Ivanti Secure Connect – Zero Day Server-Side Request Forgery Authentication Bypass & Privilege Escalation Vulnerabilities
Date of Notice: 02/08/2024
Action Level - High
Description
MCNC would like to alert you regarding a vulnerability affecting the Ivanti Secure Connect service. Two more CVEs have been reported that need to be addressed immediately: CVE-2024-21893 (SSRF) and CVE-2024-21888 (Priv-Escalation). For CVE-2024-21893, The server-side request forgery vulnerability in the gateways' SAML component enables attackers to bypass authentication and access restricted resources on vulnerable devices. For CVE-2024-21888, the Ivanti gateways' web component allows threat actors to escalate privileges to those of an administrator.
Ivanti says that they have started to see active exploitation of CVE-2024-21893 (SSRF), this is more critical of the two vulnerabilities. Ivanti also stated that for CVE-2024-21888, they have yet to see active exploitation of this in the wild.
Fixed Versions
CVE-2024-21888 and CVE-2024-21893 can be mitigated by importing the file, mitigation.release.20240126.5.xml file via the download portal. This file can be downloaded once logged in to the portal. The new versions that need to be downloaded are as follows, versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 and 22.5R2.2.
Attack Vector
Ivanti Connect Secure VPN and IPS Network Access Control (NAC) appliances
Attack Feasibility
Since Ivanti has reported incidents of the SSRF vulnerability in the wild, the feasibility of that attack is very high. MCNC have been able to find exploit scripts such as the one below. Since this information is now publicly available, the likelihood of an attacker being able to exploit the security flaw is high. The link below is a PoC exploit script that MCNC was able to find on GitHub.
https://github.com/Chocapikk/CVE-2024-21893-to-CVE-2024-21887
Mitigation/Remediation
Immediately update Ivanti Connect Secure to a fixed/secure version.
Vendor Resources