
Ivanti devices hit by wave of exploits for latest security hole

Various miscreants are attempting to exploit the latest Ivanti flaw, a server-side request forgery (SSRF) vulnerability tracked as CVE-2024-21893 that can be used to hijack equipment.

That’s according to threat hunters tracking the string of CVE-listed security holes plaguing the VPN gateways in recent weeks.

Ivanti on January 31 disclosed and began patching CVE-2024-21893, which is present in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) appliances. The vendor spotted the flaw as it was investigating and scrambling to patch two other zero-day bugs in those products: an authentication bypass vulnerability (CVE-2023-46805) and a command injection flaw (CVE-2024-21887), both of which are also under attack.

Crooks latched onto CVE-2024-21893 because the vulnerability can be used to bypass mitigation efforts for that pair of earlier flaws and gain control of network gateways.

“At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted,” Ivanti claimed last week, adding that it expected exploitation to ramp up sharply as word of the security hole spread.

“The SSRF can be chained to CVE-2024-21887 for unauthenticated command injection with root privileges,” Rapid7 principal security researcher Stephen Fewer added on February 2. 

The security shop also published a proof-of-concept (PoC) exploit for CVE-2024-21893 that same day.

And unsurprisingly, the infosec watchers at ShadowServer observed attempts to open backdoors on vulnerable equipment and other exploitation attempts by snoops. “To date, over 170 attacking IPs involved,” according to the org, which noted it did spot exploitation prior to the Rapid7 PoC.

There’s no word yet on who is behind the latest Ivanti exploitation, though the earlier flaws were used by Chinese nation-state attackers to install backdoors on at least 1,700 devices, it’s claimed.

When asked about the attacks this month, an Ivanti spokesperson directed The Register to its earlier security alert. As of February 1, the vendor had issued a patch addressing all known vulnerabilities for Ivanti Connect Secure version 22.5R2.2 and Ivanti Policy Secure 22.5R1.1.

According to ShadowServer, exploits targeting CVE-2024-21893 are quickly outpacing the other previously reported Ivanti CVEs, and it has since added the flaw to its exploitation dashboard.

Also last week, the US government’s Cybersecurity and Infrastructure Security Agency issued its second emergency directive about the flawed Ivanti systems, requiring federal agencies running Ivanti Connect Secure or Ivanti Policy Secure to disconnect these products from agency networks by February 2. ®
