From 1195596f9e8dd3fbd96e064022cfdc188078c7ea Mon Sep 17 00:00:00 2001
From: Maximand <max@divd.nl>
Date: Wed, 10 Jan 2024 20:42:04 +0100
Subject: [PATCH 1/4] First version casefile 2024-00001

---
 _cases/2024/DIVD-2023-00001.md | 61 ++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 _cases/2024/DIVD-2023-00001.md

diff --git a/_cases/2024/DIVD-2023-00001.md b/_cases/2024/DIVD-2023-00001.md
new file mode 100644
index 00000000..793af016
--- /dev/null
+++ b/_cases/2024/DIVD-2023-00001.md
@@ -0,0 +1,61 @@
+---
+layout: case  
+title: "Authentication Bypass and Command Injection in Ivanti Connect Secure and Policy Secure"
+excerpt: "Ivanti warns of an authentication bypass and command injection exploited by threat actors in its Connect Secure and Policy Secure products."
+author: Max van der Horst
+lead: Lennaert Oudshoorn
+researchers:
+- Frank Breedijk
+- Lennaert Oudshoorn
+- Ralph Horn
+- Victor Pasman
+- Barre Dijkstra
+- Max van der Horst
+# You can use free text here as well. E.g. to indicate that some vulnerabilities don't have CVEs assigned (yet).
+cves:
+- CVE-2023-46805
+- CVE-2024-21887
+product: 
+- Ivanti Connect Secure
+- Ivanti Policy Secure
+versions: 
+- All supported versions
+recommendation: "While the patch is under development, apply Ivanti’s mitigation."
+patch_status: Under development
+workaround: Import the mitigation file mitigation.release.20240107.1.xml provided by Ivanti in the download portal.
+status : Open
+start: 2024-01-10
+end: 
+timeline:
+- start: 2024-01-10
+  end:
+  event: "DIVD receives signals about a vulnerability in Ivanti Pulse Connect and starts fingerprinting."
+- start: 24-01-10
+  end:
+  event: “Advisory published, DIVD starts scanning for vulnerable instances."
+#ips: 
+# ips is used for statistics after the case is closed. If it is not applicable, you can set IPs to n/a (e.g. stolen credentials)
+# This field becomes mandatory when the case status is set to 'Closed'
+---
+## Summary
+​
+An authentication bypass and command injection vulnerability were discovered in Ivanti Connect Secure and Ivanti Policy Secure. Multiple sources report active exploitation by threat actors, making immediate mitigation necessary. By combining these two vulnerabilities, threat actors are able to take complete control of the underlying system. Ivanti does not yet have a patch, which is expected to be released in the week of January 22nd. In the meantime, a mitigation is provided that can be downloaded in the Ivanti download portal. 
+​
+## What you can do
+The patch is expected to be released in the week of January 22nd. Before the release, it is crucial the provided mitigation is applied as soon as possible. The mitigation can be applied by downloading and importing mitigation.release.20240107.1.xml from the Ivanti download portal. Additionally, Volexity (see references) provided detection rules to monitor for exploitation.
+
+## What we are doing
+​DIVD is currently working to identify vulnerable instances and notify the owners of these systems. We do this by scanning for exposed Ivanti Connect Secure and Policy Secure instances, and checking the version number to determine whether the vulnerability is present. Owners of vulnerable instances receive a notification with the host information and mitigation steps.
+​
+{% comment %}  Leave this here, so we see a timeline{% endcomment %}
+{% include timeline.html %}
+​
+​
+## More information
+* [Ivanti Publication](https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways)
+* [Ivanti Security Advisory](https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US)
+* [Volexity Advice](https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/) 
+* [BleepingComputer Blogpost](https://www.bleepingcomputer.com/news/security/ivanti-warns-of-connect-secure-zero-days-exploited-in-attacks/)
+* {% cve CVE-2023-46805 %}
+* {% cve CVE-2024-21887 %}
+

From 5064af7048d8e387121b2a2533259f46f6ade342 Mon Sep 17 00:00:00 2001
From: Frank Breedijk <f.breedijk@divd.nl>
Date: Wed, 10 Jan 2024 20:58:24 +0100
Subject: [PATCH 2/4] Mijn plasje over de casefile heen.

---
 _cases/2024/DIVD-2023-00001.md | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/_cases/2024/DIVD-2023-00001.md b/_cases/2024/DIVD-2023-00001.md
index 793af016..0b83911b 100644
--- a/_cases/2024/DIVD-2023-00001.md
+++ b/_cases/2024/DIVD-2023-00001.md
@@ -20,17 +20,17 @@ product:
 - Ivanti Policy Secure
 versions: 
 - All supported versions
-recommendation: "While the patch is under development, apply Ivanti’s mitigation."
+recommendation: "While the patch is under development, apply Ivanti’s mitigation, or take the appliance offline."
 patch_status: Under development
-workaround: Import the mitigation file mitigation.release.20240107.1.xml provided by Ivanti in the download portal.
-status : Open
+workaround: Import the mitigation file mitigation.release.20240107.1.xml provided by Ivanti in the download portal or take the device offline.
+status : Case opened
 start: 2024-01-10
 end: 
 timeline:
 - start: 2024-01-10
   end:
   event: "DIVD receives signals about a vulnerability in Ivanti Pulse Connect and starts fingerprinting."
-- start: 24-01-10
+- start: 2024-01-10
   end:
   event: “Advisory published, DIVD starts scanning for vulnerable instances."
 #ips: 
@@ -38,19 +38,21 @@ timeline:
 # This field becomes mandatory when the case status is set to 'Closed'
 ---
 ## Summary
-​
-An authentication bypass and command injection vulnerability were discovered in Ivanti Connect Secure and Ivanti Policy Secure. Multiple sources report active exploitation by threat actors, making immediate mitigation necessary. By combining these two vulnerabilities, threat actors are able to take complete control of the underlying system. Ivanti does not yet have a patch, which is expected to be released in the week of January 22nd. In the meantime, a mitigation is provided that can be downloaded in the Ivanti download portal. 
-​
+ 
+An authentication bypass and a command injection vulnerability were discovered in Ivanti Connect Secure and Ivanti Policy Secure, it is present in all supported versions. Multiple sources report active exploitation by threat actors, making immediate mitigation necessary. By combining these two vulnerabilities, threat actors are able to take complete control of the underlying system. Ivanti does not yet have a patch, which is expected to be released in the week of January 22nd. In the meantime, a mitigation is provided that can be downloaded in the Ivanti download portal. 
+ 
 ## What you can do
-The patch is expected to be released in the week of January 22nd. Before the release, it is crucial the provided mitigation is applied as soon as possible. The mitigation can be applied by downloading and importing mitigation.release.20240107.1.xml from the Ivanti download portal. Additionally, Volexity (see references) provided detection rules to monitor for exploitation.
+Given that theere is active exploitation, it is crucial the provided mitigation is applied as soon as possible or that the appliance is take offline until mitigations are avilable. It is also recommended to check the appliance for sings of previous exploitation.
+The mitigation can be applied by downloading and importing mitigation.release.20240107.1.xml from the Ivanti download portal. Additionally, Volexity (see references) provided detection rules to monitor for exploitation.
+The patch is expected to be released in the week of January 22nd.
 
 ## What we are doing
-​DIVD is currently working to identify vulnerable instances and notify the owners of these systems. We do this by scanning for exposed Ivanti Connect Secure and Policy Secure instances, and checking the version number to determine whether the vulnerability is present. Owners of vulnerable instances receive a notification with the host information and mitigation steps.
-​
+DIVD is currently working to identify vulnerable instances and notify the owners of these systems. We do this by scanning for exposed Ivanti Connect Secure and Policy Secure instances, and checking the version number to determine whether the vulnerability is present. Owners of vulnerable instances receive a notification with the host information and mitigation steps.
+ 
 {% comment %}  Leave this here, so we see a timeline{% endcomment %}
 {% include timeline.html %}
-​
-​
+ 
+ 
 ## More information
 * [Ivanti Publication](https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways)
 * [Ivanti Security Advisory](https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US)

From d070b1a2463f2de72cf59d1aa0bf58c6e65cfbdc Mon Sep 17 00:00:00 2001
From: Max <25766540+Maximand@users.noreply.github.com>
Date: Wed, 10 Jan 2024 21:09:37 +0100
Subject: [PATCH 3/4] Update DIVD-2023-00001.md

---
 _cases/2024/DIVD-2023-00001.md | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/_cases/2024/DIVD-2023-00001.md b/_cases/2024/DIVD-2023-00001.md
index 0b83911b..9c01befd 100644
--- a/_cases/2024/DIVD-2023-00001.md
+++ b/_cases/2024/DIVD-2023-00001.md
@@ -23,7 +23,7 @@ versions:
 recommendation: "While the patch is under development, apply Ivanti’s mitigation, or take the appliance offline."
 patch_status: Under development
 workaround: Import the mitigation file mitigation.release.20240107.1.xml provided by Ivanti in the download portal or take the device offline.
-status : Case opened
+status : open
 start: 2024-01-10
 end: 
 timeline:
@@ -42,9 +42,7 @@ timeline:
 An authentication bypass and a command injection vulnerability were discovered in Ivanti Connect Secure and Ivanti Policy Secure, it is present in all supported versions. Multiple sources report active exploitation by threat actors, making immediate mitigation necessary. By combining these two vulnerabilities, threat actors are able to take complete control of the underlying system. Ivanti does not yet have a patch, which is expected to be released in the week of January 22nd. In the meantime, a mitigation is provided that can be downloaded in the Ivanti download portal. 
  
 ## What you can do
-Given that theere is active exploitation, it is crucial the provided mitigation is applied as soon as possible or that the appliance is take offline until mitigations are avilable. It is also recommended to check the appliance for sings of previous exploitation.
-The mitigation can be applied by downloading and importing mitigation.release.20240107.1.xml from the Ivanti download portal. Additionally, Volexity (see references) provided detection rules to monitor for exploitation.
-The patch is expected to be released in the week of January 22nd.
+Given that there is active exploitation, it is crucial the provided mitigation is applied as soon as possible or that the appliance is take offline until mitigations are available. It is also recommended to check the appliance for signs of previous exploitation. The mitigation can be applied by downloading and importing mitigation.release.20240107.1.xml from the Ivanti download portal. Additionally, Volexity (see references) provided detection rules to monitor for exploitation. The patch is expected to be released in the week of January 22nd.
 
 ## What we are doing
 DIVD is currently working to identify vulnerable instances and notify the owners of these systems. We do this by scanning for exposed Ivanti Connect Secure and Policy Secure instances, and checking the version number to determine whether the vulnerability is present. Owners of vulnerable instances receive a notification with the host information and mitigation steps.

From 346a2165e33011d4b1ff8fa0f63e578becf4b5af Mon Sep 17 00:00:00 2001
From: Max <25766540+Maximand@users.noreply.github.com>
Date: Wed, 10 Jan 2024 21:12:19 +0100
Subject: [PATCH 4/4] Update DIVD-2023-00001.md

---
 _cases/2024/DIVD-2023-00001.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/_cases/2024/DIVD-2023-00001.md b/_cases/2024/DIVD-2023-00001.md
index 9c01befd..2827cbed 100644
--- a/_cases/2024/DIVD-2023-00001.md
+++ b/_cases/2024/DIVD-2023-00001.md
@@ -33,6 +33,9 @@ timeline:
 - start: 2024-01-10
   end:
   event: “Advisory published, DIVD starts scanning for vulnerable instances."
+- start: 2024-01-10
+  end:
+  event: “Case opened, first version of this casefile."
 #ips: 
 # ips is used for statistics after the case is closed. If it is not applicable, you can set IPs to n/a (e.g. stolen credentials)
 # This field becomes mandatory when the case status is set to 'Closed'