Ivanti Critical Vulnerabilities

Details
Content
Dependencies
Version History

This pack handles CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893 - Ivanti critical vulnerabilities

Ivanti Critical Vulnerabilities

Ivanti has recently disclosed four critical vulnerabilities in their VPN devices, identified as CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893, with active exploitation reported. These security flaws impact all supported versions of Ivanti Connect Secure and Ivanti Policy Secure gateways, including versions 9.x and 22.x, and Ivanti Neurons for ZTA.

This pack will provide you with a first response kit which includes:

Threat Hunting
IoC Collection and Remediation
Mitigation Measures

References:

Unit42 Threat Brief: Multiple Ivanti Vulnerabilities

CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways

Ivanti Critical Vulnerabilities

This pack will provide you with a first response kit which includes:

Threat Hunting
IoC Collection and Remediation
Mitigation Measures

References:

Unit42 Threat Brief: Multiple Ivanti Vulnerabilities

CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways

Playbooks

Name	Description
Ivanti Critical Vulnerabilities	Ivanti has recently disclosed four critical vulnerabilities in their VPN devices, identified as CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893, with active exploitation reported. These security flaws impact all supported versions of Ivanti Connect Secure and Ivanti Policy Secure gateways, including versions 9.x and 22.x, and Ivanti Neurons for ZTA. Disclosed Vulnerabilities CVE-2023-46805, a high-severity vulnerability, allows attackers to bypass authentication checks in the web component, granting access to restricted resources without credentials. CVE-2024-21887, of critical severity, enables command injection through specially crafted requests by authenticated administrators, leading to arbitrary command execution. CVE-2024-21888, another critical vulnerability, permits privilege escalation within the web component, enabling users to gain administrative rights. CVE-2024-21893 exposes a server-side request forgery (SSRF) vulnerability within the SAML component, allowing unauthorized access to specific restricted resources. The combination of these vulnerabilities, particularly CVE-2023-46805 and CVE-2024-21887, facilitates attackers to execute commands on the compromised system sans authentication, posing a significant security risk. Organizations utilizing affected Ivanti products are urged to apply mitigations and patches to safeguard their systems against potential exploits. This playbook should be triggered manually or can be configured as a job. IoCs Collection Unit42 IoCs download Hunting PANW Hunting: Panorama Threat IDs hunting Cortex Xpanse issues hunting Indicators hunting Endpoints by CVE hunting Mitigations Ivanti recommended workaround and patch. References Unit42 Threat Brief: Multiple Ivanti Vulnerabilities CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Name

Description

Ivanti Critical Vulnerabilities

Disclosed Vulnerabilities

CVE-2023-46805, a high-severity vulnerability, allows attackers to bypass authentication checks in the web component, granting access to restricted resources without credentials.
CVE-2024-21887, of critical severity, enables command injection through specially crafted requests by authenticated administrators, leading to arbitrary command execution.
CVE-2024-21888, another critical vulnerability, permits privilege escalation within the web component, enabling users to gain administrative rights.
CVE-2024-21893 exposes a server-side request forgery (SSRF) vulnerability within the SAML component, allowing unauthorized access to specific restricted resources.

The combination of these vulnerabilities, particularly CVE-2023-46805 and CVE-2024-21887, facilitates attackers to execute commands on the compromised system sans authentication, posing a significant security risk. Organizations utilizing affected Ivanti products are urged to apply mitigations and patches to safeguard their systems against potential exploits.

This playbook should be triggered manually or can be configured as a job.

IoCs Collection

Unit42 IoCs download

Hunting

PANW Hunting:
- Panorama Threat IDs hunting
- Cortex Xpanse issues hunting
Indicators hunting
Endpoints by CVE hunting

Mitigations

Ivanti recommended workaround and patch.

References

Unit42 Threat Brief: Multiple Ivanti Vulnerabilities

CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Playbooks

Name	Description
Ivanti Critical Vulnerabilities	Ivanti has recently disclosed four critical vulnerabilities in their VPN devices, identified as CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893, with active exploitation reported. These security flaws impact all supported versions of Ivanti Connect Secure and Ivanti Policy Secure gateways, including versions 9.x and 22.x, and Ivanti Neurons for ZTA. Disclosed Vulnerabilities CVE-2023-46805, a high-severity vulnerability, allows attackers to bypass authentication checks in the web component, granting access to restricted resources without credentials. CVE-2024-21887, of critical severity, enables command injection through specially crafted requests by authenticated administrators, leading to arbitrary command execution. CVE-2024-21888, another critical vulnerability, permits privilege escalation within the web component, enabling users to gain administrative rights. CVE-2024-21893 exposes a server-side request forgery (SSRF) vulnerability within the SAML component, allowing unauthorized access to specific restricted resources. The combination of these vulnerabilities, particularly CVE-2023-46805 and CVE-2024-21887, facilitates attackers to execute commands on the compromised system sans authentication, posing a significant security risk. Organizations utilizing affected Ivanti products are urged to apply mitigations and patches to safeguard their systems against potential exploits. This playbook should be triggered manually or can be configured as a job. IoCs Collection Unit42 IoCs download Hunting PANW Hunting: Panorama Threat IDs hunting Cortex Xpanse issues hunting Indicators hunting Endpoints by CVE hunting Mitigations Ivanti recommended workaround and patch. References Unit42 Threat Brief: Multiple Ivanti Vulnerabilities CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Name

Description

Ivanti Critical Vulnerabilities

Disclosed Vulnerabilities

CVE-2023-46805, a high-severity vulnerability, allows attackers to bypass authentication checks in the web component, granting access to restricted resources without credentials.
CVE-2024-21887, of critical severity, enables command injection through specially crafted requests by authenticated administrators, leading to arbitrary command execution.
CVE-2024-21888, another critical vulnerability, permits privilege escalation within the web component, enabling users to gain administrative rights.
CVE-2024-21893 exposes a server-side request forgery (SSRF) vulnerability within the SAML component, allowing unauthorized access to specific restricted resources.

This playbook should be triggered manually or can be configured as a job.

IoCs Collection

Unit42 IoCs download

Hunting

PANW Hunting:
- Panorama Threat IDs hunting
- Cortex Xpanse issues hunting
Indicators hunting
Endpoints by CVE hunting

Mitigations

Ivanti recommended workaround and patch.

References

Unit42 Threat Brief: Multiple Ivanti Vulnerabilities

CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR

Optional Content Packs (2)

Pack Name	Pack By
Cortex Xpanse by Palo Alto Networks	By: Cortex XSOAR
PAN-OS by Palo Alto Networks	By: Cortex XSOAR

All level dependencies (16)

Pack Name	Pack By
Splunk	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Asset	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Identity	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Ransomware	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Cryptocurrency	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Base	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	February 7, 2024
Last Release	February 7, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.