Mass Exploitation of SSRF Vulnerability in Ivanti Products
A significant server-side request forgery (SSRF) vulnerability affecting Ivanti Connect Secure and Policy Secure products has been widely exploited. Recent reports indicate that attacks are emanating from over 170 distinct IP addresses, which points to a coordinated effort to establish unauthorized access, including reverse shells.
The flaw, identified as CVE-2024-21893, carries a CVSS score of 8.2 and resides within the Security Assertion Markup Language (SAML) component of Ivanti’s offerings. It enables attackers to access restricted resources without authentication. Ivanti previously disclosed that the vulnerability had been leveraged in targeted operations against a limited number of customers; however, the landscape has shifted dramatically since the issue became publicly known.
This uptick in exploitation appears to have been accelerated by the recent release of a proof-of-concept (PoC) exploit by the cybersecurity firm Rapid7. The PoC demonstrates how an attacker could chain CVE-2024-21893 with CVE-2024-21887, a previously patched command injection weakness, to achieve unauthenticated remote code execution. It is also worth noting that CVE-2024-21893 is related to CVE-2023-36661, an SSRF vulnerability in the open-source Shibboleth XMLTooling library that was patched in June 2023.
Expert observations have also highlighted other outdated open-source components within Ivanti’s VPN appliances, including older versions of curl, OpenSSL, Perl, and others. The presence of these outdated components widens the attack surface, giving threat actors opportunities to exploit weaknesses beyond the SSRF vulnerabilities discussed here.
In response to the ongoing attacks, Ivanti has acknowledged that its earlier mitigation was circumvented, and it has since released additional protective updates and an official patch as of February 1, 2024. The patch is intended to address all identified vulnerabilities and improve the overall security posture of the affected products.
Recent intelligence from Mandiant indicates that various threat actors are focusing in particular on CVE-2023-46805 and the aforementioned CVE-2024-21887, deploying custom web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE. Palo Alto Networks’ Unit 42 has likewise reported alarming figures: nearly 29,000 exposed instances of Ivanti Connect Secure and Policy Secure detected across 145 countries, illustrating how widespread the exposure is.
The urgency surrounding these vulnerabilities has not gone unnoticed at the governmental level. The European Union, in conjunction with CERT-EU, ENISA, and Europol, has issued a joint advisory encouraging organizations to adhere to mitigation guidance provided by Ivanti to reduce potential exposure.
The current exploitation landscape emphasizes the need for organizations to remain vigilant, keep their systems updated, and follow vulnerability management best practices to defend against these ongoing threats. The tactics and techniques used in these attacks map to several MITRE ATT&CK categories, including initial access through exploitation of software vulnerabilities, execution via remote code execution, and persistence through web shells. As the situation continues to evolve, organizations must prioritize cybersecurity resilience.