Ivanti Zero-Day : Navigating CVE-2024-21887 and CVE-2023-46805 Vulnerabilities
Exploring the recent zero-day vulnerabilities in Ivanti Connect Secure and Policy Secure, and the recommended mitigations for affected organizations.
Medusa
5 Mins
Ivanti Zero-Day: What Happened?
Ivanti's Connect Secure VPN and Policy Secure network access control (NAC) appliances are affected by two zero-day vulnerabilities. Threat intelligence company Volexity discovered both and observed them being actively exploited in attacks since December. The zero-days, CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection), are now being leveraged by multiple threat groups in widespread attacks that commenced on January 11.
When CVE-2024-21887 is chained with CVE-2023-46805, exploitation requires no authentication: a threat actor can craft malicious requests and execute arbitrary commands on the appliance.
Ivanti has been collaborating closely with Mandiant, impacted customers, government partners, and Volexity to address these vulnerabilities. In their ongoing investigation, Ivanti has published a blog post and provided mitigations for the vulnerabilities exploited in this attack. These resources can help organizations determine if their systems have been affected.
Who is affected?
Organizations that use Ivanti Connect Secure and Policy Secure gateway.
About the Vulnerabilities in this Attack
1. What is an authentication bypass?
An authentication bypass vulnerability refers to a security flaw that allows an attacker to gain unauthorized access to a system or application without having to provide valid credentials or authentication.
APIs often require users or applications to provide valid credentials, such as an API key, token, or username/password combination, to authenticate and verify their identity before granting access to the requested resources. However, an authentication bypass vulnerability allows an attacker to bypass this verification step and directly access the API.
In Ivanti ICS, the identified vulnerable API is the one associated with the endpoint
2. What is command injection?
Command injection is a type of security vulnerability that occurs when an attacker is able to execute arbitrary commands on a system or application by manipulating its input parameters. In the context of the Ivanti Connect Secure and Policy Secure vulnerabilities, command injection refers to the exploitation of the CVE-2024-21887 vulnerability, which allows threat actors to inject and execute unauthorized commands on the system.
In Ivanti ICS, the API that is vulnerable to a command injection attack is identified as follows:
Exploitation Details
After successfully exploiting CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection), the attacker deployed various custom malware families. In some instances, legitimate files within Connect Secure were trojanized with malicious code.
The attacker used a Perl script (sessionserver.pl) to remount the filesystem as "read/write", changing it from "read-only" (where files can only be viewed, not changed) to "read/write" (where files can be both viewed and modified). This allowed the deployment of THINSPOOL, a shell script dropper that writes the LIGHTWIRE web shell into a genuine Connect Secure file, along with other subsequent tools.
According to Mandiant, THINSPOOL is a key component for maintaining persistence and evading detection. It acts as the initial dropper for the LIGHTWIRE web shell, which is used by the threat group UNC5221 for their post-exploitation activities.
Mandiant's investigation uncovered an attacker using a suite of tools, including:
Zipline Passive Backdoor: Intercepts network traffic, supports upload/download, reverse shells, proxy servers.
Thinspool Dropper: Places Lightwire web shell on Ivanti CS for system persistence.
Wirefire web shell: Python-based, allows unauthenticated command execution, payload dropping.
Lightwire web shell: Perl-based, embedded in a file, executes arbitrary commands.
Warpwire Harvester: JavaScript tool for harvesting login credentials, sent to a control server.
PySoxy Tunneler: Facilitates network traffic tunneling for stealth.
BusyBox: Multi-call binary, combines Unix utilities.
Thinspool Utility (sessionserver.pl): Remounts filesystem as 'read/write' for malware deployment.
MobileIron zero-day bug
One month later, hackers began exploiting a third zero-day vulnerability (CVE-2023-38035) in Ivanti's Sentry software. Ivanti Sentry, formerly MobileIron Sentry, acts as a gateway in front of important enterprise servers, such as Microsoft Exchange and SharePoint servers. It can also act as a proxy for a Kerberos Key Distribution Center (KDC).
This vulnerability was exploited to bypass API authentication in targeted and limited attacks on vulnerable devices. It allows unauthenticated attackers to gain access to sensitive admin portal configuration APIs that are exposed over port 8443.
According to Ivanti, the impact of CVE-2023-38035 is limited to a small number of customers. "This vulnerability does not affect other Ivanti products or solutions, such as Ivanti EPMM, MobileIron Cloud or Ivanti Neurons for MDM," Ivanti said.
Ivanti provided a detailed explanation of how to update systems running the affected service to newer versions.
Mitigations
Ivanti has observed evidence of threat actors attempting to manipulate its internal Integrity Checker Tool (ICT). As a precautionary measure, Ivanti recommends that all customers run the external ICT, and it is regularly releasing updates to both the external and internal ICT. Ivanti also recommends that customers always run the ICT in conjunction with continuous monitoring.
The patch is still being deployed, but Ivanti has recommended following the guidelines from their blog to mitigate the issue. Customers are urged to implement the provided mitigation measures and update to newer versions.
Securing APIs
API security is crucial in ensuring the authentication and authorization processes are robust and secure. By properly securing APIs, organizations can protect sensitive data, prevent unauthorized access, and mitigate the risk of attacks such as authentication bypass.
In the context of the Ivanti vulnerabilities, securing APIs involves implementing the following best practices:
Authentication mechanisms: Organizations should implement strong authentication mechanisms such as OAuth, JWT (JSON Web Tokens), or API keys to verify the identity of users or applications accessing the API. This ensures that only authorized entities can access the API and its resources.
Authorization and access controls: Granular access controls and permissions should be defined to restrict access to specific API endpoints or resources based on user roles and privileges. This helps prevent unauthorized access to sensitive data or functionality.
Secure communication: Secure communication protocols such as HTTPS (TLS/SSL) should be used to encrypt data transmitted between the client and the API server. This protects sensitive information from eavesdropping or interception.
Input validation and sanitization: User input should be validated and sanitized to prevent common vulnerabilities such as command injection or SQL injection. Implementing input validation techniques such as parameterized queries or input validation libraries ensures that user-supplied data is safe and does not introduce security risks.
Rate limiting and throttling: Rate limiting and throttling mechanisms should be implemented to prevent abuse, brute-force attacks, or excessive API usage. This helps protect the API from being overwhelmed by malicious or excessive requests.
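The following is an added illustration, not code from Ivanti or from this post, of two of the controls above applied to a small constructed API layer: authentication is enforced centrally before any handler runs (so no endpoint is reachable unauthenticated unless explicitly allowlisted), and a host parameter is validated against an allowlist pattern and passed as an argv list rather than spliced into a shell command. All paths, header names and the API key are hypothetical.

```python
import re
import shlex
from typing import Dict, List, Tuple

# Hypothetical key store; a real deployment would use an IdP, vault or token service.
VALID_API_KEYS = {"demo-key-123"}

# Explicit allowlist: only these paths may be served without credentials.
UNAUTHENTICATED_PATHS = {"/api/v1/health"}

# Allowlist pattern for a hostname parameter: letters, digits, dots and hyphens only,
# so shell metacharacters such as ';', '|', '`' or '$' are rejected outright.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def authenticated(headers: Dict[str, str]) -> bool:
    return headers.get("X-Api-Key") in VALID_API_KEYS


def vulnerable_ping(host: str) -> str:
    """Deliberately unsafe pattern: input is spliced into a shell command line.
    Returns the command string it would run instead of executing it."""
    return f"ping -c 1 {host}"


def safe_ping_argv(host: str) -> List[str]:
    """Validate the parameter, then build an argv list; no shell is involved.
    The caller would pass this list to subprocess.run(argv) without shell=True."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def dispatch(path: str, headers: Dict[str, str], params: Dict[str, str]) -> Tuple[int, str]:
    """Central gate: authenticate first, then route. Returns (status, body)."""
    if path not in UNAUTHENTICATED_PATHS and not authenticated(headers):
        return 401, "unauthorized"
    if path == "/api/v1/health":
        return 200, "ok"
    if path == "/api/v1/ping":
        try:
            argv = safe_ping_argv(params.get("host", ""))
        except ValueError as exc:
            return 400, str(exc)
        # Return the safely quoted command instead of executing it in this demo.
        return 200, " ".join(shlex.quote(a) for a in argv)
    return 404, "not found"
```

Routing every request through dispatch() means a newly added endpoint cannot accidentally skip the credential check, and a rejected value never reaches a shell in the first place.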
Akto: Akto can assist you in detecting vulnerabilities in APIs. You can import your APIs and store them in a collection to automate testing. Utilize our test editor feature to run multiple test templates and identify vulnerabilities, or create custom templates. Give it a try today!
It is crucial for organizations to stay proactive in their security measures to mitigate risks and protect their networks from potential attacks.
Conclusion
The Ivanti Connect Secure and Policy Secure vulnerabilities pose a significant threat to organizations using these gateways. The authentication bypass and command injection vulnerabilities have been actively exploited by threat actors since December, highlighting the urgency for affected organizations to take action. Ivanti has been working closely with Mandiant and other partners to address these vulnerabilities, providing mitigations and updates to help organizations protect their systems. It is crucial for organizations to apply the recommended patches, implement strong API security measures, and stay vigilant against potential attacks.