DIVD-2024-00001 - Auth. Bypass and Command Injection in Ivanti VPN appliance

Our reference DIVD-2024-00001
Case lead Lennaert Oudshoorn
Author Max van der Horst
Researcher(s)
CVE(s)
Products
  • Ivanti Connect Secure
  • Ivanti Policy Secure
Versions
  • All supported versions
Recommendation While the patch is under development, apply Ivanti’s mitigation, or take the appliance offline.
Patch status Under development
Workaround Import the mitigation file mitigation.release.20240107.1.xml provided by Ivanti in the download portal or take the device offline.
Status Open
Last modified 10 Apr 2024 21:52

Summary

An authentication bypass and a command injection vulnerability were discovered in Ivanti Connect Secure and Ivanti Policy Secure, it is present in all supported versions. Multiple sources report active exploitation by threat actors, making immediate mitigation necessary. By combining these two vulnerabilities, threat actors are able to take complete control of the underlying system. Ivanti does not yet have a patch, which is expected to be released in the week of January 22nd. In the meantime, a mitigation is provided that can be downloaded in the Ivanti download portal.

What you can do

Given that there is active exploitation, it is crucial the provided mitigation is applied as soon as possible or that the appliance is take offline until mitigations are available. It is also recommended to check the appliance for signs of previous exploitation. The mitigation can be applied by downloading and importing mitigation.release.20240107.1.xml from the Ivanti download portal. Additionally, Volexity (see references) provided detection rules to monitor for exploitation. The patch is expected to be released in the week of January 22nd.

What we are doing

DIVD is currently working to identify vulnerable instances and notify the owners of these systems. We do this by scanning for exposed Ivanti Connect Secure and Policy Secure instances, and by using a de-weaponized exploit to confirm that the authentication bypass vulnerability is present and exploitable on the device. Owners of vulnerable instances, or those responsible for the network they are in, will receive a notification with the host information and mitigation steps.

Timeline

Date Description
10 Jan 2024 DIVD receives signals about a vulnerability in Ivanti Pulse Connect and starts fingerprinting.
10 Jan 2024 Advisory published, DIVD starts scanning for vulnerable instances. Based on lack of mitigation.
10 Jan 2024 Case opened, first version of this casefile.
17 Jan 2024 Scanning with new method that exploits authentication bypass.
gantt title DIVD-2024-00001 - Auth. Bypass and Command Injection in Ivanti VPN appliance dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00001 - Auth. Bypass and Command Injection in Ivanti VPN appliance (still open) :2024-01-10, 2024-05-02 section Events DIVD receives signals about a vulnerability in Ivanti Pulse Connect and starts fingerprinting. : milestone, 2024-01-10, 0d Advisory published, DIVD starts scanning for vulnerable instances. Based on lack of mitigation. : milestone, 2024-01-10, 0d Case opened, first version of this casefile. : milestone, 2024-01-10, 0d Scanning with new method that exploits authentication bypass. : milestone, 2024-01-17, 0d

More information