3400 is a critical command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS. It lets an unauthenticated remote attacker execute arbitrary commands with root privileges on the firewall, and it was exploited as a zero-day before a fix was available. Given the consequences, organizations should patch vulnerable PAN-OS versions as soon as feasible.

For more information please check:
https://www.hawk-eye.io/2024/05/cve-2024-3400-palo-alto-pan-os-command-injection-vulnerability/

 

  • Cisco ASA and FTD (CVE-2024-20353 and CVE-2024-20359):

CVE-2024-20353 is a denial-of-service (DoS) vulnerability in the management and VPN web servers of Cisco ASA and FTD software: an unauthenticated remote attacker can send a crafted HTTP request that causes the device to reload unexpectedly.

CVE-2024-20359 is a persistent local code execution vulnerability: a local attacker who already holds administrator-level privileges can execute arbitrary code with root-level privileges, which an attacker can use to keep malicious code resident on the device. Both vulnerabilities were exploited in the ArcaneDoor campaign that Cisco Talos disclosed in April 2024.

For more information please check:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h

 

  • Check Point Security Gateways (CVE-2024-24919):

On May 28th, 2024, Check Point disclosed an arbitrary file read vulnerability affecting Check Point Security Gateways. CVE-2024-24919 (CVSS 8.6, High) lets an unauthenticated remote attacker read files on an affected gateway with root privileges, including sensitive ones such as the password hashes of local accounts, which can then be used for further access. The flaw affects gateways with the Remote Access VPN or Mobile Access blades enabled and was exploited in the wild before the fix was released; Check Point's initial guidance singled out local accounts that authenticate with a password only as the most exposed.

For more information please check:
https://www.hawk-eye.io/2024/06/cve-2024-24919-check-point-security-gateways-zero-day-vulnerability/

Recommendations:

  • Apply the vendor patches for each of these vulnerabilities, following the advisories linked above.

  • Treat any device that was exposed to the internet before it was patched as potentially compromised: run the vendor's integrity check where one is provided, review logs for unexpected administrative activity and new accounts, and look for webshells or tunnels of the kind described for Ivanti Connect Secure above.

  • Rotate credentials that may have passed through an affected device. Several of these flaws (CVE-2020-3259 and CVE-2024-24919 in particular) expose usernames, passwords or password hashes directly, so patching alone does not close that door.

  • Limit what is reachable from the internet: expose only the VPN service itself, keep management interfaces on trusted networks, and enforce multi-factor authentication so that a leaked password is not sufficient on its own.


