Chinese Threat Actor Exploits Zero-Day Vulnerabilities in Ivanti Secure VPN to Compromise Systems

Ivanti Secure VPN, a widely used VPN solution, has recently been found to have two zero-day vulnerabilities. These vulnerabilities are currently being exploited by a Chinese threat actor known as UTA0178. By exploiting these vulnerabilities, attackers can remotely execute code without any authentication, potentially compromising affected systems.

Ivanti has published an official security advisory and knowledge base article detailing the zero-day vulnerabilities. The vulnerabilities, named CVE-2023-46805 and CVE-2024-21887, affect all supported versions of Ivanti Connect Secure (previously known as Pulse Connect Secure) and Ivanti Policy Secure Gateways.

CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure. It allows attackers to bypass control checks and access restricted resources.

CVE-2024-21887 is a command injection vulnerability in the web components of Ivanti Connect Secure and Ivanti Policy Secure. Authenticated administrators can send specially crafted requests to execute arbitrary commands on the appliance, posing a risk of exploitation via the internet.

Chained together, the two vulnerabilities let an unauthenticated attacker reach the command-injection flaw through the authentication bypass and so run arbitrary commands on affected appliances without valid credentials.

According to Patrice Auffret, the founder, CEO, and CTO of ONYPHE, a cyber defense search engine, there are approximately 29,664 Ivanti Secure VPN appliances connected to the internet. Of those exposed systems, over 40% are in the United States, followed by Japan (14.3%) and Germany (8.48%).

The vulnerabilities were discovered by U.S.-based cybersecurity company Volexity during an incident response investigation. The investigation revealed that the threat actor, UTA0178, had modified files on the Ivanti Connect Secure VPN appliance. Files such as “/tmp/rev,” “/tmp/s.py,” “/tmp/s.jar,” “/tmp/b,” and “/tmp/kill” were found. Additionally, a Python-based proxy utility known as PySoxy was discovered, believed to be the file “s.py.”

UTA0178 deployed webshells and modified files to steal credentials and access systems throughout the network. They collected newly harvested credentials, dumped a full image of the Active Directory database, and modified the JavaScript on the VPN appliance’s web login page to capture credentials. The stolen credentials were sent to an attacker-controlled domain.

The threat actor also deployed a custom webshell called GLASSTOKEN. There are two versions of GLASSTOKEN, with the first version allowing connection relaying and executing PowerShell commands. The second version only permits code execution.

For detection, the recommended measures are network traffic analysis, analysis of the VPN appliance's logs, and running an integrity checker tool against the appliance's files. Ivanti also provides a mitigation to apply until a full patch is available.
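The following is an added example, not code from the article, from Ivanti, or from Volexity, showing the idea behind the file-integrity check recommended above. It snapshots SHA-256 hashes of a file tree, re-hashes it later to report modified, added and removed files (which would catch the altered login-page JavaScript described earlier), and separately flags the /tmp artefact names Volexity reported. The appliance layout, the file path html/login.js, and the tampering in run_demo are constructed for the demo; the script is not Ivanti's integrity checker tool.

```python
"""Minimal file-integrity checker plus a check for the /tmp artefacts named in the
article. Example code only; paths below are constructed, not real appliance paths."""
import hashlib
import os
import tempfile

# Artefact paths reported by Volexity on the compromised appliance (from the article).
KNOWN_ARTEFACTS = {"/tmp/rev", "/tmp/s.py", "/tmp/s.jar", "/tmp/b", "/tmp/kill"}


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (POSIX-style path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def compare_manifests(baseline, current):
    """Report files whose hash changed, files that appeared, and files that vanished."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def find_known_artefacts(manifest):
    """Treat the manifest root as '/' and flag paths matching the reported artefacts."""
    return sorted("/" + rel for rel in manifest if "/" + rel in KNOWN_ARTEFACTS)


def run_demo():
    """Constructed scenario: baseline a fake appliance root, tamper with it, re-check."""
    root = tempfile.mkdtemp()

    def write(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(data)

    # Clean state (made-up files standing in for the appliance's web and system files).
    write("html/login.js", "// original login page script\n")
    write("bin/service", "#!/bin/sh\nexit 0\n")
    baseline = build_manifest(root)

    # Simulated tampering mirroring the article: altered login JavaScript and a
    # dropped proxy script in /tmp (placeholder content, not real tooling).
    write("html/login.js", "// original login page script\n// injected credential capture\n")
    write("tmp/s.py", "# placeholder standing in for the dropped proxy utility\n")
    current = build_manifest(root)

    report = compare_manifests(baseline, current)
    report["known_artefacts"] = find_known_artefacts(current)
    return report


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key}: {paths}")
```

In practice the baseline manifest would be taken from a known-good image or vendor-supplied hash list rather than from the possibly compromised appliance itself, and the comparison should be run from a separate, trusted host.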

It is important for organizations using Ivanti Secure VPN to follow Ivanti’s instructions and take appropriate measures to protect their systems.
