FortiDAST performs automated black-box dynamic application security testing of web applications to identify vulnerabilities that bad actors may exploit.
This outbreak alert on Ivanti Connect Secure and Ivanti Policy Secure covers two vulnerability that is CVE-2024-21893 and CVE-2024-22024.
CVE-2024-21893 is a high-severity server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA. It allows an attacker to access certain restricted resources without authentication.
CVE-2024-22024 is a high-severity XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.
This article describes the assessment of SSRF and XXE vulnerability in Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA software.
Scope
FortiDAST Scripting Engine updated in version 24.3.0-build0014(GA)
Solution
Detection against that vulnerability is empowered by the FortiDAST Scripting Engine (FSE).
This technology enables FortiDAST to assess remotely with a high level of confidence if an asset is vulnerable to a specific vulnerability by testing the disarmed exploit against the asset itself.
To configure the scan, it will be necessary to enable the FSE group signature 'ivanti' which will select the underlying scripts as per the scan requirement: 'CVE-2024-21893 Ivanti SSRF Vulnerability' and 'CVE-2024-22024 Ivanti XXE Vulnerability.'
For reference, a step-by-step guide on how to configure FortiDAST to trigger FSE can be found on Fortinet’s blog:
