Ivanti Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/ivanti/

Third Ivanti VPN Vulnerability Under Massive Exploitation
https://gridinsoft.com/blogs/third-ivanti-vpn-vulnerability/
Published Wed, 07 Feb 2024

Experts have discovered a third vulnerability in Ivanti products, this time a server-side request forgery (SSRF). It is a serious problem for corporate VPN appliances: the flaw lets an unauthenticated attacker reach resources that should be available only after logging in.

Ivanti SSRF Vulnerability Exploited

Ivanti, a well-known vendor of corporate VPN appliances, has issued a warning about a new zero-day under active exploitation. The warning follows two previously disclosed vulnerabilities, CVE-2023-46805 and CVE-2024-21887, which Chinese state-backed hackers have been exploiting since early December 2023. The latest flaw, CVE-2024-21893, is a server-side request forgery that gives unauthenticated access to restricted resources, and Ivanti reports that adversaries are already taking advantage of it as well.

Shadowserver counts over 22,000 Connect Secure and Policy Secure instances exposed on the Internet. On these appliances, authentication of incoming requests is performed by the doAuthCheck function in the HTTP web server binary at /root/home/bin/web. The SAML endpoint /dana-ws/saml20.ws is one of the paths that function lets through without authentication, which is what makes the new flaw reachable by an attacker who has no credentials at all.

[Figure: the doAuthCheck function in the appliance's HTTP web server binary]

The flaw, CVE-2024-21893, is a server-side request forgery in the SAML component of Ivanti's products: the appliance can be made to issue requests on the attacker's behalf, sidestepping the authentication that would otherwise gate those resources. It affects Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA. An estimated 1,700 devices worldwide have already been compromised, across industries including aerospace, banking, defense, government, and telecommunications.
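To make the shape of the problem concrete, here is an added illustration (written for this page; it is not Ivanti's code and is not derived from the appliance's binary) of a request dispatcher with an authentication-exempt SAML path whose handler fetches a client-supplied URL, next to a hardened version that checks the destination first. The exempt-path list, the metadata_url parameter, the fake network contents and the allowlist are all constructed for the example; only the /dana-ws/saml20.ws path comes from the page.

```python
import ipaddress
from urllib.parse import urlsplit

# Paths served without a session.  /dana-ws/saml20.ws is the one the page
# names; the rest of the list is constructed for this example.
AUTH_EXEMPT_PATHS = {"/dana-ws/saml20.ws", "/login"}

def requires_auth(path: str) -> bool:
    """Model of a doAuthCheck-style gate: exempt paths skip authentication."""
    return path not in AUTH_EXEMPT_PATHS

# Constructed stand-in for the network: what fetching each URL would return.
# The second entry represents an internal-only service on the appliance.
FAKE_NETWORK = {
    "https://idp.example.com/saml/metadata": "<EntityDescriptor entityID='idp'/>",
    "http://127.0.0.1:8090/internal/config": '{"admin_password": "s3cret"}',
}

def fake_fetch(url: str) -> str:
    return FAKE_NETWORK.get(url, "")

def vulnerable_saml_handler(params: dict) -> str:
    # Vulnerable: fetches whatever URL the client supplied.  Reached pre-auth,
    # this turns the appliance into a proxy for its own internal services.
    return fake_fetch(params["metadata_url"])

ALLOWED_IDP_HOSTS = {"idp.example.com"}   # constructed allowlist

def is_safe_target(url: str) -> bool:
    """Destination check for server-side fetches.

    Requires https, rejects literal non-global IPs (loopback, RFC 1918,
    link-local such as 169.254.169.254) and requires the host to be on the
    allowlist.  Caveat: this checks the name, not what it resolves to, so a
    production version must also pin the resolved address (DNS rebinding).
    """
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme != "https" or not host:
        return False
    try:
        if not ipaddress.ip_address(host).is_global:
            return False
    except ValueError:
        pass  # a hostname, not an IP literal
    return host in ALLOWED_IDP_HOSTS

def hardened_saml_handler(params: dict) -> str:
    url = params["metadata_url"]
    if not is_safe_target(url):
        raise PermissionError(f"refusing server-side fetch of {url!r}")
    return fake_fetch(url)

def handle_request(path: str, authenticated: bool, params: dict, handler) -> str:
    """Dispatcher: the auth gate runs first, then the endpoint's handler."""
    if requires_auth(path) and not authenticated:
        raise PermissionError("login required")
    return handler(params)

def ssrf_probe(handler) -> str:
    """What an unauthenticated client gets back when it aims the SAML fetch
    at the internal service; returns the response text or 'blocked'."""
    params = {"metadata_url": "http://127.0.0.1:8090/internal/config"}
    try:
        return handle_request("/dana-ws/saml20.ws", False, params, handler)
    except PermissionError:
        return "blocked"

if __name__ == "__main__":
    print("vulnerable:", ssrf_probe(vulnerable_saml_handler))
    print("hardened:  ", ssrf_probe(hardened_saml_handler))
```

The point of the pairing is that the SSRF itself is an ordinary bug; what makes it a pre-auth compromise is that it sits behind an endpoint the gate deliberately exempts. Anything reachable from such a path deserves the strictest input handling on the appliance.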

Impact of Ivanti VPN SSRF Vulnerability

VPN appliances are an attractive target for attackers who want to get deep into an organization's network. They give employees encrypted remote access to company resources, and because they sit on the network perimeter they accept connections from any device on the Internet. Once an attacker has a foothold on the VPN, they can move laterally toward the more critical and sensitive parts of the infrastructure.


The situation was made worse by Ivanti's delayed patches, which missed the vendor's own announced deadline by a week. That left organizations exposed for longer and forced security teams to mitigate the risk while attacks were ongoing. On top of that, attackers found ways to bypass the mitigation Ivanti had initially provided for the first two vulnerabilities.

CISA Calls to Disable Ivanti VPN

CISA issued Emergency Directive 24-01, requiring Federal Civilian Executive Branch agencies to act immediately on these zero-day vulnerabilities. The required measures include applying mitigations, reporting any signs of compromise, disconnecting affected products from agency networks, applying Ivanti's updates within 48 hours of their release, and sending CISA a detailed report of the actions taken.

Additionally, CISA’s guidance includes performing a factory reset and rebuilding of the Ivanti appliances before bringing them back online, underscoring the need for a clean slate to ensure the devices are free from compromise.

All of this looks like a perfect storm around Ivanti, and it will take a long time to restore trust in the product. Vulnerabilities happen in any software, but this many in one product, in such a short period, combined with a slow response from the vendor, is a genuine nightmare for its customers.

Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
https://gridinsoft.com/blogs/ivanti-connect-secure-0day-exploited/
Published Fri, 12 Jan 2024

Ivanti has issued an alert about its Connect Secure VPN appliances: advanced threat actors, possibly including state-sponsored groups, are exploiting two zero-day vulnerabilities in them. This is yet another vulnerability in Ivanti software.

Ivanti Connect Secure Zero-Day Exploited

Ivanti, a prominent software company, recently issued a critical alert about its Connect Secure VPN appliances. The devices are affected by zero-day vulnerabilities that are being exploited in sophisticated attacks, which researchers attribute to suspected Chinese state-backed hackers.

Ivanti has confirmed that the vulnerabilities let attackers gain unauthorized access and execute arbitrary code on affected devices. Given how widely Connect Secure appliances are deployed to provide remote access to corporate networks, that is a serious concern.

Details of the ICS 0-Day Vulnerability

The exploited vulnerabilities are CVE-2023-46805 (CVSS 8.2) and CVE-2024-21887 (CVSS 9.1). Chained together they let an attacker take over a vulnerable appliance over the Internet, with consequences that include remote code execution (RCE) and access to sensitive data. Neither flaw is the whole story on its own; it is the chain that turns an authentication bypass and an admin-only command injection into unauthenticated RCE.

The first vulnerability is an authentication bypass in the web component that lets a remote attacker reach restricted resources without passing the control checks. The second is a command injection in the web components that lets an authenticated administrator execute arbitrary commands on the appliance through specially crafted requests. Used after the bypass, that administrator requirement is no longer an obstacle.

Patches Not Yet Available

Although it has identified fewer than ten customers that have been affected, Ivanti has advised all of its customers to run the external Integrity Checker Tool (ICT) as a precautionary measure. The company has also added new functionality to the external ICT, which will be incorporated into the internal ICT. Customers should ensure they have both tools’ latest versions.

As for patches, Ivanti plans to release them during the week of January 22, on a staggered schedule by product version. In the meantime the company has published mitigation steps that customers should apply immediately; organizations are strongly advised to follow them, as the situation is still evolving.

How to Protect Against 0-day Vulnerabilities?

A zero-day is a vulnerability that attackers know about before the vendor has a fix, so there is no guaranteed protection. Some measures do significantly reduce the risk:

  • Use corporate-grade protection such as EDR/XDR. These tools collect detailed telemetry from every endpoint, including file operations, network traffic, and user behavior, and apply analytics and machine learning to it. Post-exploitation activity from a zero-day (an unexpected child process, an unusual outbound connection) tends to stand out in that data even when the initial exploit is unknown.
  • Apply Zero Trust. Zero Trust grants access on a least-privilege basis and continuously verifies users and devices. That reduces the attack surface and limits what an attacker can do after exploiting a single vulnerability.
  • Perform regular pentesting. A penetration test simulates a real attack on the organization's IT infrastructure to identify and assess vulnerabilities that attackers could exploit, including ones that automated tools miss.

Ivanti EPMM Vulnerability Patch is Vulnerable
https://gridinsoft.com/blogs/ivanti-epmm-patch-fix-vulnerable/
Published Thu, 03 Aug 2023

Ivanti, a vendor of a wide range of corporate management solutions, appears to have taken the baton from Ipswitch, the vendor of the infamous MOVEit MFT. Analysts found two severe vulnerabilities in its EPMM product within ten days, and the company rushed out fixes. However, the patch for CVE-2023-35078 turns out to be bypassable along the same pattern.

Ivanti EPMM Vulnerabilities Keep Going

On July 25, 2023, Ivanti published an advisory about a vulnerability in its EPMM device management software and offered a patch. The flaw, tracked as CVE-2023-35078, let attackers bypass authentication and reach all of the application's functionality, and it received the maximum CVSS score of 10.0. Worse, the vulnerability had reportedly been exploited since April 2023. The patch closes the unauthenticated access.

[Figure: heatmap of CVE-2023-35078 exploitation by country]

Soon afterwards another hole was found. CVE-2023-35081 is a path traversal vulnerability that lets an attacker write arbitrary files to the server. Its exploitation is tied to the previous flaw: attackers chained the two within a single attack, using the authentication bypass to get in and the path traversal to plant files.

The patch for CVE-2023-35078 is not airtight, though. Researchers found a way to pull off much the same trick against the patched version as attackers did before. The new bypass, tracked as CVE-2023-35082, is reported for older EPMM releases, 11.2 and below. In other words, even after patching, those versions did not reach a sustainable security level. Fortunately, no exploitation of this one has been seen yet. But as we know, once a 0-day becomes an n-day, its use becomes much more widespread.

How to protect against CVE-2023-35082?

The most effective advice is to update Ivanti EPMM to a version newer than 11.2. Rolling an update out across a large fleet of devices at once can be troublesome, but that effort is far preferable to cleaning up after a breach. Beyond that, there are a few other measures: not preventive, but still effective.

Adopt security solutions built around a zero-trust policy. The worst modern attacks come in through vulnerabilities in trusted software, so the answer is not to extend trust by default. EDR/XDR solutions built on this principle have their downsides, but their effectiveness is not in doubt: whether it is a home-made utility or a program with over a million users, every action it takes gets inspected.

Use UBA and SIEM to improve visibility and response across the environment. The zero-trust tooling above benefits greatly from additional sources of telemetry, which is all but essential in large networks made up of many different kinds of devices. Knowing what is happening and being able to respond quickly is vital when every minute counts.

The Second Exploit in Ivanti EPMM in a Week
https://gridinsoft.com/blogs/ivanti-epmm-second-exploit/
Published Tue, 01 Aug 2023

Ivanti has disclosed and fixed another vulnerability in its Endpoint Manager Mobile software, only days after patching a zero-day in the same product.

Analysts Find a New Vulnerability in Ivanti EPMM

Two vulnerabilities are currently being exploited by malicious actors, which makes them a common attack vector and a significant risk to federal networks. EPMM users are strongly advised to apply the available patches as soon as possible. Last week it was disclosed that one of them, CVE-2023-35078, with the maximum possible CVSS v3 score of 10, was used in an attack on twelve ministries of the Norwegian government.

Many IT departments worldwide, including several U.S. government agencies, use Ivanti's EPMM to manage mobile devices, apps, and content. The newly discovered bug, CVE-2023-35081, is a path traversal flaw with a CVSS v3 score of 7.2 that lets an attacker write arbitrary files onto the appliance.

“This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACLs (access control list) restrictions (if applicable).” (Ivanti)

The company thanked the cybersecurity firm Mnemonic for helping identify the new vulnerability. Mnemonic warned in a blog post that remote file write vulnerabilities seriously compromise system security and lead to attacks such as data breaches and system takeovers. Its researchers reported that the new EPMM vulnerability was exploited together with CVE-2023-35078 to write Java Server Pages and Java .class files to disk.

“These files were loaded into a running Apache Tomcat instance and enabled an external actor to run malicious Java bytecode on the affected servers.” (Ivanti)
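The file-write flaw described here, and in the earlier post on CVE-2023-35081 above, is a path traversal: a client-controlled file name that the server joins onto its upload directory without checking where the result lands. The following is an added example for this page, not Ivanti's code and not Mnemonic's findings; the upload directory, the webapps tree and the attacker's file name are constructed, since the real EPMM endpoint and paths are not given on the page. It puts the vulnerable join next to a hardened version that canonicalises the path, confirms containment with os.path.commonpath, and refuses extensions a servlet container would execute.

```python
import os
import shutil
import tempfile

class TraversalError(ValueError):
    """Raised when an upload name would land outside the upload directory."""

def vulnerable_write(base_dir: str, name: str, data: bytes) -> str:
    # Vulnerable: os.path.join trusts every segment of `name`, so "../" walks
    # out of base_dir and an absolute name replaces it entirely.
    target = os.path.join(base_dir, name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as f:
        f.write(data)
    return os.path.realpath(target)

def resolve_under(base_dir: str, name: str) -> str:
    """Canonical path for `name` inside base_dir, or TraversalError."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath is the containment test; a bare startswith() would accept
    # "/srv/uploads_evil/x" as being inside "/srv/uploads".
    if os.path.commonpath([base, target]) != base:
        raise TraversalError(f"{name!r} escapes {base_dir}")
    return target

def escapes(base_dir: str, name: str) -> bool:
    """True if `name` would be written outside base_dir."""
    try:
        resolve_under(base_dir, name)
    except TraversalError:
        return True
    return False

# Extensions a servlet container (Tomcat, in the attack described above)
# would execute; an upload API for ordinary files has no reason to accept them.
EXECUTABLE_SUFFIXES = (".jsp", ".jspx", ".class", ".war")

def hardened_write(base_dir: str, name: str, data: bytes) -> str:
    if os.path.isabs(name) or name.lower().endswith(EXECUTABLE_SUFFIXES):
        raise TraversalError(f"disallowed upload name {name!r}")
    target = resolve_under(base_dir, name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as f:
        f.write(data)
    return target

def demo() -> dict:
    """Run both writers in a scratch tree shaped like <root>/uploads and
    <root>/tomcat/webapps/ROOT (constructed); returns what happened."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    try:
        uploads = os.path.join(root, "uploads")
        webroot = os.path.join(root, "tomcat", "webapps", "ROOT")
        os.makedirs(uploads)
        os.makedirs(webroot)
        evil = "../tomcat/webapps/ROOT/shell.jsp"   # constructed attacker input
        landed = vulnerable_write(uploads, evil, b"<% /* web shell */ %>")
        out = {"vulnerable_wrote_into_webroot":
               os.path.dirname(landed) == os.path.realpath(webroot)}
        for label, name in (("traversal_txt", "../tomcat/webapps/ROOT/notes.txt"),
                            ("jsp_in_place", "shell.jsp"),
                            ("normal", "reports/2023-08.txt")):
            try:
                hardened_write(uploads, name, b"data")
                out["hardened_" + label] = "written"
            except TraversalError:
                out["hardened_" + label] = "rejected"
        return out
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two checks are needed, not one: the containment check stops the write from leaving the upload directory, and the extension check stops a file that stays inside it from being something the application server will execute if that directory is ever served. Canonicalising with realpath before comparing also defuses symlinks and mixed "a/../b" spellings that a string-based filter would miss.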

Report from CISA

On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging security teams to patch vulnerabilities recently reported by Ivanti. CISA specified that both CVE-2023-35081 and CVE-2023-35078 were being actively exploited. The patches newly released for CVE-2023-35081 also include patches for CVE-2023-35078.

CISA explained that if CVE-2023-35078 remains unpatched, attackers can gain EPMM administrator privileges, enabling them to write arbitrary files with the operating system privileges of the web application server. The agency warned that the attacker could execute the uploaded file, such as a web shell.

Last week, CISA added CVE-2023-35078 to its Known Exploited Vulnerabilities catalog and ordered all Federal Civilian Executive Branch government agencies to fix the issue by August 15. However, the agency has yet to take similar steps in regard to CVE-2023-35081.

How to Avoid a Significant Cyberattack?

Organizations that could fall victim to such attacks should prioritize their defenses. If a significant attack does occur, the organization should reassess its security approach and posture and reflect on the decisions that led there. That lesson applies to companies as much as to government services.

  • Implement strict access controls: strong passwords, multi-factor authentication (MFA), and role-based access control, to prevent unauthorized access to sensitive data and systems.
  • Keep operating systems, software, and applications updated with the latest security patches to close known vulnerabilities, and do so on a regular schedule.
  • Adopt Zero Trust principles, which significantly strengthen security by following "never trust, always verify": every user, device, and connection must be authenticated before it reaches the business network, its essential assets, and its sensitive data.
  • Stay up to date on the latest vulnerabilities and on safe online practices, for yourself and your team. Always be careful when sharing sensitive information online or with people you do not know.

Ivanti 0-day exploited to target Norwegian government
https://gridinsoft.com/blogs/ivanti-zero-day-norwegian-government/
Published Tue, 25 Jul 2023

Ivanti has patched a zero-day authentication bypass in Endpoint Manager Mobile (EPMM, formerly MobileIron Core). The vulnerability carries the maximum CVSS score and was actively exploited to gain unauthorized access.

What is Ivanti Company?

Ivanti is an IT software company headquartered in Utah, United States. It produces a variety of IT management and security solutions used by businesses, government agencies, and educational institutions. For example, almost all Norwegian ministries run Ivanti Endpoint Manager Mobile, with only a couple of exceptions. Clients like that are a big responsibility, and unfortunately not every vendor is up to mitigating all the risks.

Ivanti EPMM 0-day Vulnerability

The Australian Cyber Security Centre (ACSC) has received reports of a vulnerability in Ivanti EPMM (Endpoint Manager Mobile), also known as MobileIron Core, affecting all supported releases and earlier unsupported ones. The flaw, CVE-2023-35078, allows remote access to the API without authentication and has the maximum severity rating on the CVSS scale, 10 out of 10. Ivanti said it received the information from a reliable source but did not disclose further details about the nature of the attacks or the attackers behind them. The Norwegian National Security Authority (NSM), however, confirmed that unknown attackers exploited the vulnerability to attack the Norwegian Government Security and Service Organisation (DSS). The attackers could therefore have accessed and stolen sensitive data from the compromised platform.

On Sunday the company released a security patch; users can install it by upgrading to EPMM 11.8.1.1, 11.9.1.1, or 11.10.0.2. Ivanti also provided an update for older, unsupported versions below 11.8.

CVE-2023-35078 Details

CVE-2023-35078 is a zero-day authentication bypass. It provides unauthenticated remote access to specific API paths, so an attacker can read personally identifiable information such as usernames, phone numbers, and other mobile device details from the vulnerable system. An attacker can also make configuration changes, including creating an EPMM administrator account for further changes. The vulnerability affects all supported versions of EPMM (11.10, 11.9, and 11.8) and earlier unsupported releases; it is fixed in 11.10.0.2, 11.9.1.1, and 11.8.1.1. Because it has the maximum CVSS score of 10.0 and is easy to exploit, experts strongly recommend updating every appliance, including end-of-life ones. If an appliance cannot be updated, take it offline.

[Figure: CVE-2023-35078 vulnerability heatmap by country]

Ivanti has also published a password-protected security advisory that only customers with login credentials can read, which is a puzzling choice. The company clarified that the vulnerability was not used in a supply chain attack. The IoT search engine Shodan finds more than 2,900 MobileIron user portals publicly reachable on the Internet, mainly in the US and Europe; about 30 of them belong to local and state governments in the United States. The largest numbers of exposed servers are in the US, Germany, the UK, and Hong Kong. The Norwegian National Cyber Security Centre has notified all known system owners in the country with MobileIron Core exposed to the Internet that a security update has been issued.

How to secure against Ivanti 0-day vulnerability?

The Norwegian government is not Ivanti's only client. Companies all over the world use its software, and it turned out to have a weak spot where no one expected one. Here are some steps you can take to secure against the Ivanti 0-day.

  • Apply the latest security patches. This is the first thing to do, since Ivanti has released a patch for the vulnerability; apply it as soon as possible.
  • Use multi-factor authentication (MFA). MFA adds a layer of security to your IT systems by requiring two or more factors to authenticate, which makes it harder for attackers to get in with stolen credentials alone. Note that MFA on the admin portal does not stop an unauthenticated API bypass like CVE-2023-35078, so it complements the patch rather than replacing it.
  • Monitor your IT systems for suspicious activity, such as unauthorized access attempts or unusual traffic patterns, so that you can identify and respond to attacks.
  • Educate your users about security best practices. Users are the first line of defense against cyberattacks; they should, for example, avoid clicking suspicious links or opening attachments from unknown senders.

By following these steps, you can help to protect your organization against the 0-day vulnerability and other cyberattacks.
