Latest Ivanti vulnerability #
On April 2, 2024, Ivanti disclosed multiple vulnerabilities in their Ivanti Connect Secure and Ivanti Policy Secure products.
- CVE-2024-21894 is rated high with CVSS score of 8.2 and allows an unauthenticated attacker to potentially execute arbitrary code on the affected system.
- CVE-2024-22052 is rated high with CVSS score of 7.5 and allows an unauthenticated attacker to create a denial-of-service (DoS) condition on affected systems.
- CVE-2024-22053 is rated high with a CVSS score of 8.2 would allow an unauthenticated attacker to read potentially sensitive memory contents.
- CVE-2024-22023 is rated medium with a CVSS score of 5.3 and would allow an unauthenticated attacker to create a denial-of-service (DoS) condition on affected systems.
What is the impact? #
Successful exploitation of these vulnerabilities would allow an attacker to execute arbitrary code, read potentially sensitive memory, or create a denial-of-service (DoS) condition on affected devices.
Are updates or workarounds available? #
Ivanti has released patches to address these vulnerabilities, and all users are urged to update as quickly as possible.
How to find potentially vulnerable systems with runZero #
From the Service Inventory, use the following query to locate systems running potentially vulnerable software:
product:"Policy Secure" OR product:"Connect Secure"
Additional fingerprinting research is ongoing, and additional queries will be published as soon as possible.
February 2024 (CVE-2024-22024) #
On February 8th, 2024, Ivanti disclosed a serious vulnerability, CVE-2024-22024, which allowed attackers to bypass authentication on the affected device to reach restricted resources. This vulnerability earned a CVSS score of 8.3 out of 10, indicating a high degree of severity.
The vendor reported that there were no indications that this vulnerability had been exploited in the wild.
What was the impact? #
Upon successful exploitation of these vulnerabilities, attackers could access restricted resources on the vulnerable system without authentication. The vendor did not specify which resources were reachable without authentication, but did indicate that such resources were restricted.
Ivanti released an update to mitigate the issue (note that the provided link also discusses previous vulnerabilities in the same products). Users were urged to update as quickly as possible.
January 2024 vulnerabilities #
On January 10th, 2024, Ivanti disclosed two serious vulnerabilities in the Ivanti Connect Secure and Ivanti Policy Secure products.
The first issue, CVE-2023-46805, allowed attackers to bypass authentication controls to access restricted resources without authentication. This vulnerability earned a CVSS score of 8.2 out of 10, indicating a high degree of impact.
The second issue, CVE-2024-21887, allowed attackers to inject arbitrary commands to be executed on the affected device. Attackers had to be authenticated to exploit this vulnerability, but attackers might have been able to use the authentication bypass vulnerability above to achieve this. This vulnerability had a CVSS score of 9.1 out of 10, indicating a critical vulnerability.
The vendor reported that there were indications that these vulnerabilities had been exploited in the wild.
What was the impact? #
Upon successful exploitation of these vulnerabilities, attackers could execute arbitrary commands on the vulnerable system. This included the creation of new users, installation of additional modules or code, and, in general, system compromise.
Ivanti released an update to mitigate this issue. Users were urged to update as quickly as possible.
How to find potentially vulnerable products that expose a web interface #
From the Services Inventory, use the following query to locate assets running the vulnerable products in your network that expose a web interface and which may need remediation or mitigation:
_asset.protocol:http AND protocol:http AND http.body:"welcome.cgi?p=logo"
