FortiNDRCloud
SaaS based NDR solution providing 365 days data retention, along with Technical Success Manager
kcheung
Staff
Article Id 303187
Description

Ivanti has announced several zero-day vulnerabilities that were being actively exploited.

CVE-2023-46805 is an authentication bypass in the web component of Ivanti Connect Secure (ICS) and Ivanti Policy Secure. It allows attackers to access restricted resources without authentication.

CVE-2024-21887 is a command injection in the web component of Ivanti Connect Secure (ICS) and Ivanti Policy Secure. Combined with CVE-2023-46805, it allows attackers to execute their payloads on the Ivanti product.

CVE-2024-21893 is a server-side request forgery in the SAML component of ICS, Ivanti Policy Secure, and Ivanti Neurons for ZTA. It allows attackers to access restricted resources without authentication.

CVE ID

CVE-2023-46805 (https://nvd.nist.gov/vuln/detail/CVE-2023-46805)

CVE-2024-21887 (https://nvd.nist.gov/vuln/detail/CVE-2024-21887)

CVE-2024-21893 (https://nvd.nist.gov/vuln/detail/CVE-2024-21893)
NDR Cloud Detection Rule

FortiNDR Cloud v2024.3+

Detection Rule Name | Category | Primary MITRE ID
--- | --- | ---
Fortinet Outbreak Alert: Ivanti Connect Secure VPN Exploitation Authentication Bypass CVE-2023-46805 | Attack: Exploitation | T1190 - Exploit Public-Facing Application
Fortinet Outbreak Alert: Ivanti Connect Secure VPN Exploitation Command Injection CVE-2024-21887 | Attack: Exploitation | T1190 - Exploit Public-Facing Application
Fortinet Outbreak Alert: Ivanti Connect Secure VPN Exploitation Server-Side Request Forgery (SSRF) CVE-2024-21893 | Attack: Exploitation | T1190 - Exploit Public-Facing Application

Playbook

N/A

Threat hunting

FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for activity related to the “Ivanti Connect Secure and Policy Secure Attack”.
IOC source: https://www.fortiguard.com/outbreak-ioc?tag=Ivanti%20Authentication%20Bypass

Suricata Coverage

Customers can create custom investigations or detections using the Suricata signatures below.
2050095 -> ET WEB_SPECIFIC_APPS Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt (CVE-2023-46805, CVE-2024-21887) M1

2050096 -> ET WEB_SPECIFIC_APPS Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt (CVE-2023-46805, CVE-2024-21887) M2

2050131 -> ET WEB_SPECIFIC_APPS Possible Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt (CVE-2023-46805, CVE-2024-21887) M1

2050280 -> ET WEB_SPECIFIC_APPS Possible Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt M2 (CVE-2023-46805, CVE-2024-21887)

2050700 -> ET EXPLOIT Ivanti Connect Secure (9.x,22.x) / Ivanti Policy Secure (9.x,22.x) / Ivanti Neurons for ZTA Command Injection via SSRF (CVE-2024-21887)

2050699 -> ET EXPLOIT Ivanti Connect Secure (9.x,22.x) / Ivanti Policy Secure (9.x,22.x) / Ivanti Neurons for ZTA SSRF Pattern (CVE-2024-21893)
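As an added example (not code from Fortinet or FortiNDR Cloud), the following Python script triages Suricata eve.json alert output for the signature IDs listed above and groups hits by source IP, tagging each with the CVE(s) the matching signature names cover. The SID-to-CVE mapping is taken from the signature names on this page; the eve.json sample lines are constructed for illustration.

```python
# Added example: triage Suricata eve.json alerts for the ET SIDs listed on
# this page and map each source IP to the CVE(s) those signatures cover.
import json
from collections import defaultdict

# SID -> CVE(s), taken from the signature names listed on this page.
IVANTI_SIDS = {
    2050095: ("CVE-2023-46805", "CVE-2024-21887"),
    2050096: ("CVE-2023-46805", "CVE-2024-21887"),
    2050131: ("CVE-2023-46805", "CVE-2024-21887"),
    2050280: ("CVE-2023-46805", "CVE-2024-21887"),
    2050700: ("CVE-2024-21887",),
    2050699: ("CVE-2024-21893",),
}

def triage_eve(lines):
    """Group Ivanti-related Suricata alerts by source IP.
    Returns {src_ip: {"sids": set, "cves": set, "targets": set}}; malformed
    lines and non-alert event types are skipped."""
    hits = defaultdict(lambda: {"sids": set(), "cves": set(), "targets": set()})
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue
        sid = ev.get("alert", {}).get("signature_id")
        if sid not in IVANTI_SIDS:
            continue  # unrelated signature, ignore
        src = ev.get("src_ip", "unknown")
        hits[src]["sids"].add(sid)
        hits[src]["cves"].update(IVANTI_SIDS[sid])
        hits[src]["targets"].add(f"{ev.get('dest_ip')}:{ev.get('dest_port')}")
    return dict(hits)

# Constructed eve.json lines (RFC 5737 test addresses), not real captures.
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","dest_port":443,"alert":{"signature_id":2050095}}',
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","dest_port":443,"alert":{"signature_id":2050699}}',
    '{"event_type":"alert","src_ip":"203.0.113.9","dest_ip":"192.0.2.10","dest_port":443,"alert":{"signature_id":2050700}}',
    '{"event_type":"alert","src_ip":"203.0.113.9","dest_ip":"192.0.2.10","dest_port":443,"alert":{"signature_id":2100498}}',
    '{"event_type":"flow","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","dest_port":443}',
    'not json at all',
]

if __name__ == "__main__":
    for src, info in triage_eve(SAMPLE_EVE).items():
        print(src, sorted(info["cves"]), sorted(info["sids"]), sorted(info["targets"]))
```

Point the script at a real eve.json (one JSON object per line) to list which sources triggered these signatures and which CVEs to investigate first.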

Other Fortinet Products

For more details regarding mitigating the vulnerability by utilizing Fortinet products, please refer to
https://www.fortiguard.com/outbreak-alert/ivanti-authentication-bypass
