Latest Ivanti SSRF zero-day now under mass exploitation


An Ivanti Connect Secure and Ivanti Policy Secure server-side request forgery (SSRF) vulnerability tracked as CVE-2024-21893 is currently under mass exploitation by multiple attackers.

Ivanti first warned about the flaw in the gateway's SAML components on January 31, 2024, giving it zero-day status due to limited active exploitation impacting a small number of customers.

Exploitation of CVE-2024-21893 allowed attackers to bypass authentication and access restricted resources on vulnerable devices (versions 9.x and 22.x).
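The article does not describe how the Ivanti SAML component is wired internally, so the following is a generic illustration added here (not Ivanti's code and not the Rapid7 PoC) of the vulnerability class: a server-side fetch helper in its vulnerable shape beside a hardened version that validates the destination before any request is made. The allow-listed host `idp.example.com` and the sample URLs are constructed for the example; the point is that an SSRF on an appliance lets a request originate from the appliance itself, which is why it can reach services that trust local callers.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed allow-list for this example: the only identity-provider host the
# SAML component should ever be asked to contact.
ALLOWED_HOSTS = {"idp.example.com"}
ALLOWED_SCHEMES = {"https"}


def vulnerable_target(url: str) -> str:
    """Vulnerable shape: the caller-supplied URL is used as-is.

    Because the request is made from the appliance itself, a caller can steer
    it at loopback or internal services that trust local callers, which is how
    an SSRF turns into an authentication bypass.
    """
    return url


def hardened_target(url: str) -> str:
    """Hardened shape: validate the destination before any request is made.

    Returns the URL unchanged when it is acceptable, raises ValueError otherwise.
    """
    parsed = urlparse(url)

    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")

    # Embedded credentials (https://idp.example.com@127.0.0.1/) make a URL look
    # allow-listed while the real host is something else; reject them outright.
    if parsed.username is not None or parsed.password is not None:
        raise ValueError("userinfo in URL is not allowed")

    host = parsed.hostname
    if not host:
        raise ValueError("URL has no host")

    # Reject literal IP addresses: loopback, link-local (cloud metadata) and
    # RFC 1918 ranges are the usual SSRF pivot points.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a hostname, fall through to the allow-list check
    else:
        raise ValueError(f"literal IP address not allowed: {host}")

    if host.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allow-list: {host}")

    return url


def is_allowed_target(url: str) -> bool:
    """Convenience wrapper: True if the hardened check accepts the URL."""
    try:
        hardened_target(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample destinations: one legitimate, three that must be refused.
    samples = [
        "https://idp.example.com/saml/metadata",
        "http://127.0.0.1/internal",
        "https://idp.example.com@127.0.0.1/",
        "https://169.254.169.254/",
    ]
    for s in samples:
        print(f"{s:45} vulnerable_passes={vulnerable_target(s) == s} hardened_passes={is_allowed_target(s)}")
```

Allow-listing the destination host is the check that matters; blocking a list of "bad" addresses is weaker because DNS rebinding and redirects can still land a request on an internal service. Real deployments also need to resolve the allow-listed name themselves and disable automatic redirect following in the HTTP client.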

Threat monitoring service Shadowserver is now seeing multiple attackers leveraging the SSRF bug, with 170 distinct IP addresses attempting to exploit the flaw.


The exploitation volume of this particular vulnerability is far greater than that of other recently fixed or mitigated Ivanti flaws, indicating a clear shift in the attackers' focus.

Exploitation volume for latest Ivanti flaws (Shadowserver)

Although the proof-of-concept (PoC) exploit released by Rapid7 researchers on February 2, 2024, has undoubtedly played a role in aiding attacks, Shadowserver notes that it observed attackers using similar methods hours prior to the publication of the Rapid7 report.

This means that hackers had already figured out how to leverage CVE-2024-21893 for unrestricted, unauthenticated access to vulnerable Ivanti endpoints.

According to Shadowserver, there are currently almost 22,500 Ivanti Connect Secure devices exposed on the Internet. However, it is unknown how many are vulnerable to this particular vulnerability.

A security mess

The disclosure of CVE-2024-21893 came together with the release of security updates for two other zero-days impacting the same products, CVE-2023-46805 and CVE-2024-21887, which Ivanti first disclosed on January 10, 2024, sharing temporary mitigations.

These two flaws were found to be exploited by the Chinese espionage threat group UTA0178/UNC5221 to install webshells and backdoors on breached devices. Infections from this campaign peaked at around 1,700 in mid-January.

Despite the initial mitigations, attackers bypassed defenses, compromising even the device's configuration files, leading Ivanti to postpone its firmware patches, scheduled for January 22, to address the sophisticated threat.

Due to the situation with active exploitation of multiple critical zero-day vulnerabilities, a lack of effective mitigations, and a lack of security updates for some of the impacted product versions, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has ordered federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances.

Only devices that have been factory reset and upgraded to the latest firmware version should be reconnected to the network. However, older versions that remain impacted are still without a patch.

This instruction extends to private organizations, although for them it is not mandatory. Therefore, companies should seriously consider the security status of their Ivanti deployments and the trust placed in their environment in general.
