VULNERA Pulse

Ivanti — Connect Secure, Policy Secure, and Neurons

CVE-2024-21893 / Added: Jan. 31, 2024

HIGH CVSS 8.20

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication.

Headlines

• Feb. 1, 2024 - CISA Orders Ivanti VPN Appliances Disconnected: What to Do
• Feb. 1, 2024 - CISA orders federal agencies to disconnect Ivanti VPN instances by February 2
• Feb. 1, 2024 - CISA orders federal agencies to disconnect Ivanti VPN appliances by Saturday
• Feb. 1, 2024 - Multiple malware used in attacks exploiting Ivanti VPN flaws
• Feb. 1, 2024 - Ivanti Releases Zero-Day Patches and Reveals Two New Bugs
• Feb. 1, 2024 - Warning: New Malware Emerges in Attacks Exploiting Ivanti VPN Vulnerabilities
• Jan. 31, 2024 - Ivanti security patches start to ship
• Jan. 31, 2024 - More Ivanti VPN Zero-Days Fuel Attack Frenzy as Patches Finally Roll
• Jan. 31, 2024 - Multiple Vulnerabilities in Ivanti Products Could Allow for Remote Code Execution
• Jan. 31, 2024 - After Delays, Ivanti Patches Zero-Days and Confirms New Exploit
• Jan. 31, 2024 - Ivanti releases patches for old and new VPN zero-days
• Jan. 31, 2024 - Ivanti warns of a new actively exploited zero-day
• Jan. 31, 2024 - CVE-2024-21888 & CVE-2024-21893: Ivanti Discloses Two Major Zero-Day Vulnerabilities
• Jan. 31, 2024 - Ivanti warns of new Connect Secure zero-day exploited in attacks
• Jan. 31, 2024 - Alert: Ivanti Discloses 2 New Zero-Day Flaws, One Under Active Exploitation

Back to top ↑

Apple — Multiple Products

CVE-2022-48618 / Added: Jan. 31, 2024

HIGH CVSS 7.80 EPSS Score 0.69 EPSS Percentile 78.14

Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an improper authentication vulnerability that allows an attacker with read and write capabilities to bypass Pointer Authentication.

Headlines

• Feb. 1, 2024 - Apple Patches Vision Pro Vulnerability as CISA Warns of iOS Flaw Exploitation
• Feb. 1, 2024 - CISA Warns of Active Exploitation of Critical Vulnerability in iOS, iPadOS, and macOS
• Jan. 31, 2024 - CISA adds Apple improper authentication bug to its Known Exploited Vulnerabilities catalog
• Jan. 31, 2024 - CISA warns of patched iPhone kernel bug now exploited in attacks

Back to top ↑

CVE-2024-21887

CRITICAL CVSS 9.10 EPSS Score 96.42 EPSS Percentile 99.48

CISA Known Exploited Remote Code Execution Public Exploits Available

Published: Jan. 12, 2024

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Vendor Impacted: Ivanti

Products Impacted: Connect Secure And Policy Secure, Connect Secure, Policy Secure

Quotes

• Disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks
• In addition to UNC5221, we acknowledge the possibility that one or more related groups may be associated with the activity
• CHAINLINE is a Python web shell backdoor that is embedded in a Ivanti Connect Secure Python package that enables arbitrary command execution
• Both Havoc and Mythic have also become relatively popular but are still observed in far lower numbers than Cobalt Strike, Meterpreter, or Viper
• Sliver 11 is an open-source adversary simulation tool that is gaining popularity among threat actors, since it provides a practical command-and-control framework
• As part of our ongoing investigation into CVE-2023-46805 and CVE-2024-21887 we have identified additional vulnerabilities in Ivanti Connect Secure Ivanti Policy Secure, and Ivanti Neurons for ZTA
• If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system
• We are reporting these vulnerabilities in this knowledge base article as it is resolved in the patch detailed below. We have also provided new mitigation for supported versions where the patch has not been released
• As part of our ongoing investigation into the vulnerabilities reported on 10 January in Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways, we have discovered new vulnerabilities. These vulnerabilities impact all supported versions – Version 9.x and 22.x
• Additionally, Linux-based tools identified in incident response investigations use code from multiple Chinese-language Github repositories. As noted in our previous blog post, UNC5221 has largely leveraged TTPs associated with zero-day exploitation of edge infrastructure by suspected PRC nexus actors
• Agencies running affected Ivanti Connect Secure or Ivanti Policy Secure products are required to immediately perform the following tasks: As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks
• CVE-2024-21888 allows for privilege escalation and CVE-2024-21893 is a server-side request forgery in the SAML component which allows a threat actor to access certain restricted resources without authentication. We have no evidence of customers being impacted by CVE-2024-21888 at this time, and we are aware of a limited number of customers impacted by CVE-2024-21887

Headlines

• Feb. 1, 2024 - CISA Orders Ivanti VPN Appliances Disconnected: What to Do
• Feb. 1, 2024 - CISA orders federal agencies to disconnect Ivanti VPN instances by February 2
• Feb. 1, 2024 - CISA orders federal agencies to disconnect Ivanti VPN appliances by Saturday
• Feb. 1, 2024 - Multiple malware used in attacks exploiting Ivanti VPN flaws
• Feb. 1, 2024 - Ivanti Releases Zero-Day Patches and Reveals Two New Bugs
• Feb. 1, 2024 - Warning: New Malware Emerges in Attacks Exploiting Ivanti VPN Vulnerabilities
• Jan. 31, 2024 - Ivanti security patches start to ship
• Jan. 31, 2024 - More Ivanti VPN Zero-Days Fuel Attack Frenzy as Patches Finally Roll
• Jan. 31, 2024 - Multiple Vulnerabilities in Ivanti Products Could Allow for Remote Code Execution
• Jan. 31, 2024 - After Delays, Ivanti Patches Zero-Days and Confirms New Exploit
• Jan. 31, 2024 - Ivanti warns of a new actively exploited zero-day
• Jan. 31, 2024 - CVE-2024-21888 & CVE-2024-21893: Ivanti Discloses Two Major Zero-Day Vulnerabilities
• Jan. 31, 2024 - Ivanti warns of new Connect Secure zero-day exploited in attacks
• Jan. 31, 2024 - Alert: Ivanti Discloses 2 New Zero-Day Flaws, One Under Active Exploitation
• Jan. 31, 2024 - Threat actors exploit Ivanti VPN bugs to deploy KrustyLoader Malware
• Jan. 31, 2024 - Chinese Hackers Exploiting VPN Flaws to Deploy KrustyLoader Malware
• Jan. 30, 2024 - Ivanti Zero-Day Patches Delayed as 'KrustyLoader' Attacks Mount
• Jan. 30, 2024 - Rust Payloads Exploiting Ivanti 0-Days Linked to Sliver Toolkit
• Jan. 30, 2024 - New Mitigations to Defend Against Exploitation of Ivanti Connect Secure and Policy Secure Gateways | CISA
• Jan. 30, 2024 - Updated: New Software Updates and Mitigations to Defend Against Exploitation of Ivanti Connect Secure and Policy Secure Gateways | CISA

CVE-2024-21888

HIGH CVSS 8.80

Risk Context N/A

Published: Jan. 31, 2024

A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.

Vendor Impacted: Ivanti

Products Impacted: Connect Secure, Policy Secure

Quotes

• Out of an abundance of caution
• In addition to UNC5221, we acknowledge the possibility that one or more related groups may be associated with the activity
• CHAINLINE is a Python web shell backdoor that is embedded in a Ivanti Connect Secure Python package that enables arbitrary command execution
• We are reporting these vulnerabilities in this knowledge base article as it is resolved in the patch detailed below. We have also provided new mitigation for supported versions where the patch has not been released
• As part of our ongoing investigation into the vulnerabilities reported on 10 January in Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways, we have discovered new vulnerabilities. These vulnerabilities impact all supported versions – Version 9.x and 22.x
• Additionally, Linux-based tools identified in incident response investigations use code from multiple Chinese-language Github repositories. As noted in our previous blog post, UNC5221 has largely leveraged TTPs associated with zero-day exploitation of edge infrastructure by suspected PRC nexus actors
• Agencies running affected Ivanti Connect Secure or Ivanti Policy Secure products are required to immediately perform the following tasks: As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks
• CVE-2024-21888 allows for privilege escalation and CVE-2024-21893 is a server-side request forgery in the SAML component which allows a threat actor to access certain restricted resources without authentication. We have no evidence of customers being impacted by CVE-2024-21888 at this time, and we are aware of a limited number of customers impacted by CVE-2024-21887

Headlines

• Feb. 1, 2024 - CISA Orders Ivanti VPN Appliances Disconnected: What to Do
• Feb. 1, 2024 - CISA orders federal agencies to disconnect Ivanti VPN instances by February 2
• Feb. 1, 2024 - Multiple malware used in attacks exploiting Ivanti VPN flaws
• Feb. 1, 2024 - Ivanti Releases Zero-Day Patches and Reveals Two New Bugs
• Feb. 1, 2024 - Warning: New Malware Emerges in Attacks Exploiting Ivanti VPN Vulnerabilities
• Jan. 31, 2024 - Ivanti security patches start to ship
• Jan. 31, 2024 - More Ivanti VPN Zero-Days Fuel Attack Frenzy as Patches Finally Roll
• Jan. 31, 2024 - After Delays, Ivanti Patches Zero-Days and Confirms New Exploit
• Jan. 31, 2024 - Ivanti releases patches for old and new VPN zero-days
• Jan. 31, 2024 - Ivanti warns of a new actively exploited zero-day
• Jan. 31, 2024 - CVE-2024-21888 & CVE-2024-21893: Ivanti Discloses Two Major Zero-Day Vulnerabilities
• Jan. 31, 2024 - Ivanti warns of new Connect Secure zero-day exploited in attacks
• Jan. 31, 2024 - Alert: Ivanti Discloses 2 New Zero-Day Flaws, One Under Active Exploitation

CVE-2024-23222

HIGH CVSS 8.80 EPSS Score 0.18 EPSS Percentile 55.21

CISA Known Exploited Actively Exploited

Published: Jan. 23, 2024

A type confusion issue was addressed with improved checks. This issue is fixed in tvOS 17.3, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, Safari 17.3, macOS Ventura 13.6.4, macOS Monterey 12.7.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited.

Vendor Impacted: Apple

Products Impacted: Iphone Os, Macos, Multiple Products, Tvos, Safari, Ipados

Quotes

• An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication
• Will almost certainly increase the volume and heighten the impact of cyberattacks over the next two years
• Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited
• Most frameworks available in iPadOS and iOS are also included in visionOS, which means nearly all iPad and iPhone apps can run on visionOS, unmodified
• The SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent 'SIM swap' attack

Headlines

• Feb. 1, 2024 - Apple Patches Vision Pro Vulnerability as CISA Warns of iOS Flaw Exploitation
• Feb. 1, 2024 - CISA Warns of Active Exploitation of Critical Vulnerability in iOS, iPadOS, and macOS
• Feb. 1, 2024 - CVE-2024-23222: Apple fixes zero-day vulnerability exploited in Apple Vision Pro
• Jan. 31, 2024 - CISA warns of patched iPhone kernel bug now exploited in attacks
• Jan. 31, 2024 - Apple and Google Just Patched Their First Zero-Day Flaws of the Year
• Jan. 29, 2024 - Tesla hackers win big at first Pwn2Own automotive hack fest
• Jan. 28, 2024 - Week in review: 15 million Trello users’ scraped data on sale, attackers can steal NTLM hashes

CVE-2024-23898

HIGH CVSS 8.80 EPSS Score 0.09 EPSS Percentile 38.41

Risk Context N/A

Published: Jan. 24, 2024

Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller.

Vendor Impacted: Jenkins

Product Impacted: Jenkins

Quotes

• This vulnerability stems from the use of the args4j library for parsing command arguments and options on the Jenkins controller
• Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it

Headlines

• Jan. 31, 2024 - ACSC presses enterprises to patch Jenkins
• Jan. 29, 2024 - Multiple Vulnerabilities in Jenkins Could Allow for Remote Code Execution
• Jan. 29, 2024 - Critical Jenkins RCE flaw exploited in the wild. Patch now! (CVE-2024-23897)
• Jan. 29, 2024 - CI/CD at Risk as Exploits Released For Critical Jenkins Bug
• Jan. 28, 2024 - Exploits released for critical Jenkins RCE flaw, patch now

CVE-2024-23651

HIGH CVSS 8.70

Remote Code Execution

Published: Jan. 31, 2024

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include, avoiding using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.

Quotes

• Several exploit methods which allow for full container breakouts
• Since this vulnerability affects anybody using containers to build applications — essentially every cloud-native developer worldwide — unchecked access could potentially compromise entire Docker or Kubernetes host systems
• These container escapes could allow an attacker to gain unauthorized access to the underlying host operating system from within the container and potentially permit access to sensitive data (credentials, customer info, etc.), and launch further attacks, especially when the access gained includes superuser privileges

Headlines

• Feb. 1, 2024 - Moby and Open Container Initiative Release Critical Updates for Multiple Vulnerabilities Affecting Docker-related Components | CISA
• Feb. 1, 2024 - CVE-2024-21626: Docker Confronts Critical Container Escape Threat
• Feb. 1, 2024 - Containers inherit breakout bugs in Linux tools
• Jan. 31, 2024 - 'Leaky Vessels' Cloud Bugs Allow Container Escapes Globally
• Jan. 31, 2024 - RunC Flaws Enable Container Escapes, Granting Attackers Host Access

CVE-2024-21626

HIGH CVSS 8.60

Remote Code Execution Public Exploits Available

Published: Jan. 31, 2024

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.

Quotes

• Getting started with AWS Fargate using Amazon EKS
• Several exploit methods which allow for full container breakouts
• Since this vulnerability affects anybody using containers to build applications — essentially every cloud-native developer worldwide — unchecked access could potentially compromise entire Docker or Kubernetes host systems
• These container escapes could allow an attacker to gain unauthorized access to the underlying host operating system from within the container and potentially permit access to sensitive data (credentials, customer info, etc.), and launch further attacks, especially when the access gained includes superuser privileges
• These vulnerabilities can only be exploited if a user actively engages with malicious content by incorporating it into the build process or running a container from a suspect image (particularly relevant for the CVE-2024-21626 container escape vulnerability). Potential impacts include unauthorized access to the host filesystem, compromising the integrity of the build cache, and, in the case of CVE-2024-21626, a scenario that could lead to full container escape

Headlines

• Feb. 1, 2024 - Moby and Open Container Initiative Release Critical Updates for Multiple Vulnerabilities Affecting Docker-related Components | CISA
• Feb. 1, 2024 - CVE-2024-21626: Docker Confronts Critical Container Escape Threat
• Feb. 1, 2024 - Containers inherit breakout bugs in Linux tools
• Jan. 31, 2024 - 'Leaky Vessels' Cloud Bugs Allow Container Escapes Globally
• Jan. 31, 2024 - CVE-2024-21626 - Runc container issue
• Jan. 31, 2024 - RunC Flaws Enable Container Escapes, Granting Attackers Host Access

CVE-2023-46805

HIGH CVSS 8.20 EPSS Score 93.05 EPSS Percentile 98.87

CISA Known Exploited Remote Code Execution Public Exploits Available

Published: Jan. 12, 2024

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Vendor Impacted: Ivanti

Products Impacted: Connect Secure And Policy Secure, Connect Secure, Policy Secure

Quotes

• Disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks
• In addition to UNC5221, we acknowledge the possibility that one or more related groups may be associated with the activity
• CHAINLINE is a Python web shell backdoor that is embedded in a Ivanti Connect Secure Python package that enables arbitrary command execution
• Both Havoc and Mythic have also become relatively popular but are still observed in far lower numbers than Cobalt Strike, Meterpreter, or Viper
• Sliver 11 is an open-source adversary simulation tool that is gaining popularity among threat actors, since it provides a practical command-and-control framework
• As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks
• As part of our ongoing investigation into CVE-2023-46805 and CVE-2024-21887 we have identified additional vulnerabilities in Ivanti Connect Secure Ivanti Policy Secure, and Ivanti Neurons for ZTA
• If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system
• We are reporting these vulnerabilities in this knowledge base article as it is resolved in the patch detailed below. We have also provided new mitigation for supported versions where the patch has not been released
• As part of our ongoing investigation into the vulnerabilities reported on 10 January in Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways, we have discovered new vulnerabilities. These vulnerabilities impact all supported versions – Version 9.x and 22.x
• Additionally, Linux-based tools identified in incident response investigations use code from multiple Chinese-language Github repositories. As noted in our previous blog post, UNC5221 has largely leveraged TTPs associated with zero-day exploitation of edge infrastructure by suspected PRC nexus actors

Headlines

• Feb. 1, 2024 - CISA orders federal agencies to disconnect Ivanti VPN instances by February 2
• Feb. 1, 2024 - CISA orders federal agencies to disconnect Ivanti VPN appliances by Saturday
• Feb. 1, 2024 - Multiple malware used in attacks exploiting Ivanti VPN flaws
• Feb. 1, 2024 - Ivanti Releases Zero-Day Patches and Reveals Two New Bugs
• Feb. 1, 2024 - Warning: New Malware Emerges in Attacks Exploiting Ivanti VPN Vulnerabilities
• Jan. 31, 2024 - Ivanti security patches start to ship
• Jan. 31, 2024 - More Ivanti VPN Zero-Days Fuel Attack Frenzy as Patches Finally Roll
• Jan. 31, 2024 - Multiple Vulnerabilities in Ivanti Products Could Allow for Remote Code Execution
• Jan. 31, 2024 - After Delays, Ivanti Patches Zero-Days and Confirms New Exploit
• Jan. 31, 2024 - Ivanti warns of a new actively exploited zero-day
• Jan. 31, 2024 - CVE-2024-21888 & CVE-2024-21893: Ivanti Discloses Two Major Zero-Day Vulnerabilities
• Jan. 31, 2024 - Ivanti warns of new Connect Secure zero-day exploited in attacks
• Jan. 31, 2024 - Alert: Ivanti Discloses 2 New Zero-Day Flaws, One Under Active Exploitation
• Jan. 31, 2024 - Threat actors exploit Ivanti VPN bugs to deploy KrustyLoader Malware
• Jan. 31, 2024 - Chinese Hackers Exploiting VPN Flaws to Deploy KrustyLoader Malware
• Jan. 30, 2024 - Ivanti Zero-Day Patches Delayed as 'KrustyLoader' Attacks Mount
• Jan. 30, 2024 - Updated: New Software Updates and Mitigations to Defend Against Exploitation of Ivanti Connect Secure and Policy Secure Gateways | CISA
• Jan. 30, 2024 - New Mitigations to Defend Against Exploitation of Ivanti Connect Secure and Policy Secure Gateways | CISA
• Jan. 28, 2024 - Cybersecurity Alert: Unseen WIREFIRE Web Shell Variant in ICS VPN Appliances

CVE-2024-21893

HIGH CVSS 8.20

CISA Known Exploited Remote Code Execution

Published: Jan. 31, 2024

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

Vendor Impacted: Ivanti

Products Impacted: Neurons For Zero-Trust Access, Connect Secure, Policy Secure, And Neurons, Connect Secure, Policy Secure

Quotes

• Out of an abundance of caution
• The exploitation of CVE-2024-21893 appears to be targeted
• Disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks
• In addition to UNC5221, we acknowledge the possibility that one or more related groups may be associated with the activity
• CHAINLINE is a Python web shell backdoor that is embedded in a Ivanti Connect Secure Python package that enables arbitrary command execution
• We are reporting these vulnerabilities in this knowledge base article as it is resolved in the patch detailed below. We have also provided new mitigation for supported versions where the patch has not been released
• As part of our ongoing investigation into the vulnerabilities reported on 10 January in Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways, we have discovered new vulnerabilities. These vulnerabilities impact all supported versions – Version 9.x and 22.x
• Additionally, Linux-based tools identified in incident response investigations use code from multiple Chinese-language Github repositories. As noted in our previous blog post, UNC5221 has largely leveraged TTPs associated with zero-day exploitation of edge infrastructure by suspected PRC nexus actors
• At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted. Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public – similar to what we observed on 11 January following the 10 January disclosure
• Agencies running affected Ivanti Connect Secure or Ivanti Policy Secure products are required to immediately perform the following tasks: As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks
• CVE-2024-21888 allows for privilege escalation and CVE-2024-21893 is a server-side request forgery in the SAML component which allows a threat actor to access certain restricted resources without authentication. We have no evidence of customers being impacted by CVE-2024-21888 at this time, and we are aware of a limited number of customers impacted by CVE-2024-21887

Headlines

• Feb. 1, 2024 - CISA Orders Ivanti VPN Appliances Disconnected: What to Do
• Feb. 1, 2024 - CISA orders federal agencies to disconnect Ivanti VPN instances by February 2
• Feb. 1, 2024 - CISA orders federal agencies to disconnect Ivanti VPN appliances by Saturday
• Feb. 1, 2024 - Multiple malware used in attacks exploiting Ivanti VPN flaws
• Feb. 1, 2024 - Ivanti Releases Zero-Day Patches and Reveals Two New Bugs
• Feb. 1, 2024 - Warning: New Malware Emerges in Attacks Exploiting Ivanti VPN Vulnerabilities
• Jan. 31, 2024 - Ivanti security patches start to ship
• Jan. 31, 2024 - More Ivanti VPN Zero-Days Fuel Attack Frenzy as Patches Finally Roll
• Jan. 31, 2024 - Multiple Vulnerabilities in Ivanti Products Could Allow for Remote Code Execution
• Jan. 31, 2024 - After Delays, Ivanti Patches Zero-Days and Confirms New Exploit
• Jan. 31, 2024 - Ivanti releases patches for old and new VPN zero-days
• Jan. 31, 2024 - Ivanti warns of a new actively exploited zero-day
• Jan. 31, 2024 - CVE-2024-21888 & CVE-2024-21893: Ivanti Discloses Two Major Zero-Day Vulnerabilities
• Jan. 31, 2024 - Ivanti warns of new Connect Secure zero-day exploited in attacks
• Jan. 31, 2024 - Alert: Ivanti Discloses 2 New Zero-Day Flaws, One Under Active Exploitation

CVE-2023-6246

HIGH CVSS 7.80

Remote Code Execution

Published: Jan. 31, 2024

A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.

Vendors Impacted: Fedoraproject, Gnu

Products Impacted: Fedora, Glibc

Quotes

• This flaw allows local privilege escalation, enabling an unprivileged user to gain full root access
• We discovered a heap-based buffer overflow in the GNU C Library’s __vsyslog_internal() function, which is called by both syslog() and vsyslog()
• Although the vulnerability requires specific conditions to be exploited (such as an unusually long argv[0] or openlog() ident argument), its impact is significant due to the widespread use of the affected library
• The buffer overflow issue poses a significant threat as it could allow local privilege escalation, enabling an unprivileged user to gain full root access through crafted inputs to applications that employ these logging functions

Headlines

• Feb. 1, 2024 - Glibc library vulnerability published
• Jan. 31, 2024 - GNU C Library Vulnerability Leads to Full Root Access
• Jan. 31, 2024 - New Glibc Flaw Grants Attackers Root Access on Major Linux Distros
• Jan. 31, 2024 - Root Access Risk: CVE-2023-6246 Exposes Critical Flaw in Linux's glibc
• Jan. 30, 2024 - New Linux glibc flaw lets attackers get root on major distros
• Jan. 30, 2024 - Root access vulnerability in glibc library impacts many Linux distros

CVE-2024-23897

HIGH CVSS 7.50 EPSS Score 11.94 EPSS Percentile 94.86

Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 24, 2024

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

Vendor Impacted: Jenkins

Product Impacted: Jenkins

Quotes

• This vulnerability stems from the use of the args4j library for parsing command arguments and options on the Jenkins controller
• This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process
• As of publication of this advisory, the Jenkins security team has found ways to read the first three lines of files in recent releases of Jenkins without having any plugins installed, and has not identified any plugins that would increase this line count
• We host hundreds of honeypots across the globe and we have sniffed connections conducting the CVE-2024-23897 attacks against Jenkins instances supporting anonymous access since 1/25. We have confirmed the in-the-wild exploitation and extracted the exploit from the attack
• Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it

Headlines

• Jan. 31, 2024 - 45,000 Exposed Jenkins Instances Found Amid Reports of In-the-Wild Exploitation
• Jan. 31, 2024 - ACSC presses enterprises to patch Jenkins
• Jan. 30, 2024 - 45,000 Jenkins servers remain vulnerable to RCE attacks
• Jan. 29, 2024 - PoC Exploits Heighten Risks Around Critical New Jenkins Vuln
• Jan. 29, 2024 - Multiple Vulnerabilities in Jenkins Could Allow for Remote Code Execution
• Jan. 29, 2024 - Critical Jenkins RCE flaw exploited in the wild. Patch now! (CVE-2024-23897)
• Jan. 29, 2024 - CI/CD at Risk as Exploits Released For Critical Jenkins Bug
• Jan. 28, 2024 - Multiple PoC exploits released for Jenkins flaw CVE-2024-23897
• Jan. 28, 2024 - Exploits released for critical Jenkins RCE flaw, patch now