A recently disclosed server-side request forgery (SSRF) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation.
The Shadowserver Foundation said it observed exploitation attempts originating from more than 170 unique IP addresses that aim to establish a reverse shell, among other things.
The attacks exploit CVE-2024-21893 (CVSS score: 8.2), an SSRF flaw in the SAML component of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA that allows an attacker to access otherwise restricted resources without authentication.
Ivanti had previously disclosed that the vulnerability had been exploited in targeted attacks aimed at a "limited number of customers," but cautioned that the status quo could change post public disclosure.
That is exactly what appears to have happened, particularly following the release of a proof-of-concept (PoC) exploit by cybersecurity firm Rapid7 last week.
The PoC involves fashioning an exploit chain that combines CVE-2024-21893 with CVE-2024-21887, a previously patched command injection flaw, to obtain unauthenticated remote code execution.
It's worth noting here that CVE-2024-21893 is an alias for CVE-2023-36661 (CVSS score: 7.5), an SSRF vulnerability in the open-source Shibboleth XMLTooling library. It was fixed by the maintainers in June 2023 with the release of version 3.2.4.
Security researcher Will Dormann further pointed out other outdated open-source components used by Ivanti VPN appliances, such as curl 7.19.7, openssl 1.0.2n-fips, perl 5.6.1, psql 9.6.14, cabextract 0.5, ssh 5.3p1, and unzip 6.00, thereby opening the door for additional attacks.
The development comes as threat actors have found a way to bypass Ivanti's initial mitigation, prompting the Utah-based company to release a second mitigation file. As of February 1, 2024, it has started releasing official patches to address all the vulnerabilities.
Last week, Google-owned Mandiant revealed that multiple threat actors are leveraging CVE-2023-46805 and CVE-2024-21887 to deploy an array of custom web shells tracked as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE.
Palo Alto Networks Unit 42 said it observed 28,474 exposed instances of Ivanti Connect Secure and Policy Secure in 145 countries between January 26 and 30, 2024, with 610 compromised instances detected in 44 countries as of January 23, 2024.
Some parts of this article are sourced from:
thehackernews.com