ExtraHop released a Threat Briefing in its Reveal(x) network detection and response (NDR) platform for two critical vulnerabilities in the Ivanti Connect Secure VPN and the Ivanti Policy Secure gateway: CVE-2023-46805 and CVE-2024-21887.
The Threat Briefing for Ivanti Connect Secure and Policy Secure Critical Vulnerabilities provides customers with a preconfigured device query they can use to identify potentially vulnerable Ivanti Connect Secure devices on their networks. It also includes a preconfigured records query that can help customers determine whether threat actors may have attempted to exploit CVE-2023-46805 on their Connect Secure VPN devices. The records query works by retrieving HTTP requests whose URI contains the path traversal fragment (/api/v1/totp/user-backup-code/../../) associated with exploit attempts of CVE-2023-46805.
The Threat Briefing for Ivanti Connect Secure and Policy Secure Critical Vulnerabilities will be updated when detection coverage information is available. In the meantime, ExtraHop customers can also use Reveal(x) to identify downstream activities associated with exploitation of these critical vulnerabilities, including suspicious inbound and outbound connections to and from the IP addresses of affected Ivanti devices, remote service launch, lateral movement, and use of living off the land binaries and scripts.
High Severity Vulnerabilities
CVE-2023-46805 is an authentication bypass vulnerability in the web component of all supported versions of Ivanti Connect Secure (versions 9.x and 22.x). A high severity vulnerability, CVE-2023-46805 has a CVSS score of 8.2.
Considered critical with a CVSS score of 9.1, CVE-2024-21887 is a command injection vulnerability in the web components of Ivanti Connect Secure 9.x and 22.x.
When chained, these vulnerabilities allow an attacker to first bypass the authentication controls on the device and then run commands remotely on the compromised gateway. An attacker can then pivot from the compromised VPN device to launch additional attacks on an organization's network.
Ivanti will begin releasing patches for these vulnerabilities today. In the meantime, Ivanti urges Connect Secure and Policy Secure users to import the mitigation.release.20240107.1.xml file from their download portal as a temporary workaround. Refer to this Ivanti knowledgebase article for patch release dates and additional information about the workaround. ExtraHop urges customers using both Ivanti Connect Secure and Policy Secure in their environments to run the Threat Briefing and hunt for signs of attack, including the path traversal fragment /api/v1/totp/user-backup-code/../../, suspicious inbound and outbound connections to and from Ivanti devices, remote code execution, and lateral movement.
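As an added example (not ExtraHop's records query or any Reveal(x) logic), the following Python sketch applies the same check described above, and recommended again here, to web-server access-log lines: flag any request whose path contains the path traversal fragment. The log format, the sample lines and the percent-decoding of the path before matching (so that an encoded form of the same fragment is not missed) are assumptions of this example, not details taken from the briefing.

```python
import re
from urllib.parse import unquote

# Path traversal fragment the Threat Briefing's records query looks for
# in HTTP requests (CVE-2023-46805 exploit attempts).
TRAVERSAL_FRAGMENT = "/api/v1/totp/user-backup-code/../../"

# Combined-style access log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real telemetry); paths other than the
# fragment itself are placeholders, not actual Ivanti endpoints.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2024:10:01:02 +0000] "GET /placeholder/login HTTP/1.1" 200 5120
203.0.113.55 - - [12/Jan/2024:10:01:09 +0000] "GET /api/v1/totp/user-backup-code/../../placeholder/endpoint HTTP/1.1" 403 0
198.51.100.7 - - [12/Jan/2024:10:02:11 +0000] "GET /api/v1/totp/user-backup-code/..%2F..%2Fplaceholder/endpoint HTTP/1.1" 200 312
203.0.113.10 - - [12/Jan/2024:10:03:44 +0000] "POST /api/v1/totp/user-backup-code HTTP/1.1" 200 88
"""


def has_traversal_fragment(target: str) -> bool:
    """True when the request target contains the traversal fragment.

    Drops the query string and percent-decodes the path first; decoding is
    an added assumption so that ..%2F..%2F is caught by the substring match.
    """
    path = unquote(target.split("?", 1)[0])
    return TRAVERSAL_FRAGMENT in path


def find_exploit_attempts(log_text: str) -> list[dict]:
    """Parse access-log lines and return the requests matching the fragment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and has_traversal_fragment(m["target"]):
            hits.append({
                "src": m["src"],
                "time": m["ts"],
                "method": m["method"],
                "target": m["target"],
                "status": int(m["status"]),  # kept for triage; flagged regardless
            })
    return hits
```

A request is reported whether or not the server returned an error status, since the briefing's goal is to surface exploit attempts, not only successful ones.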
Suspected Nation-State Activity
With Ivanti Connect Secure VPNs deployed across tens of thousands of organizations, threat actors have been actively exploiting these vulnerabilities, according to Palo Alto Networks Unit 42 and Volexity. Volexity attributed one attack in which these vulnerabilities were exploited to a suspected Chinese nation-state threat actor it tracks as UTA0178. Organizations being targeted in similar attacks span government, defense, telecommunications, technology, financial services, and consulting sectors globally.
To date, the earliest known exploitation of these vulnerabilities appears to have occurred in early December 2023. Volexity reported that, after using these vulnerabilities to gain access to and take control of the Ivanti VPN, the threat actor took a number of actions. These included disabling device logging; stealing device configuration data; changing the Ivanti Connect Secure (ICS) system to evade its internal integrity checker; downloading attacker tools; installing a legitimate CGI file (compcheckresult.cgi) as a backdoor on the ICS VPN to allow command execution; and modifying a JavaScript file used by the Web SSL VPN component of the device to capture and exfiltrate the credentials of users logging into the VPN, which then allowed the threat actor to move laterally and pivot to other systems, and more.
Network Traffic Analysis Essential to Early Detection
Given that attacks leveraging these vulnerabilities circumvent perimeter security tools and go to lengths to evade SIEM and endpoint detection, the best way to hunt for them is on the network, using Reveal(x).
No matter how covertly threat actors may try to operate, whether by bypassing authentication controls, deleting logs, disabling other controls, or using living off the land binaries and scripts, they can't evade the network. Using Reveal(x), organizations can see if they have vulnerable Ivanti devices that need to be patched, and they can look back into 90 days' worth of network records to search for signs of exploitation attempts and other suspicious behaviors associated with these attacks.