More mass exploits hit the same buggy Ivanti devices

Trending 3 weeks ago

All mode of miscreants are piling onto nan latest Ivanti flaw, a server-side petition forgery (SSRF) vulnerability tracked arsenic CVE-2024-21893, according to threat hunters search nan drawstring of CVEs that person been plaguing nan package shop's gateways complete caller weeks.

Ivanti first disclosed nan newest bug successful nan SAML constituent of of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x)  appliances connected January 31. The vendor spotted nan flaw arsenic it was investigating and scrambling to patch, 2 different zero-day bugs; an authentication bypass vulnerability (CVE-2023-46805) and a communal injection flaw (CVE-2024-21887), that were besides nether attack.

"At nan clip of publication, nan exploitation of CVE-2024-21893 appears to beryllium targeted. Ivanti expects nan threat character to alteration their behaviour and we expect a crisp summation successful exploitation erstwhile this accusation is nationalist — akin to what we observed connected 11 January pursuing nan 10 January disclosure," Ivanti warned past week.

It turned retired that CVE-2024-21893 could beryllium abused to bypass nan mitigation for earlier flaws.

"The SSRF tin beryllium chained to CVE-2024-21887 for unauthenticated bid injection pinch guidelines privileges," Rapid7 main information interrogator Stephen Fewer Xeeted connected February 2. 

The information shop besides published a proof-of-concept (PoC) exploit for CVE-2024-21893 that aforesaid day.

And unsurprisingly, ShadowServer reported reverse ammunition attempts and different exploits soon after. "To date, complete 170 attacking IPs involved," according to nan UK authorities information org, which noted that it did spot exploitation anterior to nan Rapid7 PoC.

As of coming you tin besides way CVE-2024-21893 exploitation connected our Dashboard astatine products exploitation attempts by CVE complete clip (now includes CVE-2024-21893, statement tag added 2024-02-03):

— Shadowserver (@Shadowserver) February 4, 2024

There's now connection yet connected who is down nan newest Ivanti exploits, but nan earlier flaws were utilized by Chinese nation-state attackers to instal backdoors connected astatine slightest 1,700 devices,it's claimed.

When asked astir February attacks, an Ivanti spokesperson directed The Register to its earlier information alert. As of February 1, nan vendor had issued a spot addressing each known vulnerabilities for Ivanti Connect Secure type 22.5R2.2 and Ivanti Policy Secure 22.5R1.1.

  • Ivanti releases patches for VPN zero-days, discloses 2 much high-severity vulns
  • Ivanti zero-day exploits detonate arsenic bevy of attackers get successful connected nan act
  • Congress told really Chinese goons scheme to incite 'societal chaos' successful nan US
  • US shorts China's Volt Typhoon unit targeting America's criticals

According to ShadowServer, exploits targeting CVE-2024-21893 are quickly outpacing nan different antecedently reported Ivanti CVEs, and it has since added nan flaw to its exploitation dashboard.

Also past week, nan US Cybersecurity and Infrastructure Security agency issued its second emergency directive astir nan flawed Ivanti systems, requiring national agencies moving Ivanti Connect Secure aliases Ivanti Policy Secure to disconnect these products from agency networks by February 2. ®