SOCRadar® Cyber Intelligence Inc. | Vulnerability in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Exploited (CVE-2024-21888, CVE-2024-21893)

Feb 01, 2024


[Update] March 1, 2024: “CISA and Partners Issued Joint Advisory on Exploitation of Ivanti Vulnerabilities (CVE-2023-46805, CVE-2024-21887, CVE-2024-21893)”

[Update] February 29, 2024: “UNC5325 and UNC3886 Exploit Ivanti Connect Secure VPN Vulnerabilities to Deploy Malware”

[Update] February 13, 2024: “Ivanti’s CVE-2024-21893 Exploited to Install the New DSLog Backdoor on Nearly 700 Assets”

[Update] February 6, 2024: “Increased Exploitation Attempts Targeting CVE-2024-21893 in Ivanti”

Ivanti has disclosed that, during its ongoing investigation into the previously reported Ivanti Connect Secure vulnerabilities, it discovered two new vulnerabilities.

The Cybersecurity and Infrastructure Security Agency (CISA) has already added one of these vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate it by February 2, 2024, a deadline only days away.

Details of the Newest Ivanti Vulnerabilities (CVE-2024-21888 and CVE-2024-21893)

Both vulnerabilities are rated high severity and are tracked as CVE-2024-21888 and CVE-2024-21893. They affect all supported versions (9.x and 22.x). Their details are as follows:

CVE-2024-21888 (CVSS score: 8.8): A Privilege Escalation vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure. It could enable a user to gain administrative privileges.

Vulnerability intel card for CVE-2024-21888 (SOCRadar Vulnerability Intelligence)

CVE-2024-21893 (CVSS score: 8.2): A Server-Side Request Forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA. It could enable an attacker to gain access to some restricted resources without authentication.

Vulnerability intel card for CVE-2024-21893 (SOCRadar Vulnerability Intelligence)

You can easily access vulnerability information and updates through SOCRadar. The platform provides comprehensive Vulnerability Intelligence that includes the most recent updates on known vulnerabilities, such as available exploits, repositories, exploitability risks, and hacker trends.

SOCRadar’s Vulnerability Intelligence

Are Patches Available for the New Vulnerabilities?

Ivanti made the patches accessible via the standard download portal. Patches are currently available for the following versions:

Ivanti Connect Secure: 

  • 9.1R14.4
  • 9.1R17.2
  • 9.1R18.3
  • 22.4R2.2
  • 22.5R1.1

ZTA:

  • 22.6R1.3

According to the company, the remaining supported versions will be patched on a staggered schedule, and a new mitigation is also available for download.
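Because only some release trains had fixes at the time, a useful first check is to classify each appliance build in your inventory against the patched list above. The following triage routine is an added example (not Ivanti's or SOCRadar's code): it parses Ivanti's `major.minorRrelease.maintenance` version strings and uses the page's point-in-time patched list; the inventory is constructed, and the rule that a later maintenance release on a fixed train also carries the fix is an assumption of this example, not a statement from the advisory.

```python
import re

# Patched builds as listed on this page (Ivanti's advisory of January 31, 2024).
# Point-in-time data: extend this table as Ivanti releases fixes for other trains.
PATCHED = {
    "Ivanti Connect Secure": ["9.1R14.4", "9.1R17.2", "9.1R18.3", "22.4R2.2", "22.5R1.1"],
    "ZTA": ["22.6R1.3"],
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Split '22.4R2.2' into (major, minor, release, maintenance); maintenance defaults to 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized Ivanti version string: {text!r}")
    major, minor, release, maint = m.groups()
    return int(major), int(minor), int(release), int(maint or 0)


def patch_status(product, version):
    """Classify a build against the patched list for its product.

    'patched'       : same release train as a fixed build, maintenance level at or above it
                      (assumption: later maintenance releases on that train keep the fix)
    'unpatched'     : a fix exists for this train but the build predates it
    'no-fix-listed' : no fix for this train on the list; apply the XML mitigation meanwhile
    """
    major, minor, release, maint = parse_version(version)
    for fixed in PATCHED.get(product, []):
        f_major, f_minor, f_release, f_maint = parse_version(fixed)
        if (major, minor, release) == (f_major, f_minor, f_release):
            return "patched" if maint >= f_maint else "unpatched"
    return "no-fix-listed"


def triage(inventory):
    """Return {hostname: status} for an inventory of (hostname, product, version) tuples."""
    return {host: patch_status(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    # Constructed inventory for illustration, not real hosts.
    sample = [
        ("vpn-01", "Ivanti Connect Secure", "22.4R2.2"),
        ("vpn-02", "Ivanti Connect Secure", "22.4R2.1"),
        ("vpn-03", "Ivanti Connect Secure", "9.1R15.1"),
        ("zta-01", "ZTA", "22.6R1.2"),
    ]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```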

“CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893 can be mitigated by importing mitigation.release.20240126.5.xml file via the download portal.” 

Refer to the official advisory for further details.

Exploitation of CVE-2024-21893: Ivanti Expects a Surge in Attacker Activity

At the time of the disclosure, Ivanti stated that there was no evidence of CVE-2024-21888 affecting customers, whereas CVE-2024-21893 did affect a limited number of customers.

Ivanti also stated that the exploitation of CVE-2024-21893 appears to be deliberate. Once the details of the vulnerability are made public, the company expects the exploitation attempts to increase. In the meantime, CISA has added CVE-2024-21893 to its KEV Catalog to warn agencies about exploitation and urge them to remediate it.

With SOCRadar’s Attack Surface Management module, you can monitor digital assets and identify vulnerabilities that are affecting your organization. Additionally, ASM’s Company Vulnerabilities page includes a CISA KEV Check feature that allows you to quickly identify KEV Catalog-listed vulnerabilities that affect your systems.

SOCRadar Attack Surface Management/Company Vulnerabilities

CISA Alert and Patches for the Ivanti Connect Secure Zero-Day Vulnerabilities

In addition to the public disclosure of the new vulnerabilities, the company has released fixes for the zero-day vulnerabilities CVE-2023-46805 and CVE-2024-21887, which affect Connect Secure. The most recent updates on these vulnerabilities also include a CISA alert about threat actors developing workarounds for previous mitigations and their exploitation to deploy KrustyLoader malware.

The aforementioned CISA alert was most recently updated to include the new vulnerabilities, CVE-2024-21888 and CVE-2024-21893, and direct organizations to apply updates or mitigation for affected versions.

You can find more information about zero-day vulnerabilities in our other blog post: Attackers Exploit Ivanti Connect Secure Zero-Day Vulnerabilities to Deploy Webshells (CVE-2023-46805, CVE-2024-21887).

Increased Exploitation Attempts Targeting CVE-2024-21893 in Ivanti

Exploitation attempts have surged, confirming Ivanti’s earlier expectation: threat actors are actively exploiting the latest Ivanti SSRF vulnerability, CVE-2024-21893. Shadowserver reports observing at least 170 distinct IP addresses attempting to exploit it.

Exploitation attempts by Ivanti CVEs (Shadowserver)

Shadowserver also noted that the attackers used methods similar to those in the Proof-of-Concept (PoC) exploit published by Rapid7, with attempts observed shortly before the PoC was released.

Tweet by Shadowserver (X)

Ivanti’s CVE-2024-21893 Exploited to Install the New DSLog Backdoor on Nearly 700 Assets

While prior reports detailed exploitation attempts against the CVE-2024-21893 vulnerability, recent findings indicate that threat actors are deploying the DSLog backdoor to execute remote commands on compromised Ivanti servers.

The discovery of this new backdoor emerged on February 3, 2024, during the analysis of a compromised appliance. Although the appliance had Ivanti’s initial XML mitigation in place, which blocks all API endpoints, it lacked the second mitigation or patch.

How Did Attackers Inject the Backdoor?

It was discovered that attackers injected a backdoor into a component of the Ivanti appliance using the CVE-2024-21893 vulnerability, ensuring persistent remote access.

Researchers examined a compromised Ivanti device snapshot and logs and found that attackers injected the backdoor into the appliance’s code base through SAML authentication requests containing encoded commands.

According to the researchers, attackers modified an existing Perl file named ‘DSLog.pm’, a legitimate logging module for authenticated web requests and system logs, and inserted the backdoor.

The commands in the requests indicated the attacker’s intent to conduct internal reconnaissance and confirm root access by performing tasks such as writing system information to a publicly accessible file (index2.txt).

Subsequent SAML requests sought to secure read/write filesystem permissions, detect changes to the legitimate logging script (DSLog.pm), and inject the backdoor if the expected modification string was not present.

The attackers used a SHA256 hash unique to each contacted device as an API key, supplied in the HTTP User-Agent header to authorize command execution. Because each hash is unique, it cannot be used to access the backdoor on another device. How the SHA256 hashes are calculated remains undetermined.

About the DSLog Backdoor

The DSLog backdoor is reported to be able to execute any command on the compromised device, with root privileges. The attackers embed these commands in a query parameter named ‘cdi’ and send them via HTTP requests.

Each HTTP request carries the SHA256 hash unique to the targeted device, which authenticates the request to the backdoor. The researchers point out that the webshell returns neither a status message nor a response code when contacted, making the backdoor exceptionally discreet in its operations.

Researchers assert that the commands issued via the backdoor can be identified in the Ivanti access logs (log.localhostX-DAY-YEAR-XX-XX_XX_XX_XX-(XXX).access), where they appear as hex-encoded values; however, on several compromised devices the attacker deleted these access logs to hide the malicious activity.

Despite these obstacles, at least 670 compromised Ivanti servers were identified by examining other files, such as ‘index.txt’, ‘index1.txt’, and ‘index2.txt’, in the ‘hxxp://{ip}/dana-na/imgs/’ directory.
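The traits described above (a ‘cdi’ query parameter carrying a hex-encoded command, and a bare SHA256 digest in the User-Agent header) can be hunted for directly in access-log data. The following detection pass is an added example, not code from the researchers or from SOCRadar: the log lines are constructed, their combined-log-style layout and the request path are assumptions (the page does not reproduce Ivanti’s real access-log format, so `LINE_RE` must be adapted to the actual files), and it decodes the hex values so an analyst can read what was sent.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed line shape (combined-log style). Adapt this regex to the real Ivanti
# access-log layout before running it over production files.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
HEX_RE = re.compile(r'^(?:[0-9a-fA-F]{2})+$')      # even-length hex string
SHA256_RE = re.compile(r'^[0-9a-fA-F]{64}$')       # bare digest used as the backdoor's API key

# Constructed sample lines, not real captures. The path is a placeholder: the report only
# says commands arrive in a query parameter named 'cdi' and that a per-device SHA256
# travels in the User-Agent header.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2024:09:14:22 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2024:09:15:03 +0000] "GET /dana-na/auth/url_default/welcome.cgi?cdi=756e616d65202d61 HTTP/1.1" 200 0 "-" "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
198.51.100.9 - - [10/Feb/2024:09:16:40 +0000] "GET /dana-na/auth/url_default/welcome.cgi?cdi=6964 HTTP/1.1" 200 0 "-" "curl/8.4.0"
"""


def decode_cdi(value):
    """Return the decoded text if a 'cdi' value is hex-encoded ASCII, else None."""
    if not HEX_RE.match(value):
        return None
    try:
        return bytes.fromhex(value).decode("ascii")
    except UnicodeDecodeError:
        return None


def find_dslog_activity(log_text):
    """Flag every request with a 'cdi' parameter; decode the command and note whether
    the User-Agent is a bare 64-hex digest (the per-device API-key pattern)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # unparseable line: skip, do not crash
        params = parse_qs(urlsplit(m["target"]).query)
        for value in params.get("cdi", []):
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "command": decode_cdi(value),
                "sha256_user_agent": bool(SHA256_RE.match(m["ua"])),
            })
    return findings


if __name__ == "__main__":
    for finding in find_dslog_activity(SAMPLE_LOG):
        print(finding)
```

Any hit is worth triage on its own; a hit whose User-Agent is a bare digest matches both described traits at once. Remember that the attacker deleted access logs on several devices, so an empty result does not clear an appliance.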

UNC5325 and UNC3886 Exploit Ivanti Connect Secure VPN Vulnerabilities to Deploy Malware

Researchers have reported new findings on China-linked cyber espionage activity: two threat groups, UNC5325 and UNC3886, are exploiting vulnerabilities in Ivanti Connect Secure VPN appliances.

UNC5325, identified as a sophisticated Chinese threat actor, has capitalized on the CVE-2024-21893 vulnerability to infiltrate Ivanti appliances. This exploit has facilitated the deployment of a suite of new malware strains, including LittleLamb.WoolTea, PitStop, Pitdog, PitJet, and PitHook. Notably, researchers suggest a connection between UNC5325 and UNC3886, citing code similarities between their malware variants.

In tandem with its cyber operations, UNC3886 has a history of exploiting zero-day flaws in various platforms, such as Fortinet and VMware solutions, to implant malicious software like VirtualPita, VirtualPie, ThinCrust, and CastleTap. The primary targets of UNC3886 have been entities within the defense industrial base, technology, and telecommunication sectors in the United States and Asia-Pacific regions.

The recent surge in cyberattacks has underscored the critical importance of addressing vulnerabilities promptly. UNC5325’s exploitation of CVE-2024-21893, which dates back to January 19, 2024, highlights the urgency of maintaining up-to-date security protocols. By combining CVE-2024-21893 with a previously disclosed command injection vulnerability (CVE-2024-21887), UNC5325 bypassed Ivanti appliances’ defenses, paving the way for the deployment of sophisticated malware like BushWalk.

Vulnerability intel card for CVE-2024-21887 (SOCRadar Vulnerability Intelligence)

To evade detection, UNC5325 has leveraged legitimate Ivanti components, particularly SparkGateway plugins, to introduce additional malicious payloads. One such plugin, PitFuel, attempted to load the malicious shared object LittleLamb.WoolTea, enabling persistent access across system upgrades and patches. Despite these efforts, the malware’s inability to adapt to encryption key mismatches has thwarted persistent access attempts.

UNC5325’s tactics underscore the evolving nature of cyber threats, with adversaries demonstrating a keen understanding of network infrastructure and employing sophisticated techniques to circumvent detection. Researchers predict a continued reliance on zero-day vulnerabilities and tailored malware by Chinese espionage actors, emphasizing the need for proactive security measures and ongoing vigilance.

CISA and Partners Issued Joint Advisory on Exploitation of Ivanti Vulnerabilities (CVE-2023-46805, CVE-2024-21887, CVE-2024-21893)

CISA, FBI, and international partners have issued a joint advisory in response to the exploitation of vulnerabilities found in Ivanti Connect Secure and Policy Secure Gateways.

The advisory outlines cyber attacks exploiting CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. It includes Indicators of Compromise (IOCs), detection methods, and guidance for organizations to mitigate these vulnerabilities.

CISA’s alert: Actions to take today to mitigate cyber threats against Ivanti appliances

The advisory highlights two significant findings: First, the Ivanti Integrity Checker Tool (ICT) may fail to detect compromise due to threat actors’ ability to deceive it. Second, despite victims performing factory resets on Ivanti devices, threat actors may still achieve root-level persistence.

The advisory emphasizes that ICT scans have failed to detect previous compromises, which can leave organizations with a false sense of security.

In observed cases, threat actors exploited the CVEs to gain initial access, implant web shells, and harvest stored credentials. After compromising the systems, the threat actors moved laterally into domain environments, utilizing native tools like freerdp, ssh, telnet, and nmap libraries to extend their reach. Some incidents resulted in complete domain compromises.

In incident response investigations, CISA found that Ivanti’s internal and external ICTs failed to detect compromises because web shells discovered on systems lacked detectable file mismatches. Additionally, forensic analysis revealed that threat actors covered their tracks by overwriting files, time-stomping files, and remounting the runtime partition to restore the appliance to a clean state.

In light of these findings, the authoring organizations stress the importance of vigilance and advise network defenders to take several proactive measures:

  • Assume that user and service account credentials stored within affected Ivanti VPN appliances are compromised.
  • Conduct thorough hunts for malicious activity on their networks using the detection methods and IOCs provided in the advisory.
  • Run the latest version of Ivanti’s external ICT.
  • Apply available patching guidance from Ivanti as new versions are released.
  • Upon detection of a potential compromise, gather and analyze logs and artifacts for malicious activity and follow the incident response recommendations in the advisory.