CVE-2024-21887 and CVE-2023-46805: Actively Exploited Vulnerabilities in Ivanti Secure Products Chained Together to Achieve Unauthenticated RCE

Share :

In mid-December 2023, Volexity observed UTA0178–a potential Chinese nation-state threat actor–leveraging two zero-day vulnerabilities in Ivanti Connect Secure (formerly known as Pulse Connect Secure) VPN appliances to steal configuration data, modify and download files, establish a reverse tunnel, and ultimately place webshells (GLASSTOKEN) on multiple internal and external-facing web servers. The two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, were chained together to achieve unauthenticated remote code execution (RCE) on the impacted appliances and enable follow-on activity.  

CVE-2024-21887  CVSS: 9.1 – Critical  Actively Exploited 
Command Injection – Vulnerability in the web component that could allow an authenticated threat actor to send specially crafted requests and execute arbitrary commands on the vulnerable appliance. 
CVE-2023-46805  CVSS: 8.2 – High  Actively Exploited 
Authentication Bypass – Vulnerability in the web components that could allow a remote threat actor to access the vulnerable appliance by bypassing control checks.  

 

When chained together, the vulnerabilities allowed the threat actors to run commands on the system and ultimately gain access to other systems on the network. Volexity largely observed reconnaissance and exploration of the network by UTA0178, outside of the deployment of webshells. Ivanti is currently aware of less than 10 customers impacted by the active exploitation of these vulnerabilities.  

Note: Although active exploitation was observed on Ivanti Connect Secure appliances, the two vulnerabilities also impact all supported versions of Ivanti Policy Secure Gateways.  

Recommendations for CVE-2024-21887 and CVE-2023-46805

Apply Ivanti’s Provided Workaround and run the External Integrity Checker

Currently, Ivanti does not have patches available to remediate the two vulnerabilities; Ivanti will be releasing the patches in a staggered schedule beginning the week of January 22nd. A complete patch availability timeline can be found in Ivanti’s security advisory 

We strongly recommend importing Ivanti’s mitigation.release.20240107.1.xml file via the download portal (login required) until Ivanti releases patches for your organization’s specific version. Directions on how to apply or remove the XMF file can be found here (login required). 

Additionally, run the external integrity checker (ICT) to obtain a snapshot of the current state of your Ivanti appliance. This snapshot could be used to identify malicious files that may have been placed on a compromised Ivanti appliance.  

References 

Steven Campbell

Steven Campbell

Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.
Share :
Table of Contents
Categories
Subscribe to our Monthly Newsletter