CVE-2024-21893: New Ivanti Zero-Day Vulnerability Actively Exploited
Employees, partners, and clients may access business data and apps securely and under control with the help of Ivanti Connect Secure, a VPN solution. It allows mobile and remote employees to access company resources from any web-enabled device.
Background
Access is granted to approved and secure users and devices via the network access control (NAC) solution Ivanti Policy Secure (IPS). The endpoint’s security compliance and user identity are ascertained by means of a central policy management server.
High-severity vulnerabilities in Ivanti Connect Secure and Policy Secure (CVE-2024-21888 & CVE-2024-21893) discovered on 31st Jan 2024, could allow arbitrary code execution and privilege escalation on susceptible systems. A vulnerability identified as CVE-2024-21893 is being used in the wild. Ivanti stated in the advice that they know of a small number of clients who have experienced the problem.
CVE-2024-21888
This is a privilege escalation vulnerability present in Ivanti Policy Secure and Ivanti Connect Secure’s online component. If the vulnerability is successfully exploited, the attacker might be able to elevate their privileges to the administrator level.
CVE-2024-21893
This is a vulnerability in the SAML part of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA that allows for server-side request forgery. An attacker could gain unauthenticated access to restricted resources by taking advantage of the vulnerability.
Affected Versions
The vulnerability affects Ivanti Connect Secure and Policy Secure versions 9.x and 22.x.
Public Exploitation
Ivanti reported at the time of the disclosure that while CVE-2024-21893 had affected a small number of customers, there was no proof that CVE-2024-21888 had any effect on customers.
Ivanti said that it looks like CVE-2024-21893 is being intentionally exploited. After the vulnerability’s specifics are made public, the company anticipates a rise in exploitation attempts. CISA has added CVE-2024-21893 to its KEV Catalog in the interim to alert agencies to potential exploitation and compel them to take corrective measures.
Mitigation
Ivanti made the latest patches available through the standard download page. At now, patches are accessible for the subsequent versions:
Ivanti Connect Secure:
- 9.1R14.4
- 9.1R17.2
- 9.1R18.3
- 22.4R2.2
- 22.5R1.1
ZTA:
- 22.6R1.3
Ivanti said that patches for the remaining supported versions will be applied gradually and that a new mitigation is also accessible for download.
Ivanti also advise all customers to perform a factory reset on their appliance before applying the patch to prevent the threat actor from establishing upgrade persistence in their environment. In the past, Ivanti have observed that this threat actor is attempting to establish persistence in customers’ environments, which is why they are suggesting this action as a best practice for all customers.
Workaround:
Customers who have applied the patch do not need to implement the mitigation; however, if the mitigation was applied before the patch, it can be removed afterward using the provided XML. The XML for removing the mitigation is available in the standard download portal. To address specific vulnerabilities, customers can import the mitigation.release.20240126.5.xml file. Ivanti has introduced a new mitigation for gateways, prioritizing customer interests by providing it while remaining patches are developed.
Reference:
https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US