AttackerKB AKB:69F8A1EE-A19C-4252-B15E-9BE062BC37DA
History: Jan 12, 2024 - 12:00 a.m.

CVE-2024-21887

attackerkb.com
Tags: cve-2024-21887, ivanti connect secure, ivanti policy secure, command injection, web component, authenticated, arbitrary commands, vulnerability, exploit, remote code execution, uta0178, glasstoken, mitigation, patch, detection, compromise, monitoring

CVSS3: 9.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score: 8.2
Confidence: Low
EPSS: 0.967
Percentile: 99.7%

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Recent assessments:

cbeek-r7 at January 11, 2024 10:49am UTC reported:

CVE-2024-21887 is a command injection vulnerability in the web component of Ivanti Connect Secure (ICS) and Ivanti Policy Secure. This vulnerability, rated with a high-severity CVSS score of 9.1, allows an authenticated user to execute arbitrary commands.

Details of CVE-2024-21887:

  • CVE-2024-21887 affects all supported versions of Ivanti ICS and Policy Secure 9.x and 22.x.

  • This vulnerability was exploited in the wild along with CVE-2023-46805 in a chained attack for unauthenticated remote code execution (RCE) as early as December 3, 2023.

  • The exploitation of these vulnerabilities was attributed to UTA0178, suspected to be a Chinese nation-state level threat actor.

  • These vulnerabilities were used in attacks involving the deployment of a custom web shell, GLASSTOKEN, on both internet-facing and internal assets for persistent network access.

Attack Mechanisms:

  • Attackers manipulated legitimate components of Ivanti Connect Secure, such as compcheck.cgi, to support the execution of remote commands and credential theft.

  • The attacks were characterized by reconnaissance efforts, lateral movement, and deployment of GLASSTOKEN for persistent remote access.

Mitigation and Updates:

  • As of the latest information, Ivanti has not released a patch for this vulnerability. However, they provided a mitigation script that should be used immediately.

  • Ivanti announced that patches for this vulnerability would be released in a staggered schedule, starting from the week of January 22, 2024.

  • Users and administrators of affected product versions are advised to apply the mitigation measures provided by Ivanti.

Detection of Compromise:

  • Organizations can detect potential compromise through network traffic analysis, VPN device log analysis, and the execution of the Integrity Checker Tool.

  • Monitoring for signs of compromise is recommended, including examining network traffic and VPN device logs.

Recommendation:

  • Immediate application of current workarounds is crucial until patches are released.

  • Continuous monitoring for signs of compromise is essential to ensure network security.

Assessed Attacker Value: 5
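The VPN device log analysis that the assessment above recommends, as an added example that is not part of this page and is not Ivanti's Integrity Checker Tool or any vendor code: a small scanner over web-access log lines that URL-decodes each request target (repeatedly, so double-encoded payloads are not missed) and flags the two primitives a chained auth-bypass-plus-command-injection request would carry, namely `..` traversal segments in the path and shell metacharacters inside query parameter values. The Common Log Format layout, the hypothetical `/api/v1/status` endpoint and its `node` parameter, the RFC 5737 addresses and every sample line are constructed for the demonstration; none of them is a real exploit request or a real appliance log.

```python
"""Scan web-access log lines for path traversal and command-injection
attempts against an appliance's web component.

Added example for this page; not Ivanti's Integrity Checker Tool and not any
vendor code. The log format, the /api/v1/status endpoint, the hosts and all
sample lines below are constructed for the demonstration.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed sample log (Common Log Format). Addresses are RFC 5737
# documentation ranges; /api/v1/status?node= is a hypothetical endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2024:09:12:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 4821
198.51.100.23 - admin [11/Jan/2024:09:14:55 +0000] "GET /api/v1/status?node=web01 HTTP/1.1" 200 311
198.51.100.23 - admin [11/Jan/2024:09:15:02 +0000] "GET /api/v1/status?node=web01;id HTTP/1.1" 200 512
203.0.113.9 - - [11/Jan/2024:09:16:40 +0000] "GET /api/v1/public/../../status?node=x%60whoami%60 HTTP/1.1" 200 498
203.0.113.9 - - [11/Jan/2024:09:17:03 +0000] "GET /api/v1/status?node=%2577eb01%2524%2528id%2529 HTTP/1.1" 403 77
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Characters that separate or substitute commands in a POSIX shell. A
# parameter value carrying any of these into a shell is an injection attempt.
SHELL_META = re.compile(r'[;|&`\n]|\$\(')


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_target(raw_target: str) -> List[str]:
    """Return findings for one request target (path plus query string)."""
    parts = urlsplit(raw_target)
    findings: List[str] = []
    # Decode the path first, then look for '..' segments: a traversal that
    # survives decoding is what lets a request reach an unintended handler.
    path = decode_fully(parts.path)
    if any(seg == '..' for seg in path.split('/')):
        findings.append('path traversal in ' + path)
    # Split the raw query on '&' before decoding each value, so an encoded
    # '&' or '=' inside a value cannot change how the query is split.
    for pair in parts.query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        value = decode_fully(value)
        if SHELL_META.search(value):
            findings.append(f'shell metacharacter in parameter {key!r}: {value!r}')
    return findings


def analyze_line(line: str) -> Optional[Dict]:
    """Parse one CLF line; return a hit record, or None if clean/unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = analyze_target(m.group('target'))
    if not findings:
        return None
    return {
        'src': m.group('src'),
        'user': m.group('user'),
        'status': int(m.group('status')),
        'target': m.group('target'),
        'findings': findings,
    }


def scan_log(text: str) -> List[Dict]:
    """Return hit records for every suspicious line in the log text."""
    return [hit for hit in (analyze_line(l) for l in text.splitlines()) if hit]


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        # A 2xx on a flagged request means the handler accepted it; that is
        # the case to triage first. Non-2xx may still be reconnaissance.
        outcome = 'ACCEPTED' if 200 <= hit['status'] < 300 else 'rejected'
        print(f"{hit['src']} user={hit['user']} {outcome}: {hit['target']}")
        for finding in hit['findings']:
            print('   -', finding)
```

Run it against logs exported to a separate collector rather than the appliance's own filesystem: once a device is compromised its local logs can be edited by the intruder, and the matches that matter most are the flagged requests the appliance answered with a 2xx.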
