- January 24, 2024
- Beazley Security Labs
Ivanti Critical Vulnerabilities Under Active Exploitation (CVE-2023-46805, CVE-2024-21887)
Executive Summary
On January 10th, 2024, Ivanti published a vulnerability report for two products: Ivanti Connect Secure and Ivanti Policy Secure Gateways. The two vulnerabilities (CVE-2023-46805, CVE-2024-21887) are reported to be under active exploitation at this time, according to joint reporting from Volexity who discovered the attacks.
The vulnerabilities are an authentication bypass and a command injection; chained together, they allow a remote, unauthenticated attacker to execute arbitrary commands on the target device.
As of this writing, Ivanti has not released a formal patch but has published a workaround that can be applied manually.
Affected Systems or Products
The following products are reported vulnerable, according to Ivanti.
Ivanti Connect Secure (ICS) Gateway, versions 9.x and 22.x
Ivanti Policy Secure Gateway, versions 9.x and 22.x
Mitigations / Workarounds
At the time of writing, Ivanti is still developing a full product patch. In the meantime, it has provided a mitigation that can be applied manually after being downloaded from Ivanti. At the time of writing, we see a reference to the manual file fix but cannot see either the file or the instructions at the link Ivanti provides. Lodestone will continue to monitor for updates.
This is an evolving situation; the most current updates can be monitored in Ivanti's KB article found here.
Patches
At the time of writing, a vendor-supplied patch is unavailable.
Indicators of Compromise
Volexity published IOCs found in the initial discovery of these vulnerabilities. You can find details in their report here. Below is a quick summary list:
Files Created
/home/perl/DSLogConfig.pm
/home/etc/sql/dsserver/sessionserver.pl
/home/etc/sql/dsserver/sessionserver.sh
/home/webserver/htdocs/dana-na/auth/compcheckresult.cgi
/home/webserver/htdocs/dana-na/auth/lastauthserverused.js
Files executed
/tmp/rev
/tmp/s.py
/tmp/s.jar
/tmp/b
/tmp/kill
IPs
206.189.208[.]156
75.145.243[.]85
47.207.9[.]89
98.160.48[.]170
173.220.106[.]166
73.128.178[.]221
50.243.177[.]161
50.213.208[.]89
64.24.179[.]210
75.145.224[.]109
50.215.39[.]49
71.127.149[.]194
173.53.43[.]7
Domains
gpoaccess[.]com
webb-institute[.]com
symantke[.]com
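To make the indicator list above actionable, the following Python script is added here as an example; it is not part of this advisory or of Volexity's report. It refangs the published IPs and domains (the `[.]` form is how the list above is written), then matches them against log lines and against a file listing from an appliance. The indicator values are the ones listed above as published; the log lines and the file listing are constructed sample data, not captures from a real device. A path match alone identifies a file to examine, not a confirmed compromise, so compare any matched file against a known-good copy from the same appliance version before drawing conclusions.

```python
"""Offline IoC matcher for the indicators listed in the advisory.

Added example; not part of the Beazley Security advisory or Volexity's report.
Indicator values are copied from the advisory. SAMPLE_LOG and SAMPLE_LISTING
are constructed sample data, not real appliance output.
"""
import re
from dataclasses import dataclass

# Indicators copied from the advisory, kept in the defanged form they were published in.
FILES_CREATED = [
    "/home/perl/DSLogConfig.pm",
    "/home/etc/sql/dsserver/sessionserver.pl",
    "/home/etc/sql/dsserver/sessionserver.sh",
    "/home/webserver/htdocs/dana-na/auth/compcheckresult.cgi",
    "/home/webserver/htdocs/dana-na/auth/lastauthserverused.js",
]
FILES_EXECUTED = ["/tmp/rev", "/tmp/s.py", "/tmp/s.jar", "/tmp/b", "/tmp/kill"]
DEFANGED_IPS = [
    "206.189.208[.]156", "75.145.243[.]85", "47.207.9[.]89", "98.160.48[.]170",
    "173.220.106[.]166", "73.128.178[.]221", "50.243.177[.]161", "50.213.208[.]89",
    "64.24.179[.]210", "75.145.224[.]109", "50.215.39[.]49", "71.127.149[.]194",
    "173.53.43[.]7",
]
DEFANGED_DOMAINS = ["gpoaccess[.]com", "webb-institute[.]com", "symantke[.]com"]


def refang(indicator: str) -> str:
    """Turn a published, defanged indicator ('1.2.3[.]4', 'hxxp://') back into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IPS = {refang(i) for i in DEFANGED_IPS}
DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
FILE_PATHS = set(FILES_CREATED) | set(FILES_EXECUTED)

# Tokenisers for the two network indicator types. The lookarounds stop
# 47.207.9.89 from matching inside 147.207.9.89 and symantke.com from
# matching inside notsymantke.com, while still allowing a trailing dot.
_IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?!\.?\d)")
_DOMAIN_RE = re.compile(r"(?<![\w.-])([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.IGNORECASE)


@dataclass
class Hit:
    kind: str    # "ip", "domain" or "file"
    value: str   # the matched indicator, in live (refanged) form
    source: str  # the log line or listing entry it came from


def scan_log_lines(lines):
    """Return every IP or domain indicator found in the given log lines."""
    hits = []
    for line in lines:
        for ip in _IP_RE.findall(line):
            if ip in IPS:
                hits.append(Hit("ip", ip, line))
        for dom in _DOMAIN_RE.findall(line):
            if dom.lower() in DOMAINS:
                hits.append(Hit("domain", dom.lower(), line))
    return hits


def scan_file_listing(paths):
    """Return every entry of a file listing that exactly matches a published path."""
    return [Hit("file", p, p) for p in paths if p in FILE_PATHS]


# Constructed sample data: the first line carries a listed IP, the second a listed
# domain with a trailing dot, the fourth and fifth are near-misses that must not match.
SAMPLE_LOG = [
    "2024-01-12T03:14:07Z web GET /dana-na/auth/compcheckresult.cgi src=206.189.208.156 status=200",
    "2024-01-12T03:14:09Z dns query name=symantke.com. type=A client=10.0.0.15",
    "2024-01-12T03:15:00Z web GET /dana-na/auth/url_default/welcome.cgi src=10.0.0.23 status=200",
    "2024-01-12T03:16:42Z dns query name=notsymantke.com type=A client=10.0.0.15",
    "2024-01-12T03:17:00Z web POST /api/v1/configuration src=147.207.9.89 status=403",
]
SAMPLE_LISTING = [
    "/home/perl/DSLogConfig.pm",
    "/home/webserver/htdocs/dana-na/auth/welcome.cgi",
    "/tmp/s.py",
    "/tmp/sessions.db",
]


def summarize(hits):
    """Group hits by indicator kind into sorted, de-duplicated values for reporting."""
    out = {}
    for h in hits:
        out.setdefault(h.kind, set()).add(h.value)
    return {kind: sorted(values) for kind, values in out.items()}


if __name__ == "__main__":
    for h in scan_log_lines(SAMPLE_LOG) + scan_file_listing(SAMPLE_LISTING):
        print(f"{h.kind:6} {h.value:40} <- {h.source}")
```

Run it against real appliance logs by replacing SAMPLE_LOG with lines read from the export, and SAMPLE_LISTING with the output of a recursive directory listing; the exact-match file check is deliberately strict so it does not flag the many legitimate files under the same directories.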
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices discovered by our Attack Surface Management Solution, Karma, to identify potentially impacted devices and support organizations in remediation of any issues found.