Attackers target new Ivanti XXE vulnerability days after patch

Attackers target new Ivanti XXE vulnerability days after patch

Days after Ivanti announced patches for a new vulnerability in its Connect Secure and Policy Secure products, proof-of-concept exploit code has already been published for the flaw and security companies are reporting exploitation attempts in the wild. This follows a difficult month for Ivanti customers who had to deploy emergency mitigations and patches for three different zero-day vulnerabilities that were being exploited in the wild.

The new vulnerability, tracked as CVE-2024-22024, is an XML external entity injection (XXE) in the SAML component of specific versions of Ivanti Connect Secure, Ivanti Policy Secure, and ZTA gateways. It allows an attacker to access certain restricted resources without authentication and is rated with a severity score of 8.3 out of 10 (high) on the CVSS scale.

Ivanti credits researchers from security firm watchTowr for discovering and reporting the flaw, but also notes that it had already flagged that code as potentially insecure internally. The watchTowr researchers said in a report that they found the flaw while analyzing the patch for CVE-2024-21893, a server-side request forgery (SSRF) vulnerability in the SAML component that Ivanti disclosed on January 31 as a zero-day flaw that was being exploited in targeted attacks.

The CVE-2024-21893 SSRF flaw itself was discovered by Ivanti while investigating two other zero-day vulnerabilities that were announced on January 10 and were being exploited by a Chinese advanced persistent threat (APT) group. In response to these attacks, Ivanti first released an XML-based mitigation that could be applied to affected devices while the company worked on updated versions for all affected software releases.

Updates available for the new Ivanti vulnerabilities

The updates for the four known vulnerabilities — CVE-2023-46805 (authentication bypass), CVE-2024-21887 (command injection), CVE-2024-21888 (privilege escalation), and CVE-2024-21893 (SSRF in the SAML component) — were finally released on January 31 and February 1.

Updates for the new CVE-2024-22024 (XXE injection) flaw were released on February 8. Ivanti said these updates supersede the previously released ones and noted that customers who reset their devices to factory reset when applying the January 31 and February 1 patches don’t have to do it again now after applying the February 8 updates. The factory reset was required to clear out any potential implants and modifications made by attackers using the previous exploits.

“We strongly advise customers to run Ivanti’s previously released External Integrity Checker Tool in combination with best-practice security monitoring,” the company said in a blog post.

XXE injection vulnerabilities allow attackers to inject unsafe XML entities into web applications that process XML data. The watchTowr researchers note that the CVE-2024-22024 flaw was introduced by one of the patches for the previous vulnerabilities, which is why it only affected some recent versions of the products. According to Ivanti the impacted versions are: Connect Secure 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and 22.5R2.2; Ivanti Policy Secure 22.5R1.1; and ZTA 22.6R1.3.

Attempts to exploit Ivanti vulnerability found

Following watchTowr’s report and Ivanti’s advisory, proof-of-concept exploit code was developed and released online over the weekend. Since then, several services and companies that run honeypots and monitor malicious internet traffic reported scans for the vulnerability and attempts to exploit it. “We started seeing exploitation attempts to ‘/dana-na/auth/saml-sso.cgi’ February 9, around 8 UTC, shortly after PoC publication,” the Shadowserver Foundation said on X Monday. “These are primarily callback tests. 47 IPs seen to date.”

Meanwhile, security firm Akamai reported seeing scanning and payload attempts for this flaw from over 80 IP addresses targeting more than 30,000 hosts.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an updated directive last week to all federal agencies to disconnect impacted Ivanti products from their networks by end of Friday, February 2, and perform additional forensic analysis and clean-up steps in case they’ve already been compromised. The agency issued a supplemental directive on Friday for all agencies to apply the new Ivanti patches for CVE-2024-22024 by Monday, February 12.

Vulnerabilities, Zero-day vulnerability

Go to Source