A recently disclosed server-side request forgery (SSRF) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation.
The Shadowserver Foundation said it observed exploitation attempts originating from more than 170 unique IP addresses that aim to establish a reverse shell, among others.
The attacks exploit CVE-2024-21893 (CVSS score: 8.2), an SSRF flaw in the SAML component of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA that allows an attacker to access otherwise restricted resources without authentication.
Ivanti had previously disclosed that the vulnerability had been exploited in targeted attacks aimed at a "limited number of customers," but cautioned that the status quo could change after public disclosure.
That is exactly what appears to have happened, especially following the release of a proof-of-concept (PoC) exploit by cybersecurity firm Rapid7 last week.
The PoC involves fashioning an exploit chain that combines CVE-2024-21893 with CVE-2024-21887, a previously patched command injection flaw, to achieve unauthenticated remote code execution.
It is worth noting here that CVE-2024-21893 is an alias for CVE-2023-36661 (CVSS score: 7.5), an SSRF vulnerability present in the open-source Shibboleth XMLTooling library. It was fixed by the maintainers in June 2023 with the release of version 3.2.4.
Security researcher Will Dormann further pointed out other out-of-date open-source components used by Ivanti VPN appliances, such as curl 7.19.7, openssl 1.0.2n-fips, perl 5.6.1, psql 9.6.14, cabextract 0.5, ssh 5.3p1, and unzip 6.00, thus opening the door for more attacks.
The development comes as threat actors have found a way to bypass Ivanti's initial mitigation, prompting the Utah-based company to release a second mitigation file. As of February 1, 2024, it has begun releasing official patches to address all the vulnerabilities.
Last week, Google-owned Mandiant revealed that multiple threat actors are leveraging CVE-2023-46805 and CVE-2024-21887 to deploy an array of custom web shells tracked as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE.
Palo Alto Networks Unit 42 said it observed 28,474 exposed instances of Ivanti Connect Secure and Policy Secure in 145 countries between January 26 and 30, 2024, with 610 compromised instances detected in 44 countries as of January 23, 2024.