Attacker Value: Very High (1 user assessed)
Exploitability: Moderate (1 user assessed)
User Interaction: None
Privileges Required: High
Attack Vector: Network

CVE-2024-21887

Disclosure Date: January 12, 2024
Exploited in the Wild

Description

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Technical Analysis

CVE-2024-21887 is a command injection vulnerability in the web component of Ivanti Connect Secure (ICS) and Ivanti Policy Secure. This vulnerability, rated with a high severity CVSS score of 9.1, allows an authenticated user to execute arbitrary commands.

Details of CVE-2024-21887:

  • CVE-2024-21887 affects all supported versions of Ivanti ICS and Policy Secure 9.x and 22.x.
  • This vulnerability was exploited in the wild along with CVE-2023-46805 in a chained attack for unauthenticated remote code execution (RCE) as early as December 3, 2023.
  • The exploitation of these vulnerabilities was attributed to UTA0178, suspected to be a Chinese nation-state level threat actor.
  • These vulnerabilities were used in attacks involving the deployment of a custom web shell, GLASSTOKEN, on both internet-facing and internal assets for persistent network access.

Attack Mechanisms:

  • Attackers manipulated legitimate components of Ivanti Connect Secure, such as compcheck.cgi, to support the execution of remote commands and credential theft.
  • The attacks were characterized by reconnaissance efforts, lateral movement, and deployment of GLASSTOKEN for persistent remote access.

Mitigation and Updates:

  • As of the latest information, Ivanti has not released a patch for this vulnerability. However, they provided a mitigation script that should be used immediately.
  • Ivanti announced that patches for this vulnerability would be released in a staggered schedule, starting from the week of January 22, 2024.
  • Users and administrators of affected product versions are advised to apply the mitigation measures provided by Ivanti.

Detection of Compromise:

  • Organizations can detect potential compromise through network traffic analysis, VPN device log analysis, and the execution of the Integrity Checker Tool.
  • Monitoring for signs of compromise is recommended, including examining network traffic and VPN device logs.

Recommendation:

  • Immediate application of current workarounds is crucial until patches are released.
  • Continuous monitoring for signs of compromise is essential to ensure network security.

CVSS V3 Severity and Metrics

  • Base Score: 9.1 Critical
  • Impact Score: 6
  • Exploitability Score: 2.3
  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): High
  • User Interaction (UI): None
  • Scope (S): Changed
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): High

General Information

Vendors

  • ivanti

Products

  • connect secure 22.1
  • connect secure 22.2
  • connect secure 22.3
  • connect secure 22.4
  • connect secure 22.5
  • connect secure 22.6
  • connect secure 9.0
  • connect secure 9.1
  • policy secure 22.1
  • policy secure 22.2
  • policy secure 22.3
  • policy secure 22.4
  • policy secure 22.5
  • policy secure 22.6
  • policy secure 9.0
  • policy secure 9.1
