Ivanti Connect Secure flaw massively exploited by attackers (CVE-2024-21893)
CVE-2024-21893, a server-side request forgery (SSRF) vulnerability affecting Ivanti Connect Secure VPN gateways and Policy Secure (a network access control solution), is being exploited by attackers.
About CVE-2024-21893
CVE-2024-21893 allows a attackers to bypass authentication requirements and access certain restricted resources on vulnerable solutions.
It affects the SAML component of:
- Ivanti Connect Secure (9.x, 22.x)
- Ivanti Policy Secure (9.x, 22.x)
- Ivanti Neurons for ZTA (SaaS-delivered zero trust network access solution)
Its existence, along with that of CVE-2024-21888, a privilege escalation vulnerability affecting the same Ivanti Connect Secure and Policy Secure versions, was revealed by Ivanti in late January.
According to Ivanti and Mandiant, CVE-2024-21893 is actually a new technique to bypass Ivanti’s original mitigation for CVE-2023-46805, another authentication bypass flaw, which has been leveraged by attackers in conjunction with CVE-2024-21887 (a command injection vulnerability that could allow remote code execution).
CVE-2024-21893 exploited
On February 2, Rapid7 published a technical analysis of CVE-2024-21893 and how it can be triggered and chained to CVE-2024-21887 for unauthenticated RCE.
Several days later, the Shadowserver Foundation said that they’ve observed attempted CVE-2024-21893 exploitation before and especially after Rapid7 making the analysis public.
“To date, over 170 attacking IPs [have been] involved,” Shadowserver noted, with attackers attempting to perform a variety of checks and to establish a reverse shell on vulnerable devices.
A slew of Ivanti zero-days under attack
It’s been a bad month or so for Ivanti and for organizations using its Connect Secure VPN gateways.
First CVE-2023-46805 and CVE-2024-21887 were being exploited and Ivanti only had a temporary mitigation to offer, pushing the US Cybersecurity and Infrastructure Agency (CISA) to order US federal agencies to “disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks” by February 2, 2024.
Those attacks were followed by these latest ones, exploiting CVE-2024-21893 and CVE-2024-21888.
All four vulnerabilities have since been remediated by Ivanti.