Security Affairs
Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers|Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|Security Affairs newsletter Round 585 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers|Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|Security Affairs newsletter Round 585 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Two zero-day bugs in Ivanti Connect Secure actively exploited

Ivanti revealed that two threat actors are exploiting two zero-day vulnerabilities in its Connect Secure (ICS) and Policy Secure. Software firm Ivanti reported that threat actors are exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways. The flaw CVE-2023-46805 (CVSS score 8.2) is […]

ivanti Endpoint Manager

Ivanti revealed that two threat actors are exploiting two zero-day vulnerabilities in its Connect Secure (ICS) and Policy Secure.

Software firm Ivanti reported that threat actors are exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways.

The flaw CVE-2023-46805 (CVSS score 8.2) is an Authentication Bypass issue that resides in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. A remote attacker can trigger the vulnerability to access restricted resources by bypassing control checks.

The second flaw, tracked as CVE-2024-21887 (CVSS score 9.1) is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. An authenticated administrator can exploit the issue by sending specially crafted requests and execute arbitrary commands on the appliance.

An attacker can chain the two flaws to send specially crafted requests to unpatched systems and execute arbitrary commands. 

“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.” reads the advisory published by Ivanti.

The company is providing mitigation and confirmed it is working on the development of a security patch.

The final patches will be available by 19 February.

“Upon learning of the vulnerability, we immediately mobilized resources and mitigation is available now. Patches will be released in a staggered schedule with the first version targeted to be available to customers the week of 22 January and the final version targeted to be available the week of 19 February.” continues the advisory.

According to KB Article, customers can mitigate CVE-2023-46805 and CVE-2024-21887 by importing mitigation.release.20240107.1.xml file via the download portal.

Volexity researchers observed threat actors actively exploiting the two zero-days in the wild. In December 2023, Volexity investigated an attack where an attacker was placing webshells on multiple internal and external-facing web servers.

“Upon closer inspection, Volexity found that an attacker was placing webshells on multiple internal and external-facing web servers.” reads the analysis published by Volexity.” reads the analysis published by Volexity. “Most notably, Volexity analyzed one of the collected memory samples and uncovered the exploit chain used by the attacker. Volexity discovered two different zero-day exploits which were being chained together to achieve unauthenticated remote code execution (RCE). Through forensic analysis of the memory sample, Volexity was able to recreate two proof-of-concept exploits that allowed full unauthenticated command execution on the ICS VPN appliance. These two vulnerabilities have been assigned the following CVEs:

  • CVE-2023-46805 – an authentication-bypass vulnerability with a CVSS score of 8.2
  • CVE-2024-21887 – a command-injection vulnerability found into multiple web components with a CVSS score of 9.1″

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Connect Secure)