Skip links

More mass exploits hit the same buggy Ivanti devices

All manner of miscreants are piling onto the latest Ivanti flaw, a server-side request forgery (SSRF) vulnerability tracked as CVE-2024-21893, according to threat hunters tracking the string of CVEs that have been plaguing the software shop’s gateways over recent weeks.

Ivanti first disclosed the newest bug in the SAML component of of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x)  appliances on January 31. The vendor spotted the flaw as it was investigating and scrambling to patch, two other zero-day bugs; an authentication bypass vulnerability (CVE-2023-46805) and a common injection flaw (CVE-2024-21887), that were also under attack.

“At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted. Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public — similar to what we observed on 11 January following the 10 January disclosure,” Ivanti warned last week.

It turned out that CVE-2024-21893 could be abused to bypass the mitigation for earlier flaws.

“The SSRF can be chained to CVE-2024-21887 for unauthenticated command injection with root privileges,” Rapid7 principal security researcher Stephen Fewer Xeeted on February 2. 

The security shop also published a proof-of-concept (PoC) exploit for CVE-2024-21893 that same day.

And unsurprisingly, ShadowServer reported reverse shell attempts and other exploits soon after. “To date, over 170 attacking IPs involved,” according to the UK government security org, which noted that it did spot exploitation prior to the Rapid7 PoC.

There’s now word yet on who is behind the newest Ivanti exploits, but the earlier flaws were used by Chinese nation-state attackers to install backdoors on at least 1,700 devices,it’s claimed.

When asked about February attacks, an Ivanti spokesperson directed The Register to its earlier security alert. As of February 1, the vendor had issued a patch addressing all known vulnerabilities for Ivanti Connect Secure version 22.5R2.2 and Ivanti Policy Secure 22.5R1.1.

According to ShadowServer, exploits targeting CVE-2024-21893 are quickly outpacing the other previously reported Ivanti CVEs, and it has since added the flaw to its exploitation dashboard.

Also last week, the US Cybersecurity and Infrastructure Security agency issued its second emergency directive about the flawed Ivanti systems, requiring federal agencies running Ivanti Connect Secure or Ivanti Policy Secure to disconnect these products from agency networks by February 2. ®

Source