
Ivanti Connect Secure SAML Component Vulnerability Allows Unauthorized Access.

CVE advisory
Known Exploit

CVE-2024-21893

A server-side request forgery vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA allows unauthorized access to restricted resources. This impacts organizations by potentially compromising data confidentiality and integrity. The business risk involves unauthorized access to sensitiv

Halo Surface Signal: 5

Server-Side Request Forgery

Ivanti Connect Secure

9.0, 9.1, 21.9, 21.12, 22.1

External exposure likelihood

Halo Surface Signal score for CVE-2024-21893

Ivanti Connect Secure and Policy Secure are enterprise VPN and network gateway appliances. These products are designed to be public-facing to facilitate remote access for employees and are routinely deployed at the network edge, making them highly visible and accessible to the public internet by design.

Horizon Alert

Summary of the vulnerability and why it matters

A server-side request forgery vulnerability has been identified in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA. The flaw allows an attacker to reach certain restricted resources without authenticating: the appliance itself issues the request, so the attacker's lack of credentials is irrelevant. The vulnerability is present across multiple versions of the affected products. Exploitation can expose sensitive information and affect the confidentiality and integrity of data within an organization.

  • Vulnerable Ivanti products: Connect Secure, Policy Secure, Neurons for ZTA.
  • Core weakness: Server-side request forgery in SAML component.
  • Main business impact: Unauthorized access to restricted resources.

Attack Path

How an attacker could exploit the issue

A server-side request forgery vulnerability exists in the SAML component of Ivanti Connect Secure and Ivanti Policy Secure. The component handles requests before the client has authenticated, so an attacker who can reach it can make the appliance issue requests on their behalf to resources that would normally require authentication. Because these appliances are exposed at the network edge by design, the attacker is typically on the internet and the forged request is aimed at resources behind or on the appliance that the attacker could not reach directly.

  • The appliance must be reachable by the attacker (for these products, usually from the internet).
  • The attacker sends a crafted request to the SAML component; no credentials are needed.
  • The appliance issues the forged request and the attacker obtains access to restricted resources.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthorized access to restricted resources, posing a significant risk to organizational data and systems. The exploitation is facilitated through a server-side request forgery in the SAML component, potentially impacting Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for Zero Trust Access. Organizations using these products should consider this a high-priority issue.

  • Attacker skill level: Low
  • Required access or conditions: None
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A server-side request forgery vulnerability has been identified in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA. It allows an unauthenticated attacker to access restricted resources. Because exploitation is already known, internet-facing appliances should be treated as potentially compromised rather than only patched: review them for signs of compromise before and after applying fixes.

  • Inventory every Ivanti Connect Secure, Policy Secure, and Neurons for ZTA appliance, recording its version and whether it is internet-facing.
  • Until a fix is applied, isolate affected appliances or reduce their exposure (restrict who can reach them).
  • Apply the vendor fixes, then validate that each appliance is actually running the fixed version.
  • Monitor appliances and the systems behind them for related activity, prioritising those that were internet-facing while vulnerable.

Frequently asked questions

What are Ivanti Connect Secure and Policy Secure used for?

Ivanti Connect Secure and Ivanti Policy Secure are network gateway appliances that provide secure remote access for users to an organization's internal resources. They function as a crucial part of network infrastructure, enabling employees to connect to company systems from outside the corporate network.

How does CVE-2024-21893's server-side request forgery weakness work?

CVE-2024-21893 is a server-side request forgery (SSRF) vulnerability, categorized as CWE-918. This weakness allows an attacker to trick the server into making unintended requests to internal or external resources. In this case, it lets an attacker access restricted information without proper authentication by manipulating the SAML component.
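The following is an added illustration of the weakness class described in this FAQ answer and in the Attack Path section above. It is not Ivanti's code and does not reproduce CVE-2024-21893; it shows a generic SAML-style endpoint that fetches a URL named inside a client-supplied message (CWE-918), beside a hardened version that allowlists the target and checks the address it will actually connect to. The XML layout, the namespace, the allowlist, the fake fetch and DNS helpers, and the sample messages are all constructed for the example.

```python
"""Illustrative CWE-918 (SSRF) in a SAML-style endpoint, vulnerable form
beside a hardened form.

Added example: this is not Ivanti's code and does not reproduce
CVE-2024-21893. The XML layout, the allowlist, the fake fetch/DNS
functions and the sample messages are all constructed for illustration.
"""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"s": "urn:example:saml"}  # hypothetical namespace for the toy message

# Constructed SAML-style messages. The <Reference URI> is the value the
# server fetches while processing the message; the client controls it.
LEGIT_MESSAGE = (
    '<Request xmlns="urn:example:saml">'
    '<Reference URI="https://idp.example.com/metadata"/></Request>'
)
ATTACK_MESSAGE = (
    '<Request xmlns="urn:example:saml">'
    '<Reference URI="http://127.0.0.1:8080/internal/admin"/></Request>'
)

FETCHED = []            # every URL the "appliance" actually requested
ALLOWED_IDP_HOSTS = {"idp.example.com"}      # hypothetical trusted IdPs
CONSTRUCTED_DNS = {"idp.example.com": "93.184.216.34"}  # fake resolver data


def fake_fetch(url):
    """Stand-in for the outbound HTTP client; records instead of connecting."""
    FETCHED.append(url)
    return "fetched:" + url


def parse_reference(xml_text):
    """Return the URI named by the message's <Reference>, or None."""
    ref = ET.fromstring(xml_text).find("s:Reference", NS)
    return ref.get("URI") if ref is not None else None


def handle_vulnerable(xml_text):
    """Vulnerable handler: no authentication, and it fetches whatever URI
    the unauthenticated client supplied. A loopback or internal URI turns
    the server into a proxy to resources the client could not reach."""
    uri = parse_reference(xml_text)
    return fake_fetch(uri) if uri else None


def is_allowed_target(uri, resolved_ip):
    """Policy checked immediately before the outbound request:
    - https only; hostname comes from urlparse, so 'user@host' tricks
      cannot smuggle a different host past the check;
    - hostname must be a known IdP (allowlist, not a denylist);
    - the address the client will actually connect to must be globally
      routable, so an allowlisted name resolving to loopback, RFC 1918 or
      link-local space (e.g. a cloud metadata service) is still refused."""
    parts = urlparse(uri)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    if parts.hostname.lower() not in ALLOWED_IDP_HOSTS:
        return False
    return ipaddress.ip_address(resolved_ip).is_global


def handle_hardened(xml_text, resolve=CONSTRUCTED_DNS.get):
    """Hardened handler: resolve once, validate the resolved address, and
    only then fetch. Returns None when the reference is rejected."""
    uri = parse_reference(xml_text)
    if not uri:
        return None
    host = urlparse(uri).hostname
    resolved_ip = resolve(host) if host else None
    if resolved_ip is None or not is_allowed_target(uri, resolved_ip):
        return None
    return fake_fetch(uri)


if __name__ == "__main__":
    print("vulnerable:", handle_vulnerable(ATTACK_MESSAGE))
    print("hardened  :", handle_hardened(ATTACK_MESSAGE))
    print("hardened  :", handle_hardened(LEGIT_MESSAGE))
```

The vulnerable handler happily requests `http://127.0.0.1:8080/internal/admin` because nothing ties the fetched URL to a trusted party; the hardened one refuses it, and also refuses an allowlisted hostname that resolves to a private address. In a real client the connection must then be pinned to the address that was validated, otherwise a second resolution at connect time (DNS rebinding) reopens the hole.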

What conditions are needed for an attacker to exploit this Ivanti vulnerability?

Exploiting CVE-2024-21893 does not require an attacker to have any special access or credentials. The vulnerability is triggered through the SAML component of the affected Ivanti products. Notably, the attack targets systems that are externally exposed, meaning they are accessible from the internet.

Who should be concerned about the Ivanti Connect Secure SSRF vulnerability?

Organizations using Ivanti Connect Secure or Ivanti Policy Secure should be concerned, especially if these products are internet-facing. The Halo Surface Signal indicates a 'Very likely' exposure because these are typically public-facing remote access solutions deployed at the network edge, making them accessible to external threats.

What is the first step to address this Ivanti security issue?

The immediate first step for organizations running affected Ivanti products is to identify all instances of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA within their environment. After identification, steps should be taken to reduce their exposure or isolate them, followed by applying vendor-provided fixes.
