An SSRF vulnerability (CVE-2024-21893) in Ivanti's Connect Secure and Policy Secure is currently being exploited by numerous attackers. Ivanti first issued a warning about this flaw in the gateway's SAML components on January 31, 2024, labeling it as a zero-day due to its active, albeit limited, exploitation affecting a handful of customers. The exploitation of this vulnerability allows attackers to bypass authentication protocols and gain access to restricted resources on vulnerable devices, specifically versions 9.x and 22.x.
Shadowserver, a threat monitoring service, has reported an increase in the number of attackers leveraging this SSRF bug. The service has identified 170 distinct IP addresses attempting to exploit the flaw. The volume of exploitation of this particular vulnerability is significantly higher than other recently addressed or mitigated Ivanti vulnerabilities, indicating a shift in the focus of the attackers.
While the release of a proof-of-concept (PoC) exploit by Rapid7 researchers on February 2, 2024, may have aided the attacks, Shadowserver observed that attackers were employing similar methods hours before the publication of the Rapid7 report. This suggests that the attackers had already discovered how to utilize CVE-2024-21893 for unrestricted, unauthenticated access to vulnerable Ivanti endpoints.
According to ShadowServer, nearly 22,500 Ivanti Connect Secure devices are currently exposed on the internet. However, it remains uncertain how many of these devices are susceptible to this specific vulnerability.
The disclosure of CVE-2024-21893 was accompanied by the release of security updates for two other zero-days affecting the same products, CVE-2023-46805 and CVE-2024-21887, which Ivanti discovered on January 10, 2024, and provided temporary mitigations for. These two vulnerabilities were exploited by the Chinese espionage threat group UTA0178/UNC5221 to install webshells and backdoors on compromised devices. This campaign reached its peak with around 1,700 infections in mid-January. Despite initial mitigations, the attackers were able to bypass these defenses, compromising even the configuration files of the devices. This led Ivanti to delay its firmware patches, originally scheduled for January 22, to address the sophisticated threat.
In light of the ongoing exploitation of multiple critical zero-day vulnerabilities, the absence of effective mitigations, and the lack of security updates for some of the affected product versions, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has directed federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances. Only devices that have been factory reset and updated to the latest firmware version are allowed to reconnect to the network. However, older versions that remain affected are still without a patch. This directive also applies to private organizations, though it is not mandatory. As such, companies should thoroughly evaluate the security status of their Ivanti deployments and the overall trustworthiness of their environments.