A recently disclosed server-side request forgery (SSRF) vulnerability affecting Ivanti Connect Secure and Policy Secure products has been subjected to mass exploitation.
The Shadowserver Foundation She said observed exploitation attempts from more than 170 unique IP addresses aiming, among other things, to establish a reverse shell.
The attacks exploit CVE-2024-21893 (CVSS score: 8.2), an SSRF flaw in the SAML component of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA that allows an attacker to access otherwise restricted resources without authentication.
Ivanti had previously disclosed that the vulnerability had been exploited in targeted attacks targeting a “limited number of customers”, but warned that the status quo could change following the public disclosure.
This is exactly what appears to have happened, especially after the release of a proof-of-concept (PoC) exploit by cybersecurity firm Rapid7 last week.
The PoC involves creating an exploit chain that combines CVE-2024-21893 with CVE-2024-21887, a previously fixed command injection flaw, to achieve unauthenticated remote code execution.
It is worth noting here that CVE-2024-21893 is an alias for CVE-2023-36661 (CVSS score: 7.5), an SSRF vulnerability present in the Shibboleth XMLTooling open source library. The issue was resolved by the maintainers in June 2023 with the release of version 3.2.4.
Security researcher Will Dormann further reported other outdated open source components used by Ivanti VPN equipment, such as curl 7.19.7, openssl 1.0.2n-fips, perl 5.6.1, psql 9.6.14, cabextract 0.5, ssh 5.3p1, and unzip 6.00, thus opening the door to further attacks.
The development comes as threat actors have found a way to bypass Ivanti’s initial mitigation, prompting the Utah-based company to release a second mitigation file. Starting February 1, 2024, it started releasing official patches to fix all vulnerabilities.
Last week, Google-owned Mandiant revealed that multiple threat actors are exploiting CVE-2023-46805 and CVE-2024-21887 to implement a number of tracked custom web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE.
Palo Alto Networks Unit 42 said it observed 28,474 exposed cases of Ivanti Connect Secure and Policy Secure in 145 countries between January 26 and 30, 2024, with 610 compromised cases detected in 44 countries as of January 23, 2024.
The continued exploitation of Ivanti’s flaws also prompted the European Union, together with CERT-EU, ENISA and Europol, to publish a joint notice calling on organizations in the bloc to follow the guidance provided by the vendor to mitigate potential risks.