A recently disclosed server-side request forgery (SSRF) vulnerability affecting Ivanti Connect Secure and Policy Secure products has come under mass exploitation.

The Shadowserver Foundation reported that it observed exploitation attempts originating from more than 170 unique IP addresses, with many of them aiming to establish a reverse shell, among other payloads.

The attacks exploit CVE-2024-21893 (CVSS score: 8.2), an SSRF flaw in the SAML component of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA that allows an attacker to access otherwise restricted resources without authentication.

Ivanti had previously disclosed that the vulnerability had been exploited in targeted attacks aimed at a "limited number of customers," but cautioned that the situation could change after public disclosure.

That is exactly what appears to have happened, particularly following the release of a proof-of-concept (PoC) exploit by cybersecurity firm Rapid7 last week.

The PoC involves an exploit chain that combines CVE-2024-21893 with CVE-2024-21887, a previously patched command injection flaw, to achieve unauthenticated remote code execution. In practice this means the SSRF alone is only part of the risk: on an appliance that is missing the CVE-2024-21887 fix, the pre-authentication SSRF becomes the entry point for full code execution.

It is worth noting that CVE-2024-21893 is an alias for CVE-2023-36661 (CVSS score: 7.5), an SSRF vulnerability in the open-source Shibboleth XMLTooling library, which Ivanti bundles in its products. The maintainers fixed it in June 2023 with the release of version 3.2.4, so the bug was known and patched upstream for roughly seven months before the Ivanti advisory.

Security researcher Will Dormann further pointed out other out-of-date open-source components used by Ivanti VPN appliances, such as curl 7.19.7, openssl 1.0.2n-fips, perl 5.6.1, psql 9.6.14, cabextract 0.5, ssh 5.3p1, and unzip 6.00, which may open the door to additional attacks beyond the flaws disclosed so far.

The development comes as threat actors have found a way to bypass Ivanti's initial mitigation, prompting the Utah-based company to release a second mitigation file. As of February 1, 2024, it has begun releasing official patches to address all of the vulnerabilities; until a patched build is applied, the mitigation file is the only available protection, and it should be verified as still present after any upgrade or factory reset.

Last week, Google-owned Mandiant revealed that several threat actors are leveraging CVE-2023-46805 and CVE-2024-21887 to deploy an array of custom web shells tracked as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE.

Palo Alto Networks Unit 42 said it observed 28,474 exposed instances of Ivanti Connect Secure and Policy Secure in 145 countries between January 26 and 30, 2024, with 610 compromised instances detected in 44 countries as of January 23, 2024.