Mass Exploitation of SSRF Flaw in Ivanti VPN Products (CVE-2024-21893)

Bar Refael

February 7, 2024

A server-side request forgery (SSRF) vulnerability in Ivanti’s VPN products, including Connect Secure, Policy Secure, and Neurons for ZTA, has been subjected to widespread exploitation. This critical flaw, identified as CVE-2024-21893 (also known as CVE-2023-36661), has prompted significant attention from the cybersecurity community due to its severe implications and the rapid escalation of attacks following the public disclosure and release of a proof-of-concept (PoC) exploit.

Vulnerability Details

  • CVE ID: CVE-2024-21893 (alias CVE-2023-36661)
  • CVSS Score: 8.2
  • Affected Components: SAML component of Ivanti VPN products
  • Impact: Allows attackers to access restricted resources without authentication, leading to information disclosure and potential unauthorized actions within the affected system.

The SSRF vulnerability is linked to the open-source Shibboleth XMLTooling library, which was addressed in June 2023 with version 3.2.4. Despite the fix, Ivanti’s products remained vulnerable due to the inclusion of the flawed library.

Attack Scenario and Exploitation

Attackers are exploiting this vulnerability to establish reverse shells among other malicious activities, using an exploit chain that combines CVE-2024-21893 with CVE-2024-21887, a command injection flaw previously patched. This combination facilitates unauthenticated remote code execution, significantly raising the threat level.

The Shadowserver Foundation reported attacks originating from over 170 unique IP addresses, highlighting the mass exploitation of this vulnerability. Furthermore, outdated components within Ivanti VPN appliances, as identified by security researcher Will Dormann, could expose additional vulnerabilities, increasing the risk of compromise.

Response and Mitigation

Following the increase in attack activities, Ivanti has released official patches to address CVE-2024-21893 and associated vulnerabilities. The company had earlier provided mitigation files, but with attackers bypassing initial fixes, a more comprehensive patching strategy was required.

Threat Landscape and Impact

The exploitation of Ivanti VPN products has been linked to the deployment of custom web shells, such as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE, by various threat actors. This situation underscores the attractiveness of such vulnerabilities to cybercriminals aiming to infiltrate corporate networks.

A significant number of Ivanti Connect Secure and Policy Secure instances have been found exposed worldwide, with a considerable portion confirmed as compromised. This widespread exposure and subsequent exploitation prompted cybersecurity entities across the European Union to issue heightened advisories. These advisories urge organizations to apply the provided patches and adhere to Ivanti’s guidance to mitigate risks effectively.

The mass exploitation of the SSRF vulnerability in Ivanti VPN products serves as a stark reminder of the critical importance of timely vulnerability management and the potential consequences of delayed patching. Organizations using affected Ivanti products must prioritize the application of available patches and review their security posture to prevent potential breaches. The incident highlights the continuous need for vigilance and proactive measures in the face of evolving cyber threats.

Stay safe and informed,

OP Innovate.

Under Cyber Attack?

Fill out the form and we will contact you immediately.

Under Cyber Attack?

Fill out the form and we will contact you immediately.