Metric | Value |
---|---|
CVSS3 | 9.1 High |
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | HIGH |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
AI Score | 9.7 High (Confidence: High) |
EPSS | 0.969 High (Percentile: 99.7%) |

The version of Ivanti Policy Secure installed on the remote host is 9.x or 22.x. It is, therefore, affected by multiple vulnerabilities:

- An authentication bypass vulnerability in the web component of Ivanti Policy Secure (9.x, 22.x) allows a remote attacker to access restricted resources by bypassing control checks. (CVE-2023-46805)
- A command injection vulnerability in web components of Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet. (CVE-2024-21887)
- A privilege escalation vulnerability in the web component of Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator. (CVE-2024-21888)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

```nasl
#%NASL_MIN_LEVEL 80900
##
# (c) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(190367);
  script_version("1.5");

  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/12");

  script_cve_id(
    "CVE-2023-46805",
    "CVE-2024-21887",
    "CVE-2024-21888",
    "CVE-2024-21893",
    "CVE-2024-22024"
  );
  script_xref(name:"CEA-ID", value:"CEA-2024-0003");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2024/01/31");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2024/02/02");
  script_xref(name:"IAVA", value:"2024-A-0080");

  script_name(english:"Ivanti Policy Secure 9.x / 22.x Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"A NAC solution installed on the remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The Ivanti Policy Secure installed on the remote host is 9.x or 22.x. It is, therefore, affected by
multiple vulnerabilities:
- An authentication bypass vulnerability in the web component of Ivanti Policy Secure (9.x, 22.x) and Ivanti Policy
Secure allows a remote attacker to access restricted resources by bypassing control checks. (CVE-2023-46805)
- A command injection vulnerability in web components of Ivanti Policy Secure (9.x, 22.x) and Ivanti Policy Secure
allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the
appliance. This vulnerability can be exploited over the internet. (CVE-2024-21887)
- A privilege escalation vulnerability in web component of Ivanti Policy Secure (9.x, 22.x) and Ivanti Policy Secure
(9.x, 22.x) allows a user to elevate privileges to that of an administrator. (CVE-2024-21888)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?11330e19");
  # https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dec942ff");
  script_set_attribute(attribute:"solution", value:
"See vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-21888");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2024-21887");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Ivanti Connect Secure Unauthenticated Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/01/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/01/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/02/09");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:pulsesecure:pulse_policy_secure");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("pulse_policy_secure_detect.nbin");
  script_require_keys("installed_sw/Pulse Policy Secure");

  exit(0);
}

include('vcf.inc');
include('http.inc');

var port = get_http_port(default:443);
var app_info = vcf::get_app_info(app:'Pulse Policy Secure', port:port);

var constraints = [
  {'min_version':'9.1.14', 'max_version':'9.1.14.7589', 'fixed_display':'See vendor advisory'}, # 9.1R14.2
  {'min_version':'9.1.15', 'max_version':'9.1.15.7703', 'fixed_display':'See vendor advisory'}, # 9.1R15.1
  {'min_version':'9.1.16', 'max_version':'9.1.16.8131', 'fixed_display':'See vendor advisory'}, # 9.1R16.1
  {'min_version':'9.1.17', 'fixed_version':'9.1.17.10079'}, # 9.1R17.3
  {'min_version':'9.1.18', 'fixed_version':'9.1.18.10077'}, # 9.1R18.4
  {'min_version':'22.1.1', 'max_version':'22.1.1.211', 'fixed_display':'See vendor advisory'}, # 22.1R1.1
  {'min_version':'22.1.6', 'max_version':'22.1.6.281', 'fixed_display':'See vendor advisory'}, # 22.1R6.1
  {'min_version':'22.2.3', 'max_version':'22.2.3.993', 'fixed_display':'See vendor advisory'}, # 22.2R3.1
  {'min_version':'22.3.1', 'max_version':'22.3.1.469', 'fixed_display':'See vendor advisory'}, # 22.3R1.1
  {'min_version':'22.4.1', 'max_version':'22.4.1.373', 'fixed_display':'See vendor advisory'}, # 22.4R1.1
  {'min_version':'22.5.1', 'fixed_version':'22.5.1.621'}, # 22.5R1.2
  {'min_version':'22.6.1', 'max_version':'22.6.1.595', 'fixed_display':'See vendor advisory'}, # 22.6R1.1
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
```
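
The plugin's verdict rests entirely on the version ranges in `constraints`, so the same table can be applied to an asset inventory without a scan. The following is an added example, not Tenable's code: the ranges are copied from the plugin, while the matching rules (inclusive `min_version`/`max_version`, exclusive `fixed_version`, zero-padding of short versions), the helper names and the sample inventory are assumptions made for illustration.

```python
# Added example: range table copied from the plugin's `constraints` list.
# Matching rules (inclusive min/max, exclusive fixed, zero-padding) are assumptions.
ADVISORY = "See vendor advisory"
CONSTRAINTS = [  # (min_version, bound, bound_is_fixed_version)
    ("9.1.14", "9.1.14.7589", False),
    ("9.1.15", "9.1.15.7703", False),
    ("9.1.16", "9.1.16.8131", False),
    ("9.1.17", "9.1.17.10079", True),
    ("9.1.18", "9.1.18.10077", True),
    ("22.1.1", "22.1.1.211", False),
    ("22.1.6", "22.1.6.281", False),
    ("22.2.3", "22.2.3.993", False),
    ("22.3.1", "22.3.1.469", False),
    ("22.4.1", "22.4.1.373", False),
    ("22.5.1", "22.5.1.621", True),
    ("22.6.1", "22.6.1.595", False),
]

def parse(version, width=4):
    """'9.1.14' -> (9, 1, 14, 0); raises ValueError on non-numeric parts."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def check(version):
    """Return the fix to display if version is in an affected range, else None."""
    v = parse(version)
    for low, bound, is_fixed in CONSTRAINTS:
        if v < parse(low):
            continue
        if is_fixed and v < parse(bound):
            return bound
        if not is_fixed and v <= parse(bound):
            return ADVISORY
    return None

def triage(inventory):
    """Map host -> 'affected (fix: ...)', 'not flagged' or 'unparsed version'."""
    report = {}
    for host, version in inventory.items():
        try:
            fix = check(version)
        except ValueError:  # e.g. release-style '9.1R14.2' instead of a build number
            report[host] = "unparsed version"
            continue
        report[host] = f"affected (fix: {fix})" if fix else "not flagged"
    return report

# Constructed inventory; hostnames and versions are illustrative only.
INVENTORY = {"nac-01": "9.1.14.7000", "nac-02": "9.1.17.10079",
             "nac-03": "22.5.1.600", "nac-04": "9.1R14.2"}
if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(host, status)
```

A "not flagged" result only means the build falls outside the listed ranges; like the plugin, this check trusts the reported version string and does not test the appliance.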

Vendor | Product | Version | CPE |
---|---|---|---|
pulsesecure | pulse_policy_secure | | cpe:/a:pulsesecure:pulse_policy_secure |

- cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46805
- cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21887
- cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21888
- cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21893
- cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22024
- www.nessus.org/u?11330e19
- www.nessus.org/u?dec942ff