SOCRadar® Cyber Intelligence Inc. | Vulnerability in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Exploited (CVE-2024-21888, CVE-2024-21893)
Feb 01, 2024


[Update] February 13, 2024: “Ivanti’s CVE-2024-21893 Exploited to Install the New DSLog Backdoor on Nearly 700 Assets”

[Update] February 6, 2024: “Increased Exploitation Attempts Targeting CVE-2024-21893 in Ivanti”

Ivanti has disclosed that as part of their ongoing investigation into previous Ivanti Connect Secure vulnerabilities, they discovered two new vulnerabilities.

The Cybersecurity and Infrastructure Security Agency (CISA) has already added one of these vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate it by a short deadline of February 2, 2024.

Details of the Newest Ivanti Vulnerabilities (CVE-2024-21888 and CVE-2024-21893)

The vulnerabilities, both rated high severity, are tracked as CVE-2024-21888 and CVE-2024-21893. Both affect all supported versions (9.x and 22.x). See their details below:

CVE-2024-21888 (CVSS score: 8.8): A Privilege Escalation vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure. It could enable a user to gain administrative privileges.

Vulnerability intel card for CVE-2024-21888 (SOCRadar Vulnerability Intelligence)

CVE-2024-21893 (CVSS score: 8.2): A Server-Side Request Forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA. It could enable an attacker to gain access to some restricted resources without authentication.

Vulnerability intel card for CVE-2024-21893 (SOCRadar Vulnerability Intelligence)

You can easily access vulnerability information and updates through SOCRadar. The platform provides comprehensive Vulnerability Intelligence that includes the most recent updates on known vulnerabilities, such as available exploits, repositories, exploitability risks, and hacker trends.

SOCRadar’s Vulnerability Intelligence

Are Patches Available for the New Vulnerabilities?

Ivanti has made the patches available through its standard download portal. Patches are currently available for the following versions:

Ivanti Connect Secure:

  • 9.1R14.4
  • 9.1R17.2
  • 9.1R18.3
  • 22.4R2.2
  • 22.5R1.1

ZTA:

  • 22.6R1.3

According to the company, the remaining supported versions will be patched on a staggered schedule, and a new mitigation is also available for download.

“CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893 can be mitigated by importing mitigation.release.20240126.5.xml file via the download portal.” 

Refer to the official advisory for further details.

Exploitation of CVE-2024-21893: Ivanti Expects a Surge in Attacker Activity

At the time of disclosure, Ivanti stated that it had no evidence of customers being affected by CVE-2024-21888, whereas CVE-2024-21893 had been exploited against a limited number of customers.

Ivanti also stated that the exploitation of CVE-2024-21893 appears to be targeted, and that it expects exploitation attempts to increase sharply once details of the vulnerability become public. In the meantime, CISA has added CVE-2024-21893 to its KEV Catalog to warn agencies of active exploitation and urge them to remediate it.

With SOCRadar’s Attack Surface Management module, you can monitor digital assets and identify vulnerabilities that are affecting your organization. Additionally, ASM’s Company Vulnerabilities page includes a CISA KEV Check feature that allows you to quickly identify KEV Catalog-listed vulnerabilities that affect your systems.

SOCRadar Attack Surface Management/Company Vulnerabilities

CISA Alert and Patches for the Ivanti Connect Secure Zero-Day Vulnerabilities

Alongside the public disclosure of the new vulnerabilities, the company has released fixes for the zero-day vulnerabilities CVE-2023-46805 and CVE-2024-21887, which affect Connect Secure. Recent updates on those vulnerabilities also include a CISA alert warning that threat actors have developed workarounds for the earlier mitigations and are exploiting the flaws to deploy the KrustyLoader malware.

The aforementioned CISA alert was most recently updated to include the new vulnerabilities, CVE-2024-21888 and CVE-2024-21893, and direct organizations to apply updates or mitigation for affected versions.

You can find more information about zero-day vulnerabilities in our other blog post: Attackers Exploit Ivanti Connect Secure Zero-Day Vulnerabilities to Deploy Webshells (CVE-2023-46805, CVE-2024-21887).

Increased Exploitation Attempts Targeting CVE-2024-21893 in Ivanti

Exploitation attempts have surged, confirming Ivanti’s earlier expectation: threat actors are actively exploiting the latest Ivanti SSRF vulnerability, CVE-2024-21893. Shadowserver reports having observed at least 170 distinct IP addresses attempting to exploit it.

Exploitation attempts by Ivanti CVEs (Shadowserver)

Shadowserver also noted that the attackers were using methods similar to those in Rapid7’s Proof-of-Concept (PoC) exploit, and that this activity began shortly before the PoC was published.

Tweet by Shadowserver (X)

Ivanti’s CVE-2024-21893 Exploited to Install the New DSLog Backdoor on Nearly 700 Assets

While prior reports detailed exploitation attempts against the CVE-2024-21893 vulnerability, recent findings indicate that threat actors are deploying the DSLog backdoor to execute remote commands on compromised Ivanti servers.

The discovery of this new backdoor emerged on February 3, 2024, during the analysis of a compromised appliance. Although the appliance had Ivanti’s initial XML mitigation in place, which blocks all API endpoints, it lacked the second mitigation or patch.

How Did Attackers Inject the Backdoor?

It was discovered that attackers injected a backdoor into a component of the Ivanti appliance using the CVE-2024-21893 vulnerability, ensuring persistent remote access.

Researchers examined a compromised Ivanti device snapshot and logs and found that attackers injected the backdoor into the appliance’s code base through SAML authentication requests containing encoded commands.

According to the researchers, attackers modified an existing Perl file named ‘DSLog.pm’, a legitimate logging module for authenticated web requests and system logs, and inserted the backdoor.

The commands in the requests indicated the attacker’s intent to conduct internal reconnaissance and confirm root access by performing tasks such as writing system information to a publicly accessible file (index2.txt).

Subsequent SAML requests sought to secure read/write filesystem permissions, detect changes to the legitimate logging script (DSLog.pm), and inject the backdoor if the expected modification string was not present.

Each command request had to carry, in the HTTP User-Agent header, a SHA256 hash that is unique to the targeted device; the backdoor uses this hash as an API key. Because each hash is device-specific, a hash captured from one appliance cannot be used to reach the backdoor on another. How the attackers derive these hashes remains undetermined.

About the DSLog Backdoor

The DSLog backdoor is reported to be able to execute any command on the compromised device, with root privileges. The attackers embed these commands in a query parameter named ‘cdi’ and send them via HTTP requests.

Each HTTP request carries the SHA256 hash unique to the targeted device, which authenticates the request to the backdoor. The researchers point out that the webshell returns no status code or content when contacted, which makes the backdoor exceptionally discreet in operation.

Researchers note that the commands issued through the backdoor can be identified in the Ivanti access logs (log.localhostX-DAY-YEAR-XX-XX_XX_XX_XX-(XXX).access), where they appear as hex-encoded values; however, on several compromised devices the attackers deleted these access logs to hide their activity.

Despite this, at least 670 compromised Ivanti servers were identified by examining other artifacts, namely the ‘index.txt’, ‘index1.txt’, and ‘index2.txt’ files in the ‘hxxp://{ip}/dana-na/imgs/’ directory.
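As an added example (not code from the SOCRadar post, the researchers who analysed DSLog, or Ivanti), the following Python sketches a triage for the two indicators described above: access-log requests whose ‘cdi’ query parameter carries a hex-encoded command together with a 64-hex-character SHA256-shaped token in the User-Agent, and the presence of the index.txt/index1.txt/index2.txt artifacts under /dana-na/imgs/. The post does not give exact formats, so the NCSA-style log layout, the placeholder request path /dana-na/example.cgi, the position of the hash inside the User-Agent, and the injected fetch_status function are all assumptions; the sample log lines are constructed, not real Ivanti output.

```python
# Added example, not code from the SOCRadar post or from Ivanti: triage helpers
# for the DSLog indicators the post describes. The log layout, request paths
# and User-Agent format below are assumptions, not documented formats.
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Assumed NCSA-style line: the request is the first quoted field, the
# User-Agent the last quoted field. Adapt the pattern to the real log layout.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")      # per-device key in User-Agent
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")    # even-length hex string

# Files the post says researchers used to count compromised appliances.
ARTIFACT_PATHS = [
    "/dana-na/imgs/index.txt",
    "/dana-na/imgs/index1.txt",
    "/dana-na/imgs/index2.txt",
]


def decode_hex_command(value):
    """Return the decoded command if value is an even-length hex string, else None."""
    if not HEX_RE.match(value):
        return None
    return bytes.fromhex(value).decode("utf-8", errors="replace")


def find_dslog_requests(lines):
    """Return one record per log line that carries a 'cdi' query parameter.

    Each record holds the decoded command (None if not hex), the 64-hex token
    found in the User-Agent (None if absent) and the HTTP status. Since the
    backdoor returns no status or content, the status alone is not a signal;
    a 'cdi' parameter plus a SHA256-shaped User-Agent token is what to review.
    """
    records = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group("target")).query)
        if "cdi" not in params:
            continue
        raw = params["cdi"][0]
        key = SHA256_RE.search(m.group("ua"))
        records.append({
            "target": m.group("target"),
            "command": decode_hex_command(raw),
            "device_key": key.group(0) if key else None,
            "status": int(m.group("status")),
        })
    return records


def check_artifacts(base_url, fetch_status):
    """Return the artifact paths that respond with HTTP 200.

    fetch_status(url) -> int or None is injected so the check can run offline;
    in production pass a function built on urllib/requests with a short
    timeout that returns None on connection errors.
    """
    present = []
    for path in ARTIFACT_PATHS:
        if fetch_status(base_url.rstrip("/") + path) == 200:
            present.append(path)
    return present


# Constructed sample data: none of these lines is real Ivanti log output, and
# SAMPLE_KEY is just a hash of a made-up string, not a real attacker key.
SAMPLE_KEY = hashlib.sha256(b"constructed-device-1").hexdigest()
SAMPLE_LOG = [
    # benign request, no cdi parameter
    '10.0.0.7 - - [05/Feb/2024:10:11:58 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # hex-encoded "uname -a" in cdi, SHA256-shaped token in the User-Agent
    '10.0.0.7 - - [05/Feb/2024:10:12:01 +0000] "GET /dana-na/example.cgi?cdi=756e616d65202d61 HTTP/1.1" 200 0 "-" "Mozilla/5.0 ' + SAMPLE_KEY + '"',
    # cdi present but not hex and no key: still worth a look, command undecodable
    '10.0.0.9 - - [05/Feb/2024:10:12:05 +0000] "GET /dana-na/example.cgi?cdi=hello HTTP/1.1" 200 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for rec in find_dslog_requests(SAMPLE_LOG):
        print(rec)
    # simulated fetcher: only index2.txt "exists" on the constructed target
    fake = lambda url: 200 if url.endswith("index2.txt") else 404
    print(check_artifacts("https://vpn.example.test", fake))
```

Run against real appliance logs, treat every record with both a decodable command and a device key as a confirmed hit and the rest as manual-review candidates; also remember that the post reports attackers deleting access logs, so an empty result from the log check alone does not clear a device, which is why the artifact check is kept alongside it.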