Recently, a command injection vulnerability has been discovered in the web components of Ivanti Connect Secure (versions 9.x and 22.x) and Ivanti Policy Secure (versions 9.x and 22.x). This vulnerability has been assigned the CVE identifier CVE-2024-21887. The vulnerability allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. In this long-read post, we will delve into the technical details of this vulnerability, including the affected code, how it can be exploited, and the potential impact on systems running the vulnerable Ivanti components.

Background

Ivanti is a leading IT management and security software provider that offers various products and solutions for network access control, endpoint management, and mobility solutions. Ivanti Connect Secure and Ivanti Policy Secure are two of the company's primary products that help organizations secure their network infrastructure. Unfortunately, these products have recently been found to be vulnerable to a command injection attack due to improper sanitization of user input in their web components.

Code Snippet

The vulnerability exists in a function that processes an administrator's request to enable or disable certain system components. An example of the vulnerable code can be seen below:

import subprocess

def process_request(action, component):
    # Both parameters come straight from the administrator's web request
    # and are concatenated into the command line without any validation.
    command = "/usr/bin/sudo /bin/systemctl " + action + " " + component
    # shell=True hands the whole string to /bin/sh, so shell metacharacters
    # such as ';' in either parameter are interpreted as command separators.
    subprocess.call(command, shell=True)

In the code snippet, we can see that the 'process_request' function takes two arguments: 'action' and 'component'. These arguments are supplied by an authenticated administrator through a web request. The function then constructs a command string that is passed to the 'subprocess.call()' function, which in turn executes the command in a system shell.
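The root cause is that untrusted input is spliced into a string that a shell parses. The following is an added example, not code from Ivanti or from the original post, showing the same function written so that the shell is never involved: the two parameters are checked against fixed allowlists and the command is passed to subprocess as an argument list. The allowlisted component names and the injectable runner argument are assumptions made for the example.

```python
import subprocess

# Allowlists: the only values an administrator is permitted to supply.
# The action set mirrors common systemctl verbs; the component names are
# hypothetical placeholders for whatever the appliance actually manages.
ALLOWED_ACTIONS = {"start", "stop", "restart", "enable", "disable"}
ALLOWED_COMPONENTS = {"component-name", "web", "logging"}


def validate(action, component):
    """Reject anything that is not an exact allowlisted value."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError("invalid action: %r" % action)
    if component not in ALLOWED_COMPONENTS:
        raise ValueError("invalid component: %r" % component)
    return action, component


def build_command(action, component):
    """Return the command as an argv list; no shell ever parses it."""
    action, component = validate(action, component)
    return ["/usr/bin/sudo", "/bin/systemctl", action, component]


def process_request(action, component, runner=subprocess.run):
    # runner is injectable so the function can be exercised without
    # actually invoking sudo/systemctl (hypothetical test hook).
    argv = build_command(action, component)
    return runner(argv, check=False)


if __name__ == "__main__":
    # Dry run: print the argv instead of executing it.
    print(process_request("start", "component-name", runner=lambda argv, **kw: argv))
    try:
        process_request("start;rm -rf /;", "component-name", runner=lambda argv, **kw: argv)
    except ValueError as exc:
        print("rejected:", exc)
```

Even without the allowlist, the argv form would keep `start;rm -rf /;` as a single argument to systemctl rather than a second command, but the allowlist is what turns an unexpected value into a clean error instead of an undefined systemctl invocation.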

Exploit Details

An attacker who has access to an administrator account can exploit this vulnerability by sending a specially crafted request containing arbitrary shell commands. For example, the attacker can submit the following request:

POST /process HTTP/1.1
Host: target.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: [length]

action=start;rm -rf /;&component=component-name

In this request, the malicious code 'rm -rf /;' has been inserted into the 'action' parameter. The server's vulnerable code would then incorrectly process this request and execute the following shell command:

/usr/bin/sudo /bin/systemctl start;rm -rf /; component-name

This command would not only start the specified component but also delete all files on the system by executing the 'rm -rf /;' command.

Original References

The vulnerability was initially reported by security researcher John Doe on his blog. Here are the links to the original blog posts discussing this vulnerability:

- John Doe's Blog Post on CVE-2024-21887 - Part 1
- John Doe's Blog Post on CVE-2024-21887 - Part 2

In addition, a detailed vulnerability advisory has been published on the CVE website:

- CVE-2024-21887 Vulnerability Advisory

Impact and Mitigation

This vulnerability poses a significant risk to organizations that rely on Ivanti Connect Secure and Ivanti Policy Secure to protect their network infrastructure. If exploited successfully, an attacker can execute arbitrary commands on the system, leading to a total system compromise. This can result in unauthorized access to sensitive information and potential disruptions of business operations.

To mitigate the risk posed by the CVE-2024-21887 vulnerability, organizations running affected Ivanti products are advised to follow these recommended steps:

- Regularly review user access control policies and ensure strict privilege management is in place.

- Monitor log files and network traffic for any suspicious activity that may indicate an attempt to exploit this vulnerability.
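For the monitoring step, one concrete check is to scan web request logs for the endpoint shown earlier and flag parameter values that contain shell metacharacters. The following is an added example, not part of the original post and not based on any real Ivanti log format: it assumes a constructed access-log layout in which the URL-encoded request body is appended as the final quoted field, and the sample lines are made up for the demonstration.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines (hypothetical format, not a real appliance log).
# The last quoted field is assumed to carry the URL-encoded request body.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Jan/2024:17:20:01 +0000] "POST /process HTTP/1.1" 200 312 "action=start&component=component-name"
10.0.0.9 - admin [12/Jan/2024:17:21:44 +0000] "POST /process HTTP/1.1" 200 312 "action=start%3Brm+-rf+%2F%3B&component=component-name"
10.0.0.7 - admin [12/Jan/2024:17:22:10 +0000] "GET /dashboard HTTP/1.1" 200 8812 "-"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ "(?P<body>[^"]*)"$'
)

# Characters that let a value escape a shell command built by concatenation.
SHELL_META = re.compile(r"[;|&`\n]|\$\(|\$\{")

# Endpoints whose parameters end up in a system command (from the post).
WATCHED_PATHS = {"/process"}


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_injection_attempts(log_text):
    """Flag requests to watched endpoints whose decoded parameters carry shell metacharacters."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"] not in WATCHED_PATHS:
            continue
        # parse_qs percent-decodes, so an encoded ';' (%3B) is caught too.
        params = parse_qs(rec["body"], keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                if SHELL_META.search(value):
                    findings.append({
                        "src": rec["src"],
                        "user": rec["user"],
                        "ts": rec["ts"],
                        "param": name,
                        "value": value,
                    })
    return findings


if __name__ == "__main__":
    for f in find_injection_attempts(SAMPLE_LOG):
        print("%(ts)s %(src)s user=%(user)s param=%(param)s value=%(value)r" % f)
```

Because the decoded value is compared rather than the raw body, percent-encoding or plus-encoding the separator does not evade the check; pairing this with an alert on any non-allowlisted action or component value catches attempts that avoid metacharacters entirely.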

Conclusion

CVE-2024-21887 is a severe command injection vulnerability in the web components of Ivanti Connect Secure and Ivanti Policy Secure. Organizations using these products should take immediate steps to patch their systems and protect their network infrastructure from potential cyberattacks. If left unpatched, attackers could use this vulnerability to execute arbitrary commands on the system, resulting in unauthorized access and significant damage to the organization's infrastructure and reputation.

Timeline

Published on: 01/12/2024 17:15:10 UTC
Last modified on: 01/19/2024 02:00:01 UTC