Zero-Day Exploitation of Ivanti Connect Secure and Policy Secure Gateways

Last updated at Mon, 04 Mar 2024 21:19:34 GMT

Information on these vulnerabilities and follow-on CVEs has evolved considerably since this blog was originally published on January 11, 2024. Customers should refer to Ivanti's various advisories, KB article, and recovery guidance  for the latest updates.

On Wednesday, January 10, 2024, Ivanti disclosed two zero-day vulnerabilities affecting their Ivanti Connect Secure and Ivanti Policy Secure gateways. Security firm Volexity, who discovered the vulnerabilities, also published a blog with information on indicators of compromise and attacker behavior observed in the wild. In an attack Volexity investigated in December 2023, the two vulnerabilities were chained to gain initial access, deploy webshells, backdoor legitimate files, capture credentials and configuration data, and pivot further into the victim environment.

The two vulnerabilities from the initial advisory are:

• CVE-2023-46805, a zero-day authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that allows a remote attacker to access restricted resources by bypassing control checks.
• CVE-2024-21887, a critical zero-day command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet

Rapid7 research has reproduced the attack leveraging CVE-2023-46895 and CVE-2024-21887; our team has a full technical analysis of the original exploit chain available in AttackerKB.

Two additional vulnerabilities were disclosed on January 31, 2024:

• CVE-2024-21893, a zero-day server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA that allows an attacker to access certain restricted resources without authentication. According to Ivanti's new advisory, CVE-2024-21893 has been exploited in a limited number of customer environments.
• CVE-2024-21888, a privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) that allows a user to elevate privileges to that of an administrator.

An additional vulnerability was disclosed on February 8, 2024:

• CVE-2024-22024 is an XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication. According to Ivanti's advisory, the mitigation provided on 31 January is effective at blocking this vulnerable endpoint.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a bulletin on January 30 warning that threat actors are exploiting Ivanti vulnerabilities to capture credentials, drop webshells, and evade the original vendor-supplied mitigation. Both Volexity and Mandiant have released extensive descriptions of the attack and indicators of compromise — we strongly recommend reviewing their blogs. Volexity and CISA have both emphasized that adversaries have been observed trying to evade Ivanti's ICS Integrity Checker Tool.

Rapid7 urges customers who use Ivanti Connect Secure or Policy Secure to take immediate steps to apply the vendor-supplied patch and look for indicators of compromise. CISA and others have also stressed the importance of immediate action and continuous threat hunting. Ivanti devices should also be factory reset.

Counts of internet-exposed appliances vary widely depending on the query used. When CVE-2023-46805 and CVE-2024-21887 were disclosed, the following Shodan query identified roughly 7K devices on the public internet; looking for Ivanti’s welcome page alone more than doubles that number (but reduces accuracy): http.favicon.hash:-1439222863 html:"welcome.cgi?p=logo. Rapid7 Labs has observed both scanning activity and exploit attempts targeting our honeypots that emulate Ivanti Connect Secure appliances.

Mitigation guidance

Important: Ivanti has released additional guidance on attacker artifacts and recovery steps for impacted appliances since the information below was initially published. Customers should refer to Ivanti's advisory, KB article, and recovery guidance as their sources of truth as new information continues to come to light.

• All supported versions (9.x and 22.x) of Ivanti Connect Secure and Ivanti Policy Secure are vulnerable to CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, and CVE-2024-21888.  
• Per Ivanti's communications, all four CVEs are remediated with a patch available as of January 31, 2024 via the standard download portal for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3. As of February 1, a patch addressing known vulnerabilities is also available for Ivanti Connect Secure version 22.5R2.2 and Ivanti Policy Secure 22.5R1.1.
• There is also a patch available for CVE-2024-22024 as of February 8, 2024.
• Ivanti has recovery steps for impacted appliances here.
• Updated patch timelines and other information can be found here.

Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons customers should apply vendor-supplied patches on an emergency basis, factory reset their devices, and investigate their environments for signs of compromise. Ivanti advises customers using unsupported versions of the product to upgrade to a supported version before applying workarounds.

Note: Adversaries have been observed wiping logs and/or disabling logging on target devices. Administrators should ensure logging is enabled. Ivanti has a built-in integrity checker tool (ICT) that verifies the image on Ivanti Connect Secure and Ivanti Policy Secure appliances and looks for modified files. Ivanti is advising customers to use the external version of this tool to check the integrity of the ICS/IPS images, since Ivanti has seen adversaries “attempting to manipulate” the internal integrity checker tool.

Note: Per Ivanti’s advisory and KB article for CVE-2023-46805 and CVE-2024-21887, “Ivanti Neurons for ZTA gateways cannot be exploited when in production. If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway. Ivanti Neurons for Secure Access is not vulnerable to these CVEs; however, the gateways being managed are independently vulnerable to these CVEs.”

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to Ivanti Pulse Connect Secure CVE-2023-46805 and CVE-2024-21887 with unauthenticated vulnerability checks in the January 11 content release. Unauthenticated vulnerability checks are available for CVE-2023-46805 and CVE-2024-21887 in Ivanti Policy Secure as of January 12 (content version 1.1.3069).

Update February 1: InsightVM and Nexpose customers can assess their exposure to CVE-2024-21888 and CVE-2024-21893 in Ivanti Connect Secure with unauthenticated vulnerability checks in the February 1 content release (content version 1.1.3083). Further updates for Ivanti Policy Secure and coverage for Ivanti Neurons for ZTA are under investigation and may be available in the future.

Update February 12: InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-22024 in Ivanti Connect Secure with a vulnerability check available in the February 12 content release.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on post-exploitation behavior related to this zero-day vulnerability:

• Suspicious Web Request - Possible Ivanti Exploit Activity
• Suspicious Web Request - Possible Ivanti CVE-2023-46805 Exploitation

Blog Updates

January 12, 2024: Updated to include a reference to Mandiant's blog on the attack, which includes indicators of compromise.

January 16, 2024: Updated to note that Rapid7 research has reproduced the exploit chain and has a full technical analysis available in AttackerKB.

January 23, 2024: Updated to reflect that Rapid7 Labs has detected attempted exploitation of Ivanti Connect Secure.

January 24, 2024: Updated with additional guidance from Ivanti on recovering compromised appliances. Customers should refer to Ivanti's advisory, KB article, and recovery guidance as their sources of truth as new information continues to come to light.

January 30, 2024: Updated with note on patch delays from Ivanti.

January 31, 2024: Updated with new CVEs disclosed by Ivanti (CVE-2024-21893 and CVE-2024-21888), new Mandiant analysis, new CISA bulletin information, and new vendor-supplied patch information. Updated with detection information for InsightIDR and Rapid7 MDR customers. Updated to note that the InsightVM coverage development team is investigating the new CVEs.

February 1, 2024: Updated to note that InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-21888 and CVE-2024-21893 in Ivanti Connect Secure with unauthenticated vulnerability checks in today's (February 1) content release (content version 1.1.3083).

February 2, 2024: Updated to reflect that as of February 1, Ivanti has indicated that a patch addressing all known vulnerabilities is also available for Ivanti Connect Secure version 22.5R2.2 and Ivanti Policy Secure 22.5R1.1.

February 8, 2024: Ivanti has disclosed an additional vulnerability, CVE-2024-22024, in Ivanti Connect Secure and Ivanti Policy Secure. According to the advisory, CVE-2024-22024 is not yet known to have been exploited in the wild.

February 12, 2024: Updated to emphasize the need to factory reset devices; a vulnerability check for Ivanti Connect Secure CVE-2024-22024 will be available in today's InsightVM and Nexpose content release.

March 1, 2024: In an advisory released on February 29th, CISA, in conjunction with the FBI, NCSC-UK, and other trusted entities, is strongly urging organizations to consider the risk associated with the continued use of Ivanti Connect Secure and Ivanti Policy Secure gateways.

The advisory states that Ivanti's internal integrity checker "is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets." and that "the safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit level persistence on a device that has been reset and lay dormant for an arbitrary amount of time."

CISA's advisory applies to all usage of Ivanti Connect Secure and Ivanti Policy Secure gateways, regardless of any steps previously taken to mitigate or remediate threats stemming from CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893.