Chinese hackers exploit Ivanti VPN zero days for RCE attacks

Two critically severe zero-day vulnerabilities in devices running Ivanti VPN services are being actively exploited by Chinese nation-state actors for unauthenticated remote code execution, according to Volexity research.

Tracked as CVE-2023-46805 and CVE-2024-21887, the vulnerabilities, with CVSS scores 8.2 and 9.1 respectively, have been discovered in Ivanti Connect Secure (formerly known as Pulse Connect Secure), a remote access VPN solution for remote and mobile users needing access to corporate resources.

“Upon learning of the vulnerability, we immediately mobilized resources and mitigation is available now,” Ivanti said in a security advisory. “We are providing mitigation now while the patch is in development to prioritize the best interest of our customers.”

Vulnerabilities Chained together for unauthenticated RCE

The zero-day was identified by the researchers during the second week of December as they detected suspicious lateral movement on the network of one of Volexity’s Network Security Monitoring service customers. Eventually, the malicious activities were tracked back to the organization’s Internet-facing Ivanti Connect Secure (ICS) VPN appliance.

The researchers discovered that the vulnerabilities have been chained together to effect complete unauthenticated remote code execution. Individually, CVE-2023-46805 is an authentication-bypass vulnerability, while CVE-2024-21887 is a command injection vulnerability.

“When combined, these two vulnerabilities make it trivial for attackers to run commands on the system,” Volexity said in a blog post. “In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance.”

The vulnerabilities also affect Ivanti Policy Secure devices, a per individual subscription of Ivanti Secure Connect. All the supported versions (9.x to 22.x) of Ivanti VPN services are affected according to the company.

Ivanti releases Pre-patch mitigations

While Ivanti is working on a complete patch for the vulnerable services, it has rolled out a few mitigation steps through the advisories along with a few useful FAQs.

Primarily, Ivanti has released an XML file that can be downloaded by customers through Ivanti’s download portal. The file essentially degrades a few crucial features on its VPN services to limit abuse by the threat actor after they have gained access. The XML file caters to both Ivanti Connect Secure and Ivanti Policy Secure devices.

Ivanti has recommended customers run the external integrity checker tool (ICT), a snapshot of the current state of the appliance. It has, however, cautioned that ICT cannot necessarily detect threat actor activity if they have returned the appliance to a clean state.

“We have seen evidence of threat actors attempting to manipulate Ivanti’s internal integrity checker (ICT),” Ivanti said. “We have added new functionality to the external ICT that will be incorporated into the internal ICT in the future. We regularly provide updates to the external and internal ICT, so customers should always ensure they are running the latest version of each. The patches are scheduled to be released as two successive versions: first in the week of 22 January, and second in the week of 19 February, according to the advisory.

Zero-day vulnerability

Go to Source