External risk intelligence

Ivanti Connect Secure Authentication Bypass Affecting Web Component

CVE advisory | Known Exploit

CVE-2023-46805

An authentication bypass vulnerability affects Ivanti Connect Secure and Policy Secure components, allowing unauthorized access to restricted resources. This poses a business risk because it can enable attackers to gain access to sensitive systems and data. The vulnerability has been observed in active exploitation campaigns.

Halo Surface Signal: 5

Authentication Bypass

Ivanti Connect Secure

Affected versions: 9.0, 9.1, 22.1, 22.2, 22.3, 22.4, 22.5, 22.6

External exposure likelihood

Halo Surface Signal score for CVE-2023-46805

This vulnerability affects Ivanti Connect Secure and Policy Secure, which are internet-facing network appliances typically deployed as VPN gateways or remote access portals. By design, these products serve as the entry point to a network and are intended to be accessible from the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

The web component of Ivanti Connect Secure and Ivanti Policy Secure contains an authentication bypass: its control checks can be circumvented, giving unauthorized access to restricted resources. Successful exploitation could enable attackers to gain administrative access, potentially leading to data exfiltration, ransomware deployment, or espionage within an organization's network.

  • Vulnerable: Ivanti web component
  • Flaw: Authentication bypass
  • Impact: Restricted resource access

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can bypass access controls on Ivanti Connect Secure and Ivanti Policy Secure. This allows an attacker to access restricted resources and potentially gain further access to the organization's systems. The attack leverages the web component's failure to properly validate user authentication. This could lead to unauthorized access to sensitive data or systems, impacting business operations and data integrity.

  • Web component is publicly accessible.
  • Attacker bypasses authentication checks.
  • Attacker accesses restricted resources.

Live Threat

Current exploitation, exposure, and threat context

An authentication bypass vulnerability exists in the web component of Ivanti Connect Secure and Ivanti Policy Secure. This allows a remote attacker to access restricted resources by bypassing control checks. When combined with a command injection vulnerability, an unauthenticated attacker can execute arbitrary commands on the system. This exploit chain has been actively used in the wild by various threat actors.

  • Likely advanced attacker skill level.
  • No authentication required.
  • Significant business risk.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An authentication bypass vulnerability exists in Ivanti Connect Secure and Ivanti Policy Secure components. This allows remote attackers to access restricted resources by bypassing control checks. The vulnerability has been observed in active exploitation campaigns and is listed as a known exploited vulnerability.

  • Identify exposed Ivanti appliances.
  • Reduce exposure or isolate affected systems.
  • Apply vendor fixes, verify, and monitor.
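A small inventory triage helper for the three steps above, added here as an example (not Ivanti's or the advisory provider's code). It takes the affected version families from the list on this page, parses vendor-style version strings, and puts internet-exposed appliances at the top of the remediation queue; the hostnames and inventory entries are constructed.

```python
"""Triage helper: flag Ivanti Connect Secure / Policy Secure appliances in an
affected version family, and prioritise the ones reachable from the internet."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Affected version families as listed on this page (9.0, 9.1, 22.1 .. 22.6).
AFFECTED_FAMILIES = {"9.0", "9.1", "22.1", "22.2", "22.3", "22.4", "22.5", "22.6"}
AFFECTED_PRODUCTS = {"Ivanti Connect Secure", "Ivanti Policy Secure"}


@dataclass
class Appliance:
    host: str
    product: str
    version: str          # vendor-style string such as "22.3R1" or "9.1R18.2"
    internet_exposed: bool


def version_family(version: str) -> Optional[str]:
    """Return the MAJOR.MINOR family of a vendor version string ("22.3R1" -> "22.3")."""
    m = re.match(r"^\s*(\d+)\.(\d+)", version)
    return f"{m.group(1)}.{m.group(2)}" if m else None


def is_affected(a: Appliance) -> bool:
    """True when the product and version family both match the list on this page."""
    return a.product in AFFECTED_PRODUCTS and version_family(a.version) in AFFECTED_FAMILIES


def triage(inventory: List[Appliance]) -> List[Tuple[str, str]]:
    """Return (host, action) pairs for affected appliances, exposed ones first."""
    actions = []
    for a in inventory:
        if not is_affected(a):
            continue
        action = "reduce exposure or isolate, then patch" if a.internet_exposed else "patch and verify"
        actions.append((a.host, action))
    actions.sort(key=lambda t: 0 if t[1].startswith("reduce") else 1)  # exposed to the top
    return actions


# Constructed sample inventory (hostnames are not real).
SAMPLE = [
    Appliance("vpn-edge-1.example.test", "Ivanti Connect Secure", "22.3R1", True),
    Appliance("nac-core.example.test", "Ivanti Policy Secure", "9.1R18", False),
    Appliance("lab-vpn.example.test", "Ivanti Connect Secure", "23.1R1", True),  # family not in this page's list
    Appliance("fw-1.example.test", "Other Vendor Firewall", "7.0", True),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE):
        print(f"{host}: {action}")
```

Feed it an export of your CMDB or scanner inventory in place of SAMPLE; the version parser only needs the leading MAJOR.MINOR digits.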

Frequently asked questions

What are Ivanti Connect Secure and Ivanti Policy Secure used for?

Ivanti Connect Secure and Ivanti Policy Secure are network appliances often used as VPN gateways or remote access portals. They act as an entry point for users to access an organization's network resources from outside the network.

What kind of weakness does CVE-2023-46805 describe?

CVE-2023-46805 describes an authentication bypass vulnerability. This type of weakness, categorized as CWE-287, means the software fails to correctly verify a user's identity, allowing unauthorized access to resources.

How can an attacker exploit this CVE-2023-46805 vulnerability?

An attacker can exploit this vulnerability by sending specially crafted requests to the web component of the affected Ivanti software. This bypasses the normal control checks that are supposed to verify user authentication, granting access to restricted areas without proper credentials.

Who should be concerned about this external-facing vulnerability?

Organizations using Ivanti Connect Secure or Ivanti Policy Secure that are accessible from the internet should be concerned. Because these products often serve as external entry points to a network, they present a significant target for attackers.

What is the first step for managing this threat?

If you are running Ivanti Connect Secure or Ivanti Policy Secure, the first step is to identify any instances of these appliances that are exposed to the internet. Reducing their exposure or isolating them from the network are immediate protective measures before applying vendor-provided fixes.
