Ivanti ICS and Policy Secure: Assessing the CVE-2023-46805 Threat

On January 10, 2024, a coalition of cyber security entities, including Ivanti, Volexity, and Mandiant, unveiled the discovery of a zero-day exploit sequence that impacted both Ivanti Connect Secure (previously known as Pulse Connect Secure) and the Ivanti Policy Secure gateway.

This set of exploits had been actively utilized by malicious actors since approximately December 2023.

The tandem of security weaknesses comprised an authentication circumvention issue (CVE-2023-46805) alongside a separate command injection flaw (CVE-2024-21887). These vulnerabilities offered unauthenticated attackers the opportunity to carry out operating system commands at the highest level of access.

Advisories from Ivanti established that these critical vulnerabilities are present across all the supported releases under versions 9.x and 22.x, with the impact on unsupported predecessors (versions 8.x and earlier) remaining unclear.

Our subsequent analysis focuses on version 22.3R1 (build 1647) of Ivanti Connect Secure.

Understanding the Critical Security Flaw: Breaking Down CVE-2023-46805

In the world of cybersecurity, vigilance is key as digital infrastructures are constantly under threat from various vulnerabilities.

Among these is CVE-2023-46805, a notable security flaw that has been identified within the web components of Ivanti Connect Secure (ICS) version 9.x and 22.x, alongside Ivanti Policy Secure solutions.

This particular vulnerability is severe because it permits a remote entity to sidestep the authentication mechanisms put in place to protect sensitive resources.

The Mechanics of CVE-2023-46805

The CVE-2023-46805 vulnerability is rooted in the authentication process’s weak points.

When these weaknesses are exploited, they provide an unauthorized user with the ability to bypass the standard login procedures, granting unfettered access to protected areas of the system that should only be accessible to authenticated users.

Such a lapse in security can have profound implications, including unauthorized data access, system control, and disruption of service integrity, all of which can have severe consequences for organizations and individuals alike.

In-Depth Look at the Ivanti Zero-Day Exploit Series: CVE-2023-46805 and CVE-2024-21887

On January 10, 2024, a coalition of cyber security entities, including Ivanti, Volexity, and Mandiant, unveiled the discovery of a zero-day exploit sequence that impacted both Ivanti Connect Secure (previously known as Pulse Connect Secure) and the Ivanti Policy Secure gateway.

This set of exploits had been actively utilized by malicious actors since approximately December 2023.

The tandem of security weaknesses comprised an authentication circumvention issue (CVE-2023-46805) alongside a separate command injection flaw (CVE-2024-21887).

These vulnerabilities offered unauthenticated attackers the opportunity to carry out operating system commands at the highest level of access.

Advisories from Ivanti established that these critical vulnerabilities are present across all the supported releases under versions 9.x and 22.x, with the impact on unsupported predecessors (versions 8.x and earlier) remaining unclear.

Our subsequent analysis focuses on version 22.3R1 (build 1647) of Ivanti Connect Secure.

Comprehensive Analysis of the Ivanti Security Breaches

The offensive against Ivanti Connect Secure VPN systems, attributed to the threat group UNC5221, demonstrated a high degree of technical sophistication.

The adversaries leveraged a pair of substantial vulnerabilities, starting with CVE-2023-46805 for bypassing authentication mechanisms and subsequently CVE-2024-21887 to inject commands.

In their arsenal, the threat actors employed meticulously crafted malware tools named THINSPOOL, ZIPLINE, and WARPWIRE, in addition to webshells dubbed LIGHTWIRE and WIREFIRE.

These invasive tools were ingeniously planted into secured segments of the Ivanti frameworks, which not only provided lasting access but also cloaked the attackers from detection.

In executing their operation, the attackers employed a systematized approach involving the download of tools for intelligence-gathering within the network, and strategic lateral movements utilizing the credentials they compromised.

A pivotal element of their modus operandi was the methodical collection and exploitation of sensitive user credentials through webshells that maintained continuous network access.

The WARPWIRE credential harvester exemplified this tactic, seamlessly integrating into a legitimate CS file to siphon plaintext login details, which were then transmitted to the command-and-control (C2) server through formatted HTTP GET requests:

hxxps://symantke[.]com/?&

Aiding their clandestine operations was the manipulative use of the Ivanti Integrity Checker Tool.

By exploiting the exclusion_list component of this legitimate Ivanti instrument, the attackers could insert any malicious tool into the Ivanti Connect Secure files and instruct the system to overlook its presence, thereby evading standard security protocols.

This technique was notably applied by the ZIPLINE Passive Backdoor, utilizing the –exclude parameter for enhanced discretion.

The deployment and utilization of webshells such as LIGHTWIRE and WIREFIRE were characteristic facets of this sophisticated cyber intrusion.

These webshells entrenched themselves within the network infrastructure, affording the assailants not just durable access but also the capability to remotely execute directives, laying the groundwork for extensive infiltration and data compromise.

Exploration of Ivanti Connect Secure Vulnerabilities

On the cybersecurity frontier, researchers from Rapid7 have delved into the intricacies of a critical exploit sequence that affected the Ivanti Connect Secure VPN platform.

The examination targeted version 22.3R1, which is distributed as a virtual appliance, revealing considerable security concerns due to two zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887.

Deciphering Command Injection Exposure: CVE-2024-21887

A Proof of Concept (PoC) for the exploitation of the command injection vulnerability, identified as CVE-2024-21887, has been made publicly accessible.

Crafted by Rapid7, this operational PoC underscores the severity of these security gaps.

The Rapid7 team encountered significant encryption-related challenges while probing Ivanti Connect Secure’s system architecture.

A substantial portion of the system’s data was protected by LUKS encryption, rendering direct access impossible without the correct decryption credentials.

Traditional techniques for breaching such safeguards were futile, propelling the investigators to develop an unconventional jailbreaking strategy.

This inventive approach capitalized on the Grub bootloader’s recovery shell.

By customizing the Grub configuration and integrating the command init=//bin/sh, the researchers gained entry to a recovery shell, adeptly circumventing built-in security filters.

This breakthrough facilitated the retrieval of the 16-byte LUKS encryption key essential for accessing the encrypted filesystem.

They could extract the encryption key using the command cat -Ev /etc/lvmkey and subsequently navigate the hurdle of transporting it out of the recovery shell environment.

Penetrating the Web Component’s Access Controls

Moving forward, the research spotlight turned to the appliance’s web infrastructure and its approach to managing user access.

Two main components surfaced during the analysis: a custom C++ web server found at ics_disk1/root/home/bin/web, and a Python-based REST API developed with Flask.

The dichotomy between these components was striking—while the Flask application lacked direct authentication checks, the C++ web server took on the mantle for this critical security function, hinting at a split between authentication procedures and the application logic.

In assessing the risk for potential exploitation, the research team diligently extracted all hard-coded URI endpoints from both the web and REST server codebases.

Their methodology included devising a Ruby script to systematically issue requests to these endpoints and chronicle their HTTP response statuses.

This step was decisive in pinpointing reachable endpoints and provided a clearer mapping of the vulnerabilities at hand.

Unearthing the Exploit Chain

The vulnerabilities formed a dangerous exploit chain featuring two distinct instances of command injection threats, each conferring a separate tier of system access. Proper semicolon placement was imperative for the successful execution of arbitrary commands through these injections.

The first exploitable loophole permitted command execution under a lower-level user account. It relied on the manipulation of a certain API endpoint which failed to adequately cleanse incoming user inputs, thereby allowing for the execution of unintended commands.

To wield this vulnerability, a synthesized GET request was necessary, incorporating encoded commands to ensure proper functioning.

The subsequent and more severe command injection offered a pathway to escalate privileges to the root level. Exploitation required a meticulously crafted JSON payload.

By triggering the associated vulnerability and then leveraging a tailored curl request, attackers could execute commands with escalated privileges, wholly bypassing any form of authentication.

This sequence of vulnerabilities highlights the paramount importance of robust input validation and access control within secure systems. The collaboration between Rapid7 and Ivanti underscores the continuous need for vigilance and prompt responsiveness in the ever-evolving landscape of cybersecurity threats.

Addressing CVE-2023-46805: A Community Effort

The cybersecurity community has been swift in its response to this emerging threat.

A proof-of-concept (PoC) script has been made publicly accessible on GitHub, demonstrating how the vulnerability can be tested.

While the availability of such a script underscores the importance of remediation, it also serves as a reminder of the urgency with which companies should patch their systems against CVE-2023-46805.

The PoC script, named CVE-2023-46805.sh, provides a straightforward way to verify if a system is susceptible to this vulnerability. It works by utilizing common utilities like curl and json_pp to interact with the target system.

Upon executing the script with the proper command-line syntax, including the target URL and port number, one can determine the system’s exposure by observing the output.

If vulnerability is present, the script will showcase indicative responses that confirm the security gap.

Testing for Vulnerability CVE-2023-46805

This tutorial will guide you through the process of using a script to test whether your system is vulnerable to CVE-2023-46805.

The script, named CVE-2023-46805.sh, is a Proof-of-Concept (PoC) which can be found in a GitHub repository.

Step 1: Download the Script

Firstly, you need to acquire the script that’s designed to check for the vulnerability:

  1. Navigate to the specified GitHub repository where the CVE-2023-46805.sh script is hosted.
  2. Locate and download the CVE-2023-46805.sh file to your local machine.

The script:

#!/bin/sh

if [ "$#" -ne 1 ]; then
    echo "missing argument like:"
    echo "./CVE-2023-46805.sh https://my.vpn.ip:443"
    exit 1
fi

curl -k -s --path-as-is -X GET "$1/api/v1/totp/user-backup-code/../../system/system-information" | json_pp

Step 2: Make the Script Executable

Before running the script, it must be marked as executable:

  1. Open your terminal or command prompt.
  2. Browse to the directory containing the downloaded script.
  3. Run the command:
chmod +x CVE-2023-46805.sh

This command changes the permissions of the script, allowing it to run as an executable file.

Step 3: Prerequisites

Ensure you have the required applications installed on your system:

  • curl: A command-line tool for transferring data with URLs. It supports various protocols, including HTTP and HTTPS.
  • json_pp: A JSON pretty printer that formats JSON data in a more readable way.

You can usually install these tools using your system’s package manager.

Step 4: Running the Script

Execute the script by supplying the Fully Qualified Domain Name (FQDN) and port of the server you wish to test. Here’s how:

  1. In the terminal, invoke the script followed by the target server’s URL and port number. If the server uses HTTPS, ensure you include it in the URL:
./CVE-2023-46805.sh https://example.com:443

Replace https://example.com:443 with the actual FQDN and port number of the server you are testing against.

  1. Press Enter to run the script.

Step 5: Interpreting the Results

Upon completion, the script will produce output that you’ll need to interpret:

  • If the system is potentially vulnerable to the CVE-2023-46805 flaw, the script will return certain indicators within its output.
  • You should closely examine any returned data for signs of vulnerability as indicated by abnormal entries or patterns that suggest unauthorized access may be possible.

Step 6: Taking Action

If the script indicates that your system is vulnerable:

  • Immediately contact your security team or the relevant personnel responsible for system maintenance.
  • Consult Ivanti’s official advisories or support channels for guidance on mitigating the identified vulnerability.

Using the CVE-2023-46805.sh script provides a straightforward means of checking for a specific vulnerability within your system.

By following this tutorial, you can quickly ascertain exposure to CVE-2023-46805 and take appropriate steps to safeguard against potential exploits.

Mitigation and Response

Organizations relying on Ivanti ICS or Ivanti Policy Secure must prioritize updating their systems with the latest security patches.

Vendors often release updates that address such critical vulnerabilities, and delaying these updates only extends the window of opportunity for potential attackers.

Ivanti’s commitment to cybersecurity is being put to the test with the emergence of zero-day vulnerabilities in its products. Detailed scrutiny of these vulnerabilities has been vital in formulating responsive mitigation strategies.

In response to the security flaws identified — specifically CVE-2023-46805, an authentication bypass with high severity, and CVE-2024-21887 — a structured approach has been deployed by Ivanti to safeguard users.

Prioritizing interim defensive measures, Ivanti advocates for the adoption of crucial steps that serve as provisional shields till the development of comprehensive patches.

Patch Release Roadmap Unveiled by Ivanti

Understanding the immediate need for resolution, Ivanti has instituted a phased patch deployment strategy.

The goal is to span all software versions at risk, starting from the third week of January and extending through mid-February.

This well-organized release schedule is integral to ensuring that every susceptible software iteration is reinforced against these vulnerabilities systematically and promptly.

Alternative Update Path for Enhanced Protection

Further fortifying their commitment to user security, Ivanti suggests an alternative trajectory: updating existing Ivanti product versions to the latest iteration.

This proactive measure could grant users earlier access to crucial patches, potentially fortifying their systems ahead of the planned patch sequence for older versions.

Ivanti emphasizes the importance of promptly applying available patches upon release, coupled with adherence to the interim mitigation guidelines, to maximize defense mechanisms against possible exploits stemming from these identified vulnerabilities.

Implementing Temporary Measures for Security Flaws

Ivanti has proactively outlined a set of temporary measures to combat the recently disclosed vulnerabilities, offering a clear path to heightened security for their users.

Mitigation Via XML File Replacement

To immediately address these security concerns, Ivanti has initiated a mitigation process that involves the replacement of a current XML file with a new version, specifically mitigation.release.20240107.1.xml.

The new XML is available through Ivanti’s customer portal upon successful login (detailed retrieval instructions, along with download links, can be found on Ivanti’s forum).

It’s crucial to note that while this step is pivotal for protection, it may alter certain functionalities within Ivanti products.

Impact on Ivanti Connect Secure Features

Implementing the mitigation steps could modify certain operations within the Ivanti Connect Secure suite:

Administrator REST APIs:

Automation processes reliant on the REST API for configuration and surveillance could face disruptions. Notwithstanding, gateway access remains through the GUI interface.

Advanced HTML5 End User Portal:

Instances requiring a dynamically generated HTML5 bookmark might be affected. However, pre-existing bookmarks should operate normally.

Java Secure Application Manager (JSAM):

Users will notice an impact on JSAM functionality.

Rewriter and Browser Bar Functionality:

Use of the Rewriter Browser Bar is not supported post-mitigation.

Citrix StoreFront Interactions:

Usage of Citrix StoreFront with HTML5 experiences issues, whereas connections over CTS/WSAM remain unaffected.

Auto-Launch of PSAL:

New users, or those on fresh devices, will encounter difficulties with the auto-installation of PSAL. Manual installation serves as a reliable alternative.

Administrator CRL Configurations:

While changes to CRL configurations won’t be possible during this period, general CRL functions are maintained.

Adjustments in Ivanti Policy Secure

Upon the application of the temporary fix, certain features in Ivanti Policy Secure will also experience performance degradation:

  • Profiler Functions:

The Profiler and Remote Profiler features will work at a reduced capacity, though authentication processes will still proceed.

  • UEBA Adaptive Authentication:

This authentication feature will be unavailable during the mitigation phase.

Additional Recommendations from Ivanti

In support of these mitigation steps, Ivanti proposes the use of an independent Integrity Checker (ICT) instance for ICS VPN appliances, instead of the default option, to prevent the risks associated with potential compromise during the incident.

The ICT operates post-installation to identify and display any unfamiliar or altered files, thereby indicating possible tampering.

A reboot is required to complete this process, which archives a secure snapshot of these flagged files for subsequent decryption and analysis by Ivanti.

Before engaging the ICT, Ivanti stresses the importance of collecting necessary forensic data should any signs of system infiltration emerge.

Conclusion

CVE-2023-46805 represents a significant security flaw categorized as an authentication bypass vulnerability affecting the web component of Ivanti ICS versions 9.x and 22.x, as well as Ivanti Policy Secure.

The critical nature of this vulnerability lies in its potential to allow remote attackers to gain unauthorized access to restricted resources by circumventing established authentication mechanisms.

The presence of this vulnerability poses a high risk due to the ease with which exploiters can potentially compromise affected systems, leading to unauthorized data access or control.

Organizations utilizing the impacted Ivanti products must be vigilant and prioritize addressing CVE-2023-46805, given its notable severity score of 8.2, as rated on the Common Vulnerability Scoring System (CVSS).

It is critical for administrators and cybersecurity teams to promptly apply any available patches or follow the mitigation recommendations provided by Ivanti.

Staying abreast of updates from trusted security advisories and platforms would be beneficial in protecting against any exploitation attempts associated with CVE-2023-46805.