Very High
CVE-2024-21887
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2024-21887
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityMedium
Technical Analysis
CVE-2024-21887 is a command injection vulnerability in the web component of Ivanti Connect Secure (ICS) and Ivanti Policy Secure. This vulnerability, rated with a high severity CVSS score of 9.1, allows an authenticated user to execute arbitrary commands.
Details of CVE-2024-21887:
- CVE-2024-21887 affects all supported versions of Ivanti ICS and Policy Secure 9.x and 22.x.
- This vulnerability was exploited in the wild along with CVE-2023-46805 in a chained attack for unauthenticated remote code execution (RCE) as early as December 3, 2023.
- The exploitation of these vulnerabilities was attributed to UTA0178, suspected to be a Chinese nation-state level threat actor.
- These vulnerabilities were used in attacks involving the deployment of a custom web shell, GLASSTOKEN, on both internet-facing and internal assets for persistent network access.
Attack Mechanisms:
- Attackers manipulated legitimate components of Ivanti Connect Secure, such as
compcheck.cgi
, to support the execution of remote commands and credential theft.
- The attacks were characterized by reconnaissance efforts, lateral movement, and deployment of GLASSTOKEN for persistent remote access.
Mitigation and Updates:
- As of the latest information, Ivanti has not released a patch for this vulnerability. However, they provided a mitigation script that should be used immediately.
- Ivanti announced that patches for this vulnerability would be released in a staggered schedule, starting from the week of January 22, 2024.
- Users and administrators of affected product versions are advised to apply the mitigation measures provided by Ivanti.
Detection of Compromise:
- Organizations can detect potential compromise through network traffic analysis, VPN device log analysis, and the execution of the Integrity Checker Tool.
- Monitoring for signs of compromise is recommended, including examining network traffic and VPN device logs.
Recommendation:
- Immediate application of current workarounds is crucial until patches are released.
- Continuous monitoring for signs of compromise is essential to ensure network security.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- ivanti
Products
- connect secure 22.1,
- connect secure 22.2,
- connect secure 22.3,
- connect secure 22.4,
- connect secure 22.5,
- connect secure 22.6,
- connect secure 9.0,
- connect secure 9.1,
- policy secure 22.1,
- policy secure 22.2,
- policy secure 22.3,
- policy secure 22.4,
- policy secure 22.5,
- policy secure 22.6,
- policy secure 9.0,
- policy secure 9.1
Metasploit Modules
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this report- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2024/01/10/cisa-adds-two-known-exploited-vulnerabilities-catalog)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Exploit
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
Related AttackerKB Topic
Miscellaneous
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: