In recent months, the Ivanti product suite has encountered several high-profile vulnerabilities, raising concerns within the cybersecurity community. Since the start of the calendar year, four critical vulnerabilities have been associated with Ivanti Connect Secure, Policy Secure, and Neurons. While the vendor has diligently addressed each vulnerability and deployed mitigations, the recurrence of vulnerabilities within a short timeframe underscores the importance of maintaining vigilance when managing Ivanti products.

Overview of Vulnerabilities

• CVE-2023-46805: This authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x, and Ivanti Policy Secure allows remote attackers to access restricted resources by bypassing control checks.
• CVE-2024-21887: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) enables an authenticated administrator to execute arbitrary commands on the appliance through specially crafted requests.
• CVE-2024-21893: A server-side request forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and Ivanti Neurons for ZTA allows attackers to access restricted resources without authentication.
• CVE-2024-21888: This privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) permits users to elevate privileges to that of an administrator.

These vulnerabilities, when exploited together, create a high impact attack chain. For instance, CVE-2024-21893 has been observed being leveraged alongside CVE-2024-21887, resulting in remote code execution. The unauthenticated SSRF vulnerability within CVE-2024-21893 can be used to perform an arbitrary HTTP GET request, which can then be modified to exploit the command injection vulnerability within the '/api/v1/license/keys-status' endpoint, potentially leading to the establishment of a reverse shell with an attacker's machine.

Additionally, CVE-2023-46805, an authentication bypass vulnerability, can be exploited via a path traversal vulnerability found in the "/api/v1/totp/user-backup-code" endpoint. Due to the lack of authentication on this endpoint, adversaries can access public-facing endpoints. This vulnerability has also been observed being exploited in conjunction with CVE-2024-21887, facilitating remote code execution.

Customer Call to Action

1. Upgrade to Secure Versions: Ensure that all known instances of Ivanti Connect Secure and Ivanti Policy Secure are updated to Ivanti Connect Secure version 22.5R2.2 and Ivanti Policy Secure version 22.5R1.1, respectively, to mitigate these vulnerabilities.
2. Legacy Instance Investigation: Identify any legacy instances of Ivanti Connect Secure or Policy Secure and engage with the Lumifi SOC for additional investigation to prevent exploitation.

Lumifi's Response

1. Proactive Detection: Following the disclosure of the proof-of-concept by Rapid7 on January 31st, Lumifi engineered a detection mechanism to identify potential exploitation attempts.
   Continuous Threat Research: The Lumifi SOC conducts ongoing threat research to ensure that any updates regarding new indicators of compromise (IoCs) are reflected within their threat hunts in customer environments.
2. In conclusion, the recent vulnerabilities affecting the Ivanti product suite highlight the critical need for proactive security measures and prompt updates. By remaining vigilant and implementing recommended actions, organizations can mitigate risks and protect their environments against potential exploits. If you have any concerns or require assistance, please reach out to Lumifi for support.