Ivanti SSRF Flaw Exploited by Hackers to Deploy New DSLog Backdoor
February 12, 2024
Hackers have taken advantage of a server-side request forgery (SSRF) vulnerability in Ivanti's Connect Secure, Policy Secure, and ZTA gateways to deploy a newly identified backdoor, DSLog, on susceptible devices. The vulnerability, known as CVE-2024-21893, was revealed as a zero-day being actively exploited on January 31, 2024. In response, Ivanti issued security updates and offered mitigation advice. The flaw affects the SAML component of the products in question and allows threat actors to bypass authentication and access restricted resources on Ivanti gateways running versions 9.x and 22.x. The updates that address the issue are Ivanti Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 and 22.5R2.2, Ivanti Policy Secure version 22.5R1.1, and ZTA version 22.6R1.3.
On February 5, 2024, Shadowserver, a threat monitoring service, reported observing multiple threat actors attempting to exploit the flaw. Some of these actors used proof-of-concept (PoC) exploits previously published by Rapid7, but the success rate of these attempts was unknown at the time.
A new report by Orange Cyberdefense confirmed successful exploitation of CVE-2024-21893 to install the DSLog backdoor, which allows threat actors to execute commands on compromised Ivanti servers remotely. Orange first identified this new backdoor on February 3, 2024, after analyzing a compromised device that had implemented Ivanti's proposed XML mitigation but hadn't applied the patch.
By examining the logs of the compromised Ivanti device, Orange researchers discovered a backdoor had been injected into the appliance's codebase through SAML authentication requests containing encoded commands. These commands executed operations like outputting system information to a publicly accessible file (index2.txt), indicating the attackers' intention to perform internal reconnaissance and confirm their root access.
Subsequent SAML requests showed the attackers obtaining read/write access to the filesystem on the breached device, checking whether a legitimate logging script (DSLog.pm) had already been modified, and injecting the backdoor when the marker string indicating that modification was absent. The backdoor was inserted into the DSLog file, which logs various types of authenticated web requests and system logs. The threat actors used a unique SHA256 hash per appliance as an API key and required that hash in the HTTP User-Agent header before a command would run. Orange clarified that the hash for one appliance cannot be used to contact the backdoor on another device.
The primary function of the DSLog backdoor is to execute commands as root. According to Orange, it will run 'any commands' the attackers deliver over HTTP, with the command carried in a query parameter named 'cdi'. Each request also carries the SHA256 hash that matches the contacted device, which serves as the key authenticating the request to the backdoor. The researchers noted that the webshell returns no status code or output when contacted, so probing a device for it produces no telling response, which makes it particularly stealthy.
Although the '.access' logs had been erased on multiple compromised appliances to conceal the attackers' activity, the researchers identified nearly 700 compromised Ivanti servers by examining other artifacts, such as the 'index' text files in the 'hxxp://{ip}/dana-na/imgs/' directory. Approximately 20% of these endpoints had already been affected by earlier campaigns; the others were exposed because the additional patches or mitigations had not been applied. Because the access logs were wiped, the absence of log entries is not evidence that a device is clean; the imgs directory and the integrity of DSLog.pm are the artifacts to check. To mitigate threats leveraging this SSRF or any of the other recently disclosed Ivanti vulnerabilities, follow Ivanti's latest recommendations.
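The request pattern described above (a command in the 'cdi' query parameter, a per-appliance SHA256 hash in the User-Agent, no response body) and the index text files under /dana-na/imgs/ can be turned into a simple log-triage script. The following Python is an added example, not code from Orange Cyberdefense or from the original report. It assumes web-server lines in Apache combined log format (Ivanti appliances use their own log layout, so the regex would need adjusting for real exports); the sample lines, the request paths in them, and the 64-character hash are constructed placeholders, not values observed in the wild. The DSLog.pm baseline hash is something the operator must take from a clean appliance of the same version; none is given on this page.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format (an assumption made for
# this example; real Ivanti logs use a different layout, so adjust LOG_RE when
# pointing this at actual exports). The hash in the User-Agent and the request
# paths are placeholders, not indicators observed in the wild.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Feb/2024:10:12:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Feb/2024:10:12:05 +0000] "GET /dana-na/imgs/index2.txt HTTP/1.1" 200 812 "-" "curl/8.4.0"
198.51.100.7 - - [03/Feb/2024:10:13:40 +0000] "GET /dana-na/auth/url_default/welcome.cgi?cdi=id HTTP/1.1" 200 0 "-" "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
198.51.100.7 - - [03/Feb/2024:10:13:41 +0000] "GET /dana-na/auth/url_default/welcome.cgi?cdi=uname%20-a HTTP/1.1" 200 0 "-" "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
192.0.2.5 - - [03/Feb/2024:10:15:00 +0000] "POST /dana-na/auth/url_default/login.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A bare SHA256 hex digest where a browser string should be.
HEX64_RE = re.compile(r'^[0-9a-f]{64}$', re.IGNORECASE)
# index.txt, index2.txt, ... dropped into the web-accessible imgs directory.
IMGS_INDEX_RE = re.compile(r'^/dana-na/imgs/index\d*\.txt$')


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def classify(entry):
    """Return indicator tags for a parsed request; an empty list means nothing matched."""
    tags = []
    has_cdi = "cdi" in entry["query"]
    if has_cdi and HEX64_RE.match(entry["ua"]):
        tags.append("dslog-command")       # cdi parameter plus hash-as-User-Agent
    elif has_cdi:
        tags.append("cdi-parameter")       # weaker: the parameter alone
    if IMGS_INDEX_RE.match(entry["path"]):
        tags.append("imgs-index-artifact")  # someone fetching the recon output file
    return tags


def hunt(log_text):
    """Run classify() over every parsable line and return the flagged requests."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            hits.append({
                "ts": entry["ts"],
                "ip": entry["ip"],
                "path": entry["path"],
                "cdi": entry["query"].get("cdi", [None])[0],
                "ua": entry["ua"],
                "tags": tags,
            })
    return hits


def distinct_keys(hits):
    """API keys seen in DSLog-style requests. Orange reports one hash per
    appliance, so more than one key in a single device's logs is itself odd."""
    return {h["ua"] for h in hits if "dslog-command" in h["tags"]}


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def dslog_modified(path, known_good_sha256):
    """True if DSLog.pm differs from a baseline hash taken from a clean appliance
    of the same version (the baseline is the operator's; none is on this page)."""
    return file_sha256(path).lower() != known_good_sha256.lower()


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for hit in found:
        print(hit["ts"], hit["ip"], hit["path"], hit["cdi"], hit["tags"])
    print("keys:", distinct_keys(found))
```

Because the attackers wiped the '.access' logs on many devices, a clean run of this script over what remains proves little; pair it with the DSLog.pm hash comparison and a listing of /dana-na/imgs/ on the appliance itself.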