02.08.2024

Ivanti Secure Connect – Zero Day Server-Side Request Forgery Authentication Bypass & Privilege Escalation Vulnerabilities

Alert

Date of Notice: 02/08/2024

Action Level - High

Description

MCNC would like to alert you to vulnerabilities affecting the Ivanti Secure Connect service. Two more CVEs have been reported that need to be addressed immediately: CVE-2024-21893 (SSRF) and CVE-2024-21888 (privilege escalation). CVE-2024-21893 is a server-side request forgery vulnerability in the gateways' SAML component that enables attackers to bypass authentication and access restricted resources on vulnerable devices. CVE-2024-21888 is a flaw in the Ivanti gateways' web component that allows threat actors to escalate privileges to those of an administrator.

Ivanti says it has started to see active exploitation of CVE-2024-21893 (SSRF), which is the more critical of the two vulnerabilities. Ivanti also stated that it has yet to see active exploitation of CVE-2024-21888 in the wild.

Fixed Versions

CVE-2024-21888 and CVE-2024-21893 can be mitigated by importing the mitigation.release.20240126.5.xml file, which can be downloaded from the download portal once logged in. The new versions that need to be downloaded are 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 and 22.5R2.2.

https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
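To check an appliance inventory against the fixed versions listed above, the following added example (not MCNC or Ivanti code) classifies each version string by release train. It assumes a build is fixed only when its train appears in the list and its patch level is at or above the listed one; the inventory, hostnames and function names are constructed for illustration.

```python
import re

# Fixed releases named in the advisory above.
FIXED_RELEASES = ["9.1R14.4", "9.1R17.2", "9.1R18.3",
                  "22.4R2.2", "22.5R1.1", "22.5R2.2"]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text):
    """Split '22.5R2.2' into ((22, 5, 2), 2): release train and patch level."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release)), int(patch or 0)

# Release train -> lowest patch level the advisory lists as fixed.
FIXED_BY_TRAIN = dict(parse_version(v) for v in FIXED_RELEASES)

def classify(version):
    """Return 'fixed', 'needs-update' or 'unlisted' for one version string."""
    train, patch = parse_version(version)
    if train not in FIXED_BY_TRAIN:
        # Assumption: a train with no listed fix is never reported as fixed.
        return "unlisted"
    # Assumption: later patch levels in a listed train keep the fix.
    return "fixed" if patch >= FIXED_BY_TRAIN[train] else "needs-update"

def audit(inventory):
    """Classify every appliance in a {hostname: version} mapping."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = classify(version)
        except ValueError:
            report[host] = "unparseable"
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "vpn-east.example.org": "22.5R2.2",
    "vpn-west.example.org": "9.1R18.2",
    "nac-core.example.org": "22.6R1.1",
    "vpn-lab.example.org": "unknown",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:24} {status}")
```

Appliances reported as "unlisted" or "unparseable" need a manual check against the vendor advisory rather than being treated as safe.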

Attack Vector

Ivanti Connect Secure VPN and Ivanti Policy Secure (IPS) Network Access Control (NAC) appliances

Attack Feasibility 

Since Ivanti has reported incidents of the SSRF vulnerability in the wild, the feasibility of that attack is very high. MCNC has been able to find exploit scripts, such as the PoC exploit script on GitHub linked below. Since this information is now publicly available, the likelihood of an attacker being able to exploit the security flaw is high.

https://github.com/Chocapikk/CVE-2024-21893-to-CVE-2024-21887

Mitigation/Remediation

Immediately update Ivanti Connect Secure to a fixed/secure version.

Vendor Resources

https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
