In recent cybersecurity developments, a critical server-side request forgery (SSRF) vulnerability, identified as CVE-2024-21893, has emerged as a significant threat. This vulnerability affects Ivanti Connect Secure and Policy Secure products, and its exploitation has raised substantial concerns within the cybersecurity community.
The Exploitation Landscape
The Shadowserver Foundation has reported a surge in exploitation attempts, originating from over 170 distinct IP addresses. These attempts are specifically targeting the CVE-2024-21893 vulnerability, with the goal of establishing unauthorized access, including the deployment of a reverse shell.
CVE-2024-21893 Overview
The exploit capitalizes on CVE-2024-21893, an SSRF flaw within the Security Assertion Markup Language (SAML) component of Ivanti’s products. This flaw enables attackers to gain access to restricted resources without proper authentication. Initially acknowledged by Ivanti, targeted attacks were reported on a limited number of customers before the details became publicly disclosed.
The situation escalated with the release of a proof-of-concept (PoC) exploit by cybersecurity firm Rapid7. The PoC combines CVE-2024-21893 with CVE-2024-21887, a previously patched command injection flaw. This combination facilitates unauthenticated remote code execution, adding another layer of severity to the ongoing threat.
Additional Risk Factors
Security researcher Will Dormann has highlighted that CVE-2024-21893 is an SSRF vulnerability in the open-source Shibboleth XMLTooling library, which was resolved in June 2023. Dormann also pointed out outdated open-source components used by Ivanti VPN appliances, further complicating the risk landscape.
Ivanti’s Response and Mitigation Measures
In response to the evolving threats, Ivanti has taken decisive actions. The company released a second mitigation file and initiated the distribution of official patches as of February 1, 2024, to address all identified vulnerabilities associated with the SSRF exploit.
Alarming Global Exposure and Threat Actor Activities
Reports from Google-owned Mandiant have unveiled threat actors’ exploitation of CVE-2023-46805 and CVE-2024-21887. These exploits have been used to deploy various custom web shells, including BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE.
Palo Alto Networks Unit 42’s findings have exposed a concerning global exposure, with 28,474 instances of Ivanti Connect Secure and Policy Secure detected in 145 countries between January 26 and 30, 2024. Additionally, 610 compromised instances were identified across 44 countries as of January 23, 2024.
Urgent Recommendations and Best Practices
The surge in exploitation underscores the critical need for organizations to take immediate action:
- Apply Patches Promptly: Organizations using Ivanti Connect Secure and Policy Secure products should apply official patches without delay to mitigate the risk posed by the vulnerabilities.
- Implement Strict Security Measures: Strengthen security measures, including robust access controls, network segmentation, and monitoring to detect and respond to any suspicious activities.
- Stay Informed: Regularly monitor cybersecurity advisories and stay informed about emerging threats and vulnerabilities affecting the deployed software and systems.
- Conduct Security Audits: Regularly conduct security audits to identify and address potential vulnerabilities within the organization’s IT infrastructure.
- Educate Personnel: Train employees on cybersecurity best practices, including recognizing and reporting suspicious activities and being cautious with external communications.
By following these urgent recommendations and best practices, organizations can enhance their cybersecurity posture and mitigate the risks associated with the ongoing exploitation of the Ivanti vulnerabilities. Vigilance, proactive measures, and prompt responses are paramount in the face of evolving cybersecurity threats.
