Hackers exploit Ivanti SSRF flaw to deploy new DSLog backdoor


Hackers are exploiting a server-side request forgery (SSRF) vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy the new DSLog backdoor on vulnerable devices.

The vulnerability, tracked as CVE-2024-21893, was disclosed as an actively exploited zero-day on January 31, 2024, with Ivanti sharing security updates and mitigation advice.

The flaw impacts the SAML component of the mentioned products and allows attackers to bypass authentication and access restricted resources on Ivanti gateways running versions 9.x and 22.x.

The updates that fix the problem are Ivanti Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 and 22.5R2.2, Ivanti Policy Secure version 22.5R1.1, and ZTA version 22.6R1.3.

On February 5, 2024, threat monitoring service Shadowserver reported seeing multiple attackers attempting to leverage the flaw, some using proof-of-concept (PoC) exploits previously published by Rapid7, with the success rate being unknown at the time.

A new report by Orange Cyberdefense confirms the successful exploitation of CVE-2024-21893 to install a new backdoor named DSLog that allows the threat actors to execute commands on compromised Ivanti servers remotely.

Orange says they first spotted this new backdoor on February 3, 2024, after analyzing a compromised appliance that had implemented the Ivanti-proposed XML mitigation (blocking all API endpoints) but hadn't applied the patch.

The DSLog backdoor

By examining the compromised Ivanti device's logs, Orange researchers found that a backdoor had been injected into the appliance's code base by issuing SAML authentication requests containing encoded commands.

These commands executed operations like writing system information to a publicly accessible file (index2.txt), indicating that the attackers aimed to perform internal reconnaissance and confirm their root access.

Subsequent SAML requests showed attempts to secure read/write filesystem permissions on the breached device, detect modifications to a legitimate logging script (DSLog.pm), and inject the backdoor if the string indicating the modification is missing.

Backdoor injection into the DSLog file (Orange)

The backdoor is inserted into the DSLog file, which is responsible for logging various types of authenticated web requests and system logs.

The attackers employed a unique SHA256 hash per appliance as an API key, requiring this hash in the HTTP User-Agent header for command execution. Orange explains that no hash can be used to contact the same backdoor on a different device.

The backdoor's main functionality is to execute commands as root. Orange says the DSLog backdoor can run "any commands" on the breached device received via HTTP requests from the attackers, with the command included in a query parameter named 'cdi.'

The HTTP requests carry the specific SHA256 hash that matches the contacted device, which doubles as a key to authenticate the request to the backdoor.

The researchers note that because the webshell does not return a status or response code when it is contacted, it is particularly stealthy.

Orange was also unable to determine the method used for the SHA256 hash calculation and noted that '.access' logs were wiped on multiple compromised appliances to hide the attackers' activities.

Despite that, the researchers uncovered about 700 compromised Ivanti servers by looking at other artifacts, such as the 'index' text files in the 'hxxp://{ip}/dana-na/imgs/' directory.
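As an added defender's example (not code from Orange's report or from Ivanti), the following Python scans web access log lines for the request pattern described above (a 'cdi' query parameter and a bare SHA256-shaped User-Agent) and for fetches of the 'index' text artifacts under /dana-na/imgs/. The log layout, sample lines and placeholder key are constructed assumptions, and since the report does not name the endpoint the backdoor hooks, the request path in the sample is made up as well.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed combined-log layout (the appliance's own format may differ):
# ip ident user [time] "METHOD url proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# The report describes a per-appliance SHA256 hash sent bare in the User-Agent header.
SHA256_UA_RE = re.compile(r'^[0-9a-fA-F]{64}$')
# Reconnaissance output landed in 'index' text files under /dana-na/imgs/.
INDEX_TXT_RE = re.compile(r'^/dana-na/imgs/index\w*\.txt$')

def find_dslog_indicators(lines):
    """Return (ip, url, reasons) for each log line matching a DSLog-related pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a production job should count and report these
        parts = urlsplit(m.group("url"))
        reasons = []
        if "cdi" in parse_qs(parts.query):
            reasons.append("cdi query parameter")
        if SHA256_UA_RE.match(m.group("ua")):
            reasons.append("sha256-shaped User-Agent")
        if INDEX_TXT_RE.match(parts.path):
            reasons.append("index txt artifact under /dana-na/imgs/")
        if reasons:
            hits.append((m.group("ip"), m.group("url"), reasons))
    return hits

# Constructed sample lines; FAKE_KEY is a placeholder, not a real per-appliance hash,
# and the welcome.cgi path is assumed, since the report does not name the hooked endpoint.
FAKE_KEY = "0123456789abcdef" * 4
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Feb/2024:09:00:12 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Feb/2024:09:01:44 +0000] "GET /dana-na/imgs/index2.txt HTTP/1.1" 200 88 "-" "curl/8.4.0"',
    '203.0.113.5 - - [03/Feb/2024:09:02:10 +0000] "GET /dana-na/auth/url_default/welcome.cgi?cdi=id HTTP/1.1" 200 0 "-" "' + FAKE_KEY + '"',
]

if __name__ == "__main__":
    for ip, url, reasons in find_dslog_indicators(SAMPLE_LOG):
        print(ip, url, "->", "; ".join(reasons))
```

Because the report notes that '.access' logs were wiped on several appliances, this kind of check is only useful over logs already forwarded to a central collector, not over the appliance's local copy.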

Timeline of DSLog's backdoor discovery (Orange)

Roughly 20% of these endpoints were already affected by earlier campaigns, while others were vulnerable only due to the lack of further patches or mitigations.

It is recommended to follow the latest recommendations by Ivanti to mitigate all threats targeting the vendor's products that leverage this SSRF or any of the other recently disclosed vulnerabilities impacting Ivanti devices.