
February 13, 2024

Continued exploitation of Ivanti gateways introduces new ‘DSLog’ backdoor


In addition to the continued exploitation of CVE-2024-21893, a server-side request forgery (SSRF) vulnerability in unpatched Ivanti Connect Secure and Policy Secure gateways, threat actors are now exploiting the same vulnerability in Ivanti’s ZTA gateways to deploy a new backdoor called ‘DSLog’. DSLog’s main purpose is to execute commands via HTTP requests sent by the threat actor. It uses a unique SHA256 hash as an API key, which must be included in the HTTP User-Agent header of the command execution request. Because the hash is unique to each backdoor, a key recovered from one compromised device cannot be used to communicate with the DSLog backdoor on another.
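Because the backdoor expects its per-device key in the User-Agent header, a cheap hunting check on a gateway’s (or an upstream proxy’s) web access logs is to flag requests whose User-Agent is nothing but a 64-character hex string. The script below is an added example written for this article, not code from Field Effect or Ivanti; the combined-format log lines, the request paths and the 64-hex value in them are constructed for the demonstration and are not a real DSLog key or indicator.

```python
"""Flag access-log entries whose User-Agent is a bare SHA-256-style hex string,
the shape of the per-device API key the DSLog backdoor expects.

Added example (not Field Effect's or Ivanti's code). The log lines, paths and
hex value below are constructed; a real DSLog key is unique per compromised
device and is not reproduced here.
"""
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# Apache/nginx "combined" log format:
# client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Exactly 64 hexadecimal characters and nothing else (a SHA-256 digest in hex).
SHA256_HEX_RE = re.compile(r'^[0-9a-fA-F]{64}$')

# Constructed sample: two ordinary browser requests, two requests carrying a
# made-up 64-hex User-Agent (once lower-case, once upper-case), one junk line.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Feb/2024:10:01:02 +0000] "GET /welcome HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
203.0.113.10 - - [13/Feb/2024:10:01:03 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
198.51.100.7 - - [13/Feb/2024:10:02:41 +0000] "GET /example/page HTTP/1.1" 200 43 "-" "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
not a well-formed log line
198.51.100.7 - - [13/Feb/2024:10:02:42 +0000] "POST /example/page HTTP/1.1" 200 12 "-" "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
"""


class Finding(NamedTuple):
    ip: str
    ts: str
    request: str
    user_agent: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one combined-format line, or None when the
    line does not match (blank, truncated or otherwise malformed entries)."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_sha256_like(user_agent: str) -> bool:
    """True when the whole User-Agent value is a 64-character hex string."""
    return SHA256_HEX_RE.match(user_agent) is not None


def find_suspicious(log_text: str) -> List[Finding]:
    """Return every parseable entry whose User-Agent looks like a bare
    SHA-256 hex digest; malformed lines are skipped, not raised on."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        if is_sha256_like(fields["ua"]):
            findings.append(Finding(fields["ip"], fields["ts"], fields["req"], fields["ua"]))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count hits per (client IP, key). The key is lower-cased because a hex
    digest may be logged in either case and should be treated as the same key."""
    return Counter((f.ip, f.user_agent.lower()) for f in findings)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.ip} {f.request!r} ua={f.user_agent[:12]}...")
    for (ip, key), n in summarize(hits).items():
        print(f"{ip} presented key {key[:12]}... {n} time(s)")
```

A bare 64-hex User-Agent is not something legitimate browsers or management tooling send, so a hit is worth an immediate look, but it is a heuristic rather than proof: confirm it against the other artifacts mentioned in the article (the 'index' files and the device’s patch level) before declaring the gateway compromised.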

Out of approximately 22,500 Ivanti gateways deployed worldwide, security researchers believe nearly 700 are compromised, based on the observation of other artifacts associated with DSLog, such as the presence of 'index' text files in certain directories. It’s believed that multiple threat actors are targeting the vulnerable, unpatched devices, some of them using previously published proof-of-concept exploit code.

CVE-2024-21893 impacts the Security Assertion Markup Language (SAML) component on Ivanti gateways running versions 9.x and 22.x and allows threat actors to bypass authentication and access restricted resources. Ivanti released patches to address the flaw in Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 and 22.5R2.2, Ivanti Policy Secure version 22.5R1.1, and ZTA version 22.6R1.3.

Source: Bleeping Computer

Analysis

Given their interest in compromising edge devices and gateways, it’s not surprising multiple threat actors have continued to target vulnerable Ivanti gateways. Additionally, the delayed development and release of effective mitigations and patches, coupled with the public release of exploit code, has no doubt been a contributing factor to the flaw’s popularity.

Until Ivanti gets ahead of these issues, it’s likely that threat actors will find more vulnerabilities in these gateways as they continue to look for ways to maximize the efficiency, persistence, and impact of their current exploits.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in appliances like Ivanti gateways. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerabilities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Covalence portal.

Field Effect strongly encourages users of Ivanti Connect Secure and Policy Secure gateways to update affected versions with the latest security patch as soon as possible. Additionally, users of legacy Pulse Secure and MobileIron appliances, both vendors purchased by Ivanti in 2020, should update to the latest secure version of the equivalent Ivanti appliance so that critical warnings and updates aren’t mistakenly ignored.

Citing the active exploitation of multiple critical zero-day vulnerabilities, the lack of effective mitigations, and the lack of security updates for some of the impacted product versions, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) took the unusual step of ordering federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances. Organizations that wish to maintain a high level of cyber security and have other options for performing the tasks normally handled by Ivanti gateways may also wish to heed CISA’s directive.
