Pierluigi Paganini February 05, 2024
The Ivanti Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2024-21893, is currently being actively exploited in real-world attacks by various threat actors.
Last week Ivanti warned of two new high-severity vulnerabilities in its Connect Secure and Policy Secure solutions respectively tracked as CVE-2024-21888 (CVSS score: 8.8) and CVE-2024-21893 (CVSS score: 8.2). The software company also warned that one of these two vulnerabilities is under active exploitation in the wild.
The flaw CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Connect Secure (9.x, 22.x), Policy Secure (9.x, 22.x) and Neurons for ZTA. An authenticated attacker can exploit the issue to access certain restricted resources.
The company warned that the situation is still evolving and multiple threat actors can rapidly adapt their tactics, techniques, and procedures to exploit these issues in their campaigns.
“At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted. Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public – similar to what we observed on 11 January following the 10 January disclosure.” reads the advisory.
“Be aware that the situation is still evolving. Ivanti will update this knowledge base article as more information becomes available.”
The software firm recommends importing the “mitigation.release.20240126.5.xml” file via the download portal as temporary workarounds to address CVE-2024-21888 and CVE-2024-21893.
On February 2, 2024, researchers from Rapid7 published a technical analysis of the issue along with a proof-of-concept (PoC) exploit on February 2, 2024. The availability of a PoC exploit code could help threat actors to launch attacks against Internet-facing installs.
Researchers from Shadowserver observed the exploitation of the flaw CVE-2024-21893 in the wild by multiple threat actors, however, they pointed out that the attacks began hours prior to the publication of the Rapid7 PoC code.
The attacks observed by Shadowserver involved hundreds of distinct IP addresses.
On January 1st, for the first time since its establishment, CISA ordered federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, IVANTI)