CVE-2024-21887

Description

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

From the Tenable Blog

CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways

Published: 2024-01-31

Frequently asked questions for five CVEs affecting Ivanti Connect Secure and Policy Secure Gateways, with three of the vulnerabilities having been exploited in the wild as zero-days.

CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure Gateways

Published: 2024-01-11

Two zero-day vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure have been exploited in the wild, with at least one attack attributed to nation-state actors.

References

https://www.theregister.com/2024/11/27/salt_typhoons_us_telcos/

https://www.darkreading.com/application-security/salt-typhoon-malware-arsenal-ghostspider

https://thehackernews.com/2024/11/chinese-hackers-use-ghostspider-malware.html

https://www.trendmicro.com/en_us/research/24/k/earth-estries.html

https://www.bleepingcomputer.com/news/security/salt-typhoon-hackers-backdoor-telcos-with-new-ghostspider-malware/

https://www.bleepingcomputer.com/news/security/cisco-bug-lets-hackers-run-commands-as-root-on-uwrb-access-points/

https://isc.sans.edu/diary/rss/31384

https://www.bleepingcomputer.com/news/security/flax-typhoon-hackers-infect-260-000-routers-ip-cameras-with-botnet-malware/

https://blog.lumen.com/derailing-the-raptor-train/

https://www.tenable.com/blog/aa24-241a-joint-cybersecurity-advisory-on-iran-based-cyber-actors-targeting-us-organizations

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a

https://securelist.com/vulnerability-exploit-report-q2-2024/113455/

https://www.tenable.com/blog/cve-2024-7593-ivanti-virtual-traffic-manager-authentication-bypass-vulnerability

https://blog.talosintelligence.com/common-ransomware-actor-ttps-playbooks/

https://www.akamai.com/blog/security-research/2024-redtail-cryptominer-pan-os-cve-exploit

https://thehackernews.com/2024/05/mirai-botnet-exploits-ivanti-connect.html

https://securityaffairs.com/162811/hacking/mitre-security-breach-china.html

https://securelist.com/vulnerability-report-q1-2024/112554/

https://blogs.juniper.net/en-us/security/protecting-your-network-from-opportunistic-ivanti-pulse-secure-vulnerability-exploitation

https://services.google.com/fh/files/misc/m-trends-2024.pdf

https://www.mitre.org/news-insights/news-release/mitre-response-cyber-attack-one-its-rd-networks

https://unit42.paloaltonetworks.com/malware-initiated-scanning-attacks/

https://www.bleepingcomputer.com/news/security/new-ivanti-rce-flaw-may-impact-16-000-exposed-vpn-gateways/

https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement

https://www.bleepingcomputer.com/news/security/magnet-goblin-hackers-use-1-day-flaws-to-drop-custom-linux-malware/

https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/

https://www.darkreading.com/vulnerabilities-threats/volt-typhoon-hits-multiple-electric-cos-expands-cyber-activity

https://hub.dragos.com/hubfs/116-Datasheets/Dragos_IntelBrief_VOLTZITE_FINAL.pdf

https://www.bleepingcomputer.com/news/security/newest-ivanti-ssrf-zero-day-now-under-mass-exploitation/

https://www.tenable.com/blog/cve-2023-46805-cve-2024-21887-cve-2024-21888-and-cve-2024-21893-frequently-asked-questions

https://www.infosecurity-magazine.com/news/rust-payloads-ivanti-zero-days/

https://www.cisa.gov/news-events/directives/ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure-vulnerabilities

https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/

https://meterpreter.org/mandiant-uncovers-unc5221-stealthy-hackers-bypass-vpn-defenses-with-malware-arsenal/

https://www.bleepingcomputer.com/news/security/ivanti-connect-secure-zero-days-now-under-mass-exploitation/

https://www.tenable.com/blog/cve-2023-46805-cve-2024-21887-zero-day-vulnerabilities-exploited-in-ivanti-connect-secure-and

https://www.bleepingcomputer.com/news/security/ivanti-warns-of-connect-secure-zero-days-exploited-in-attacks/

https://infosec.exchange/@[email protected]/111732557655576182

https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html

Details

Source: Mitre, NVD

Risk Information

CVSS v2

CVSS v3

CVSS v4