
Researchers warn of exploitation of Ivanti zero-days

Both Ivanti Connect Secure and Ivanti Policy Secure gateways have been observed being actively exploited.

David Hollingworth
Fri, 12 Jan 2024

Researchers from Rapid7 and security firm Volexity are warning of active exploitation of a pair of vulnerabilities in Ivanti gateways.

Ivanti flagged the vulnerabilities on 11 January, pointing out that they were being exploited and providing a patching pathway. On the same day, the Australian Cyber Security Centre listed one vulnerability as critical, though both flaws – one in the Ivanti Connect Secure gateway and the other in the Ivanti Policy Secure gateway – are being exploited.

The number of affected devices varies depending on how you count: according to Rapid7, a Shodan scan for just the public-facing devices shows at least 7,000 machines, while scanning for the Ivanti welcome pages instead doubles that figure, at some cost to accuracy.


Regardless, it’s a significant figure. As to how threat actors are taking advantage of the flaws, Volexity has the goods.

“Volexity observed the attacker modifying legitimate ICS components and making changes to the system to evade the ICS Integrity Checker Tool,” the company’s researchers said in a blog post.

“Notably, Volexity observed the attacker backdooring a legitimate CGI file (compcheck.cgi) on the ICS VPN appliance to allow command execution. Further, the attacker also modified a JavaScript file used by the Web SSL VPN component of the device in order to keylog and exfiltrate credentials for users logging into it. The information and credentials collected by the attacker allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network.”

The two vulnerabilities are:

  • CVE-2023-46805, an authentication bypass vulnerability in earlier versions of Ivanti Connect Secure and Ivanti Policy Secure. This flaw lets a remote attacker bypass control checks and access restricted resources.
  • CVE-2024-21887, a command injection vulnerability in Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. Exploiting it lets an authenticated administrator send specially crafted requests and execute arbitrary commands on the device. This vulnerability can be exploited remotely via the internet.

“Rapid7 urges customers who use Ivanti Connect Secure or Policy Secure in their environments to take immediate steps to apply the workaround and look for indicators of compromise,” Rapid7 said in a blog post of its own.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
