by George Glass
Note: These vulnerabilities remain under active exploitation, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.
Two zero-day vulnerabilities have been discovered in Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, and Ivanti Policy Secure gateways. Tracked as CVE-2024-21887 and CVE-2023-46805, these vulnerabilities have CVSS scores of 9.1 and 8.2 respectively and are actively being exploited in the wild. All supported versions, including versions 9.x and 22.x, are impacted.
Within its advisory, Ivanti states that if both vulnerabilities are leveraged in conjunction with each other, exploitation would not require authentication and could enable the execution of arbitrary commands.
CVE-2024-21887 is a command injection vulnerability in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. It could allow an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. It could allow a remote attacker to access restricted resources by bypassing control checks.
Ivanti recommends that affected customers “immediately take action to ensure you are fully protected.”
On January 10, 2024, Volexity reported active exploitation of these vulnerabilities, which allowed for unauthenticated remote code execution against vulnerable devices. The two vulnerabilities were combined into an attack chain that the threat actor then leveraged to steal configuration data, modify files, download remote files and create a reverse tunnel from the device. These findings further increase the urgency of carrying out the recommendations listed below.
If a vulnerable device is identified within your environment, it is recommended to conduct threat hunting against known activity surrounding the exploitation of this attack chain. The following have been noted as actions that can be carried out to detect potential suspicious activity surrounding this threat:
Note: Ivanti released an additional security advisory following an investigation into vulnerabilities reported on January 10, 2024. Two vulnerabilities have been identified in Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA. The vulnerabilities identified are being tracked as CVE-2024-21888, which carries a CVSS Score of 8.8, and CVE-2024-21893, which carries a CVSS score of 8.2.
CVE-2024-21888 is a privilege escalation vulnerability that has been discovered in the web component of Ivanti Connect Secure and Ivanti Policy Secure. This vulnerability impacts versions 9.x and versions 22.x. Exploiting this vulnerability successfully enables a user to elevate their privileges to those of an administrator.
A server-side request forgery vulnerability, tracked as CVE-2024-21893, has been uncovered in the SAML component of Ivanti Connect Secure and Ivanti Policy Secure. This vulnerability impacts versions 9.x and 22.x. The same vulnerability has also been identified in Ivanti Neurons for ZTA. Successful exploitation allows an attacker to access certain restricted resources without authentication.
In their advisory, Ivanti further mentions that CVE-2024-21893 has been exploited in the wild and appears to have been targeted by threat actors. Ivanti expects the threat actors will "change their behavior" and that there will be "a sharp increase in exploitation once this information is public."
For those unable to install patches immediately, Ivanti released a workaround to mitigate the vulnerability until patches can be installed. The vulnerability can be mitigated by importing the "mitigation.release.20240126.5.xml" file, available via the Ivanti download portal.
Ivanti further states that customers should stop pushing configurations to appliances once the XML is in place, and should not resume pushing configurations until the appliance is patched. Ivanti also recommends installing the patches, which are available for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3. Additionally, run Ivanti's external integrity checker (ICT) to check whether you have been compromised.
When a configuration is pushed to an appliance with the mitigation XML in place, the push stops some key web services from functioning and disables the mitigation itself. This only applies to customers who push configurations to appliances, including configuration pushes through Pulse One or nSA, and it occurs regardless of whether the push is a full or partial configuration.
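The patched builds above are spread across several release lines, so a fleet inventory has to compare each appliance's version against the fix for its own line rather than against a single number. The following is an added example written for this post, not Kroll's or Ivanti's tooling: it parses Ivanti-style version strings (assumed format `major.minorRrelease.build`, e.g. `9.1R18.3`), maps each to the fixed build listed in the text above, and flags appliances that are unpatched or sit on a release line for which the advisory lists no patch, meaning the XML mitigation still applies. The product keys `ICS` and `ZTA`, the `assess()` function and the sample inventory are constructed for illustration; Policy Secure is not mapped because the text above lists patched versions only for Connect Secure and ZTA.

```python
import re
from typing import Dict, List, Tuple

# Version strings look like "9.1R18.3": major.minor, "R", release, optional ".build".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Fixed build per release line, taken from the patch list quoted in the text above.
# Key: (major, minor, release) -> first patched build on that line.
PATCHED_BUILDS: Dict[str, Dict[Tuple[int, int, int], int]] = {
    "ICS": {  # Ivanti Connect Secure
        (9, 1, 14): 4,   # 9.1R14.4
        (9, 1, 17): 2,   # 9.1R17.2
        (9, 1, 18): 3,   # 9.1R18.3
        (22, 4, 2): 2,   # 22.4R2.2
        (22, 5, 1): 1,   # 22.5R1.1
    },
    "ZTA": {  # Ivanti Neurons for ZTA
        (22, 6, 1): 3,   # 22.6R1.3
    },
}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split '9.1R18.3' into (9, 1, 18, 3); a missing build counts as 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, build = m.groups()
    return int(major), int(minor), int(release), int(build or 0)


def assess(product: str, version: str) -> str:
    """Return 'patched', 'vulnerable', or 'unlisted-line'.

    'unlisted-line' means the advisory above names no fixed build for this
    release line, so the appliance must be treated as needing the XML
    mitigation until it is moved to a patched line.
    """
    major, minor, release, build = parse_version(version)
    line_fixes = PATCHED_BUILDS[product]
    line = (major, minor, release)
    if line not in line_fixes:
        return "unlisted-line"
    return "patched" if build >= line_fixes[line] else "vulnerable"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Assess every (hostname, product, version) record; unparsable versions are reported, not skipped."""
    results = []
    for host, product, version in inventory:
        try:
            status = assess(product, version)
        except ValueError as exc:
            status = f"error: {exc}"
        results.append({"host": host, "product": product, "version": version, "status": status})
    return results


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("vpn-east-01", "ICS", "9.1R18.3"),   # on a listed line, at the fixed build
    ("vpn-east-02", "ICS", "9.1R18.2"),   # one build short of the fix
    ("vpn-west-01", "ICS", "22.4R2.1"),   # below 22.4R2.2
    ("vpn-west-02", "ICS", "22.5R1"),     # no build suffix -> build 0 -> below 22.5R1.1
    ("vpn-lab-01",  "ICS", "9.1R15.3"),   # line with no patch listed in the advisory
    ("zta-gw-01",   "ZTA", "22.6R1.3"),
    ("zta-gw-02",   "ZTA", "22.6R1.2"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:<12} {row['product']:<4} {row['version']:<10} {row['status']}")
```

Anything reported as `vulnerable` or `unlisted-line` should have the mitigation XML imported, configuration pushes paused, and the external ICT run, per the guidance above; the script only answers the version question, it does not verify that the mitigation is actually in place on the appliance.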
Below are some key recommendations from Kroll’s CTI team: