Thursday, November 7, 2024

Recent SSRF Flaw in Ivanti VPN Products Undergoes Mass Exploitation

Feb 06, 2024 | Newsroom | Cybersecurity / Vulnerability


A recently disclosed server-side request forgery (SSRF) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation.

The Shadowserver Foundation said it observed exploitation attempts originating from more than 170 unique IP addresses that aim to establish a reverse shell, among others.

The attacks exploit CVE-2024-21893 (CVSS score: 8.2), an SSRF flaw in the SAML component of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA that allows an attacker to access otherwise restricted resources without authentication.

Ivanti had previously divulged that the vulnerability had been exploited in targeted attacks aimed at a “limited number of customers,” but cautioned the status quo could change post public disclosure.


That is exactly what appears to have happened, especially following the release of a proof-of-concept (PoC) exploit by cybersecurity firm Rapid7 last week.

The PoC involves fashioning an exploit chain that combines CVE-2024-21893 with CVE-2024-21887, a previously patched command injection flaw, to achieve unauthenticated remote code execution.

It's worth noting here that CVE-2024-21893 is an alias for CVE-2023-36661 (CVSS score: 7.5), an SSRF vulnerability present in the open-source Shibboleth XMLTooling library. It was fixed by the maintainers in June 2023 with the release of version 3.2.4.

Security researcher Will Dormann further pointed out other out-of-date open-source components used by Ivanti VPN appliances, such as curl 7.19.7, openssl 1.0.2n-fips, perl 5.6.1, psql 9.6.14, cabextract 0.5, ssh 5.3p1, and unzip 6.00, thus opening the door for more attacks.

The development comes as threat actors have found a way to bypass Ivanti’s initial mitigation, prompting the Utah-based company to release a second mitigation file. As of February 1, 2024, it has begun releasing official patches to address all the vulnerabilities.


Last week, Google-owned Mandiant revealed that several threat actors are leveraging CVE-2023-46805 and CVE-2024-21887 to deploy an array of custom web shells tracked as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE.

Palo Alto Networks Unit 42 said it observed 28,474 exposed instances of Ivanti Connect Secure and Policy Secure in 145 countries between January 26 and 30, 2024, with 610 compromised instances detected in 44 countries as of January 23, 2024.
