Ivanti devices hit by wave of exploits for latest security hole
At this point you might be better off just shutting the stuff down
Various miscreants are attempting to exploit the latest Ivanti flaw, a server-side request forgery (SSRF) vulnerability tracked as CVE-2024-21893 that can be used to hijack equipment.
That's according to threat hunters tracking the string of CVE-listed security holes plaguing the VPN gateways in recent weeks.
Ivanti on January 31 disclosed and began patching CVE-2024-21893, which is present in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) appliances. The vendor spotted the flaw as it was investigating and scrambling to patch two other zero-day bugs in those products: an authentication bypass vulnerability (CVE-2023-46805) and a command injection flaw (CVE-2024-21887), both of which are also under attack.
Crooks latched onto CVE-2024-21893 because the vulnerability can be used to bypass the mitigations Ivanti issued for that pair of earlier flaws and gain control of the network gateways.
"At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted," Ivanti claimed last week, adding that it expected exploitation to ramp up sharply as word of the security hole spread.
"The SSRF can be chained to CVE-2024-21887 for unauthenticated command injection with root privileges," Rapid7 principal security researcher Stephen Fewer added on February 2.
The security shop also published a proof-of-concept (PoC) exploit for CVE-2024-21893 that same day.
And unsurprisingly, the infosec watchers at ShadowServer observed attempts to open backdoors on vulnerable equipment and other exploitation attempts by snoops. "To date, over 170 attacking IPs involved," according to the org, which noted it did spot exploitation prior to the Rapid7 PoC.
When asked about the attacks this month, an Ivanti spokesperson directed The Register to its earlier security alert. As of February 1, the vendor had issued a patch addressing all known vulnerabilities for Ivanti Connect Secure version 22.5R2.2 and Ivanti Policy Secure 22.5R1.1.
Also last week, the US government's Cybersecurity and Infrastructure Security Agency issued its second emergency directive about the flawed Ivanti systems, requiring federal agencies running Ivanti Connect Secure or Ivanti Policy Secure to disconnect these products from agency networks by February 2. ®