A critical server-side request forgery (SSRF) vulnerability, identified as CVE-2024-21893, has recently been exploited at an alarming scale in Ivanti Connect Secure and Policy Secure products. This vulnerability has raised significant concerns within the cybersecurity community due to the mass exploitation attempts and the potential for unauthorized access, including the establishment of a reverse shell.
Details of CVE-2024-21893 Exploitation
The exploit specifically targets CVE-2024-21893, an SSRF flaw within the Security Assertion Markup Language (SAML) component of Ivanti’s products. This vulnerability allows attackers to access restricted resources without authentication. The Shadowserver Foundation reported a surge in exploitation attempts originating from over 170 distinct IP addresses, emphasizing the severity of the situation.
Notably, cybersecurity firm Rapid7 released a proof-of-concept (PoC) exploit that combines CVE-2024-21893 with CVE-2024-21887, a previously patched command injection flaw. This combination facilitates unauthenticated remote code execution, escalating the risks associated with the vulnerability.
Exploitation Landscape and Risks
The situation is exacerbated by the utilization of outdated open-source components within Ivanti VPN appliances, as highlighted by security researcher Will Dormann. The exploited SSRF vulnerability (CVE-2024-21893) is associated with the open-source Shibboleth XMLTooling library, which was resolved in June 2023.
Threat actors have been quick to capitalize on the situation, with reports from Google-owned Mandiant revealing the exploitation of CVE-2023-46805 and CVE-2024-21887. These exploits have been used to deploy various custom web shells, including BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE.
Global Exposure and Response
Palo Alto Networks Unit 42’s findings indicate a concerning global exposure, with 28,474 instances of Ivanti Connect Secure and Policy Secure detected in 145 countries between January 26 and 30, 2024. Furthermore, 610 compromised instances were identified across 44 countries as of January 23, 2024.
In response to the escalating threats, Ivanti has taken measures to address the vulnerabilities. They released a second mitigation file and initiated the distribution of official patches as of February 1, 2024. Organizations are urged to promptly apply these patches and implement stringent security measures to mitigate the risks posed by such vulnerabilities and PoC exploits.
Best Practices for Prevention
To prevent future infections and secure systems, organizations should adopt the following best practices:
- Apply Patches Promptly: Regularly update and apply security patches provided by software vendors to address known vulnerabilities.
- Continuous Monitoring: Implement continuous monitoring for suspicious activities and potential security threats within the network.
- Security Awareness Training: Conduct regular security awareness training for employees to recognize and report potential threats.
- Network Segmentation: Employ network segmentation to limit the impact of potential breaches and isolate critical systems.
- Utilize Advanced Threat Intelligence: Leverage advanced threat intelligence to stay informed about emerging threats and vulnerabilities.
By adhering to these best practices, organizations can enhance their cybersecurity posture and reduce the risk of falling victim to exploits targeting critical vulnerabilities like CVE-2024-21893 in Ivanti products. Vigilance, proactive security measures, and timely responses are essential in today’s evolving threat landscape.
