Attacker Value
Very High
CVE-2024-21887
CVE-2024-21887
(Last updated January 13, 2024) ▾
MITRE ATT&CK
Log in to add MITRE ATT&CK tag
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Metasploit Module
Description
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
Add Assessment
1
Technical Analysis
CVE-2024-21887 is a command injection vulnerability in the web component of Ivanti Connect Secure (ICS) and Ivanti Policy Secure. This vulnerability, rated with a high severity CVSS score of 9.1, allows an authenticated user to execute arbitrary commands.
Details of CVE-2024-21887:
- CVE-2024-21887 affects all supported versions of Ivanti ICS and Policy Secure 9.x and 22.x.
- This vulnerability was exploited in the wild along with CVE-2023-46805 in a chained attack for unauthenticated remote code execution (RCE) as early as December 3, 2023.
- The exploitation of these vulnerabilities was attributed to UTA0178, suspected to be a Chinese nation-state level threat actor.
- These vulnerabilities were used in attacks involving the deployment of a custom web shell, GLASSTOKEN, on both internet-facing and internal assets for persistent network access.
Attack Mechanisms:
- Attackers manipulated legitimate components of Ivanti Connect Secure, such as
compcheck.cgi, to support the execution of remote commands and credential theft.
- The attacks were characterized by reconnaissance efforts, lateral movement, and deployment of GLASSTOKEN for persistent remote access.
Mitigation and Updates:
- As of the latest information, Ivanti has not released a patch for this vulnerability. However, they provided a mitigation script that should be used immediately.
- Ivanti announced that patches for this vulnerability would be released in a staggered schedule, starting from the week of January 22, 2024.
- Users and administrators of affected product versions are advised to apply the mitigation measures provided by Ivanti.
Detection of Compromise:
- Organizations can detect potential compromise through network traffic analysis, VPN device log analysis, and the execution of the Integrity Checker Tool.
- Monitoring for signs of compromise is recommended, including examining network traffic and VPN device logs.
Recommendation:
- Immediate application of current workarounds is crucial until patches are released.
- Continuous monitoring for signs of compromise is essential to ensure network security.
CVSS V3 Severity and Metrics
Data provided by the National Vulnerability Database (NVD)
Base Score:
9.1 Critical
Impact Score:
6
Exploitability Score:
2.3
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
High
User Interaction (UI):
None
Scope (S):
Changed
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High
General Information
Vendors
- ivanti
Products
- connect secure 22.1,
- connect secure 22.2,
- connect secure 22.3,
- connect secure 22.4,
- connect secure 22.5,
- connect secure 22.6,
- connect secure 9.0,
- connect secure 9.1,
- policy secure 22.1,
- policy secure 22.2,
- policy secure 22.3,
- policy secure 22.4,
- policy secure 22.5,
- policy secure 22.6,
- policy secure 9.0,
- policy secure 9.1
Metasploit Modules
Exploited in the Wild
References
Exploit
The following exploit POCs have not been verified by Rapid7 researchers, but are sourced from:
nomi-sec/PoC-in-GitHub.
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.
Related AttackerKB Topic
Miscellaneous
