Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2024/01/11/etr-zero-day-exploitation-of-ivanti-connect-secure-and-policy-secure-gateways/

On Wednesday, January 10, 2024, Ivanti disclosed two zero-day vulnerabilities affecting their Ivanti Connect Secure and Ivanti Policy Secure gateways. Security firm Volexity, who discovered the vulnerabilities, also published a blog with information on indicators of compromise and attacker behavior observed in the wild. In an attack Volexity investigated in December 2023, the two vulnerabilities were chained to gain initial access, deploy webshells, backdoor legitimate files, capture credentials and configuration data, and pivot further into the victim environment.

The two vulnerabilities in the advisory are:

• CVE-2023-46805, an authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that allows a remote attacker to access restricted resources by bypassing control checks.
• CVE-2024-21887, a critical command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet

Rapid7 urges customers who use Ivanti Connect Secure or Policy Secure in their environments to take immediate steps to apply the workaround and look for indicators of compromise. Volexity have released an extensive description of the attack and indicators of compromise — we strongly recommend reviewing their blog, which includes the information below:

“Volexity observed the attacker modifying legitimate ICS components and making changes to the system to evade the ICS Integrity Checker Tool. Notably, Volexity observed the attacker backdooring a legitimate CGI file (compcheck.cgi) on the ICS VPN appliance to allow command execution. Further, the attacker also modified a JavaScript file used by the Web SSL VPN component of the device in order to keylog and exfiltrate credentials for users logging into it. The information and credentials collected by the attacker allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network.”

Ivanti Connect Secure, previously known as Pulse Connect Secure, is a security appliance that has been targeted in a range of threat campaigns in recent years. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released a bulletin on January 10, 2024 urging Ivanti Connect Secure and Ivanti Policy Secure users to mitigate the two vulnerabilities immediately.

Counts of internet-exposed appliances vary widely depending on the query used. The following Shodan query identifies roughly 7K devices on the public internet, while looking for Ivanti’s welcome page alone more than doubles that number (but reduces accuracy): http.favicon.hash:-1439222863 html:"welcome.cgi?p=logo. Rapid7 Labs has observed scanning activity targeting our honeypots that emulate Ivanti Connect Secure appliances.

Mitigation guidance

All supported versions (9.x and 22.x) of Ivanti Connect Secure and Ivanti Policy Secure are vulnerable to CVE-2023-46805 and CVE-2024-21887.  Ivanti’s advisory notes that a workaround is available for CVE-2023-46805 and CVE-2024-21887. Ivanti Connect Secure and Ivanti Policy Secure customers should apply the vendor-supplied workaround immediately and investigate their environments for signs of compromise. Ivanti advises customers using unsupported versions of the product to upgrade to a supported version before applying the workaround.

Ivanti has indicated that patches will be released in a staggered schedule between January 22 and February 19, 2024 — target patch timelines can be found here.

Per Ivanti’s advisory and KB article, “Ivanti Neurons for ZTA gateways cannot be exploited when in production. If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway. Ivanti Neurons for Secure Access is not vulnerable to these CVEs; however, the gateways being managed are independently vulnerable to these CVEs.”

Note: Volexity indicated that adversaries have been observed wiping logs and/or disabling logging on target devices. Administrators should ensure logging is enabled. Ivanti has a built-in integrity checker tool (ICT) that verifies the image on Ivanti Connect Secure and Ivanti Policy Secure appliances and looks for modified files. Ivanti is advising customers to use the external version of this tool to check the integrity of the ICS/IPS images, since Ivanti has seen adversaries “attempting to manipulate” the internal integrity checker tool.

Rapid7 customers

Our engineering team is investigating options for InsightVM and Nexpose coverage for these vulnerabilities. We will provide an update to this blog no later than 3 PM EST on Thursday, January 11, 2024.