Dataconomy

CVE-2024-21893: Ivanti Policy vulnerability affected users in 2024

by Kerem Gülen
February 7, 2024
in Cybersecurity

CVE-2024-21893, a server-side request forgery (SSRF) flaw affecting Ivanti Connect Secure and Ivanti Policy Secure, is currently being exploited on a wide scale by numerous adversaries.

CVE-2024-21893: Details of Ivanti vulnerability 2024

On January 31, 2024, Ivanti first issued alerts about this vulnerability in the gateway’s SAML components, designating it a zero-day because it was already under active, albeit limited, exploitation affecting a few clients. Exploiting CVE-2024-21893 lets attackers circumvent authentication and gain access to restricted areas on affected models (versions 9.x and 22.x).

Shadowserver, a threat monitoring entity, reports observing a surge in exploitation attempts, with 170 unique IP addresses targeting CVE-2024-21893.


We observed CVE-2024-21893 exploitation using '/dana-na/auth/saml-logout.cgi' on Feb 2nd hours before @Rapid7 posting & unsurprisingly lots to '/dana-ws/saml20.ws' after publication. This includes reverse shell attempts & other checks. To date, over 170 attacking IPs involved https://t.co/yUy4y2xCCz

— Shadowserver (@Shadowserver) February 4, 2024

The frequency and intensity of the attacks on CVE-2024-21893 surpass those observed with other recently fixed or mitigated Ivanti vulnerabilities, highlighting a significant pivot in attacker strategy.
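For defenders reviewing their own traffic, the two request paths named in the Shadowserver post can be used as a triage filter. The sketch below is an added example, not code from Shadowserver, Rapid7 or Ivanti; it assumes Common/Combined Log Format lines from a proxy or sensor in front of the gateway, and the sample lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Endpoints named in the Shadowserver post quoted above.
WATCHED_PATHS = ("/dana-na/auth/saml-logout.cgi", "/dana-ws/saml20.ws")

# Assumption: Common/Combined Log Format from a proxy or sensor in front
# of the gateway. This is not a native Ivanti log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalise(target):
    """Strip query/fragment, collapse duplicate slashes, lowercase.

    Case-insensitive matching is a deliberately broad choice so that
    trivially altered request paths still surface for review."""
    path = re.split(r"[?#]", target, maxsplit=1)[0]
    return re.sub(r"/{2,}", "/", path).lower()

def summarise(lines):
    """Return {source_ip: {path: [(timestamp, method, status), ...]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = normalise(m["target"])
        if path in WATCHED_PATHS:
            hits[m["ip"]][path].append((m["ts"], m["method"], int(m["status"])))
    return {ip: dict(paths) for ip, paths in hits.items()}

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [02/Feb/2024:09:14:02 +0000] "POST /dana-na/auth/saml-logout.cgi HTTP/1.1" 200 512',
    '192.0.2.10 - - [02/Feb/2024:09:14:05 +0000] "POST /dana-ws/saml20.ws HTTP/1.1" 200 0',
    '198.51.100.7 - - [03/Feb/2024:11:00:41 +0000] "POST //dana-ws/SAML20.ws?x=1 HTTP/1.1" 500 0',
    '203.0.113.5 - - [03/Feb/2024:11:02:00 +0000] "GET /robots.txt HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for ip, paths in summarise(SAMPLE).items():
        for path, events in paths.items():
            print(ip, path, len(events), "first seen", events[0][0])
```

Both endpoints can also receive legitimate SAML traffic, so a hit is a lead for triage against known identity-provider addresses rather than proof of compromise.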


The publication of a proof-of-concept (PoC) exploit by researchers at Rapid7 on February 2, 2024, has likely facilitated these attacks. However, Shadowserver’s findings suggest that attackers were using comparable techniques hours before the Rapid7 findings were made public, indicating that they had already worked out how to exploit CVE-2024-21893 to gain unauthenticated access to susceptible Ivanti endpoints.

Shadowserver’s analysis reveals that approximately 22,500 Ivanti Connect Secure devices are currently accessible online, though the exact number vulnerable to this specific flaw remains uncertain.

The disclosure of CVE-2024-21893 coincided with the release of security patches for two additional zero-day vulnerabilities affecting the same Ivanti products: CVE-2023-46805 and CVE-2024-21887, initially identified by Ivanti on January 10, 2024. Ivanti promptly shared provisional countermeasures following their discovery. These vulnerabilities have been exploited by the Chinese espionage entity known as UTA0178/UNC5221, which used them to implant webshells and backdoors within compromised systems. At the height of this campaign in mid-January, approximately 1,700 devices were affected.


Despite Ivanti’s early mitigations, adversaries worked around these initial safeguards and even tampered with the devices’ configuration files. This led Ivanti to delay its firmware updates, originally slated for January 22, in order to deal with this more advanced threat.

Ivanti Policy Secure VPN appliances affected

With these severe zero-day vulnerabilities under ongoing exploitation, and with robust countermeasures and updates still missing for some versions of the impacted products, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has ordered federal agencies to disconnect all affected Ivanti Policy Secure VPN appliances. Reconnection is permitted only for devices that have undergone a factory reset and have been updated to the most current firmware release. Nonetheless, older versions that remain susceptible continue to lack a corrective update.




The same steps are advised for private sector entities, although compliance is not obligatory. Organizations are urged to assess carefully the security posture of their Ivanti solutions and the overall reliability of their network environments.

Vulnerabilities like CVE-2024-21893 expose the intricate challenges that organizations face in safeguarding digital infrastructures. The widespread exploitation of this flaw underscores the importance of swift, proactive measures to patch known security gaps and reinforce defenses. It is a stark reminder for entities across all sectors to remain vigilant, continuously monitor their systems for unusual activity, and adhere to best practices in cybersecurity hygiene. As adversaries grow more sophisticated, defensive strategies must evolve with them to preserve the integrity and resilience of digital ecosystems.

