After investigating and testing code, Ivanti discovered a new vulnerability (CVE-2024-22024). Similar to the previous Ivanti vulnerabilities mentioned this week, the new vulnerability impacts Ivanti Connect Secure, Ivanti Policy Secure, and ZTA gateways.
With a CVSS score of 8.3, CVE-2024-22024 is an "XML external entity or XXE vulnerability in the SAML component allows attackers to access certain restricted resources without authentication." Although Ivanti has no evidence that the vulnerability has been exploited against customers, it is advising all users to patch as soon as possible. The vulnerability impacts the following supported versions:
Ivanti Connect Secure versions:
Ivanti Policy Secure version
ZTA version
Please note that the mitigation mentioned in Avertium’s original flash notice is effective at blocking this vulnerable endpoint. Also, customers who applied the patch released on 31 January or 1 February, and completed a factory reset of their appliance, do not need to factory reset their appliances again.
OVERVIEW
Ivanti has issued a critical advisory regarding two newly discovered vulnerabilities affecting its Connect Secure and Policy Secure products. These vulnerabilities are tracked as CVE-2024-21888 (CVSS score: 8.8) and CVE-2024-21893 (CVSS score: 8.2), with CVE-2024-21893 being actively exploited in the wild.
CVE-2024-21888
This vulnerability is a privilege escalation issue found in the web component of Ivanti Connect Secure (9.x, 22.x) and Policy Secure (9.x, 22.x). If exploited, attackers can gain administrative privileges.
CVE-2024-21893
This flaw is a server-side request forgery vulnerability in the SAML component of Connect Secure (9.x, 22.x), Policy Secure (9.x, 22.x), and Neurons for ZTA. Authenticated attackers can exploit the vulnerability to access restricted resources. The exploitation of CVE-2024-21893 appears to have only impacted a small number of Ivanti customers currently, but Ivanti anticipates a significant increase in exploitation once further details become public.
Additionally, Ivanti has released security patches for some affected versions and provides mitigation instructions for devices still awaiting a patch. Ivanti has also disclosed two additional zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) and released patches and mitigation measures for these as well. When these two zero-day vulnerabilities are chained, attackers can move laterally inside victims' networks, steal information, and maintain ongoing access by setting up backdoors. These vulnerabilities impact ICS, IPS, and ZTA gateways. You may find more information regarding CVE-2023-46805 and CVE-2024-21887 in Avertium’s original flash notice.
Victims of the attacks include government and military organizations worldwide, national telecom companies, defense contractors, banking and finance organizations, as well as aerospace, aviation, and tech firms of varying sizes. Please see the recommendations below for patch guidance and mitigation steps.
Note: If you have applied the patch, there is no need to apply the mitigation.
INDICATORS OF COMPROMISE (IoCs)
CVE-2023-46805 and CVE-2024-21887
IP Addresses
Domains
CVE-2024-21893 and CVE-2024-21888
MD5
SHA1
SHA256
SUPPORTING DOCUMENTATION
Flash Notice: Ivanti Zero Days Exploited by Chinese Threat Actors (avertium.com)
Ivanti warns of new Connect Secure zero-day exploited in attacks (bleepingcomputer.com)
Ivanti warns of a new actively exploited zero-day (securityaffairs.com)
CVE-2024-21888 Privilege Escalation for Ivanti Connect Secure and Ivanti Policy Secure
Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation (mandiant.com)
CVE-2024-22024 (XXE) for Ivanti Connect Secure and Ivanti Policy Secure