Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

First version casefile 2024-00001 #701

Merged
merged 4 commits into from
Jan 10, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
64 changes: 64 additions & 0 deletions _cases/2024/DIVD-2023-00001.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
---
layout: case
title: "Authentication Bypass and Command Injection in Ivanti Connect Secure and Policy Secure"
excerpt: "Ivanti warns of an authentication bypass and command injection exploited by threat actors in its Connect Secure and Policy Secure products."
author: Max van der Horst
lead: Lennaert Oudshoorn
researchers:
- Frank Breedijk
- Lennaert Oudshoorn
- Ralph Horn
- Victor Pasman
- Barre Dijkstra
- Max van der Horst
# You can use free text here as well. E.g. to indicate that some vulnerabilities don't have CVEs assigned (yet).
cves:
- CVE-2023-46805
- CVE-2024-21887
product:
- Ivanti Connect Secure
- Ivanti Policy Secure
versions:
- All supported versions
recommendation: "While the patch is under development, apply Ivanti’s mitigation, or take the appliance offline."
patch_status: Under development
workaround: Import the mitigation file mitigation.release.20240107.1.xml provided by Ivanti in the download portal or take the device offline.
status : open
start: 2024-01-10
end:
timeline:
- start: 2024-01-10
end:
event: "DIVD receives signals about a vulnerability in Ivanti Pulse Connect and starts fingerprinting."
- start: 2024-01-10
end:
event: “Advisory published, DIVD starts scanning for vulnerable instances."
- start: 2024-01-10
end:
event: “Case opened, first version of this casefile."
#ips:
# ips is used for statistics after the case is closed. If it is not applicable, you can set IPs to n/a (e.g. stolen credentials)
# This field becomes mandatory when the case status is set to 'Closed'
---
## Summary

An authentication bypass and a command injection vulnerability were discovered in Ivanti Connect Secure and Ivanti Policy Secure, it is present in all supported versions. Multiple sources report active exploitation by threat actors, making immediate mitigation necessary. By combining these two vulnerabilities, threat actors are able to take complete control of the underlying system. Ivanti does not yet have a patch, which is expected to be released in the week of January 22nd. In the meantime, a mitigation is provided that can be downloaded in the Ivanti download portal.

## What you can do
Given that there is active exploitation, it is crucial the provided mitigation is applied as soon as possible or that the appliance is take offline until mitigations are available. It is also recommended to check the appliance for signs of previous exploitation. The mitigation can be applied by downloading and importing mitigation.release.20240107.1.xml from the Ivanti download portal. Additionally, Volexity (see references) provided detection rules to monitor for exploitation. The patch is expected to be released in the week of January 22nd.

## What we are doing
DIVD is currently working to identify vulnerable instances and notify the owners of these systems. We do this by scanning for exposed Ivanti Connect Secure and Policy Secure instances, and checking the version number to determine whether the vulnerability is present. Owners of vulnerable instances receive a notification with the host information and mitigation steps.

{% comment %} Leave this here, so we see a timeline{% endcomment %}
{% include timeline.html %}


## More information
* [Ivanti Publication](https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways)
* [Ivanti Security Advisory](https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US)
* [Volexity Advice](https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/)
* [BleepingComputer Blogpost](https://www.bleepingcomputer.com/news/security/ivanti-warns-of-connect-secure-zero-days-exploited-in-attacks/)
* {% cve CVE-2023-46805 %}
* {% cve CVE-2024-21887 %}