Ivanti Critical Vulnerabilities

Ivanti has recently disclosed four critical vulnerabilities in their VPN devices, identified as CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893, with active exploitation reported. These security flaws impact all supported versions of Ivanti Connect Secure and Ivanti Policy Secure gateways, including versions 9.x and 22.x, and Ivanti Neurons for ZTA. #### Disclosed Vulnerabilities * CVE-2023-46805, a high-severity vulnerability, allows attackers to bypass authentication checks in the web component, granting access to restricted resources without credentials. * CVE-2024-21887, of critical severity, enables command injection through specially crafted requests by authenticated administrators, leading to arbitrary command execution. * CVE-2024-21888, another critical vulnerability, permits privilege escalation within the web component, enabling users to gain administrative rights. * CVE-2024-21893 exposes a server-side request forgery (SSRF) vulnerability within the SAML component, allowing unauthorized access to specific restricted resources. The combination of these vulnerabilities, particularly CVE-2023-46805 and CVE-2024-21887, facilitates attackers to execute commands on the compromised system sans authentication, posing a significant security risk. Organizations utilizing affected Ivanti products are urged to apply mitigations and patches to safeguard their systems against potential exploits. **This playbook should be triggered manually or can be configured as a job.** **IoCs Collection** - Unit42 IoCs download **Hunting** - PANW Hunting: - Panorama Threat IDs hunting - Cortex Xpanse issues hunting - Indicators hunting - Endpoints by CVE hunting **Mitigations** Ivanti recommended workaround and patch. **References** [Unit42 Threat Brief: Multiple Ivanti Vulnerabilities](https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2023-46805-cve-2024-21887/#ivanti-2024-addit-resources) [CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways](https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US) Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Ivanti Critical Vulnerabilities · 31 tasks · 6 inputs · 0 outputs

Inputs

  • PlaybookDescription — The playbook description to be used in the Rapid Breach Response - Set Incident Info sub-playbook.
  • autoBlockIndicators — Wether to block the indicators automatically.
  • QRadarTimeRange — QRadar hunting time range.
  • SplunkEarliestTime — Splunk hunting earliest time.
  • ShouldPauseForMitigation — Whether to wait for the analyst's response for the mitigation phase or let the playbook continue with the automated flow.
  • ShouldCloseAutomatically — Whether to close the investigation automatically.

Commands used

closeInvestigation createNewIndicator expanse-get-issues extractIndicators

Flowchart

yes yes yes Start Start Extract and Enrich Indicators Extract and Enrich Indica... Collect IoCs from Unit42 - ParseHTMLIndicators Collect IoCs from Unit42 ParseHTMLIndicators Tag Indicators Tag Indicators Set Rapid Breach Response Layout Set Rapid Breach Response... Rapid Breach Response - Set Incident Info - Rapid Breach Response - Set Incident Info Rapid Breach Response - S... Rapid Breach Response - Set I... Tag Domain Indicators - createNewIndicator Tag Domain Indicators createNewIndicator Threat Hunting Threat Hunting Indicators Hunting Indicators Hunting Threat Hunting - Generic - Threat Hunting - Generic Threat Hunting - Generic Threat Hunting - Generic Block Indicators - Generic v3 - Block Indicators - Generic v3 Block Indicators - Generi... Block Indicators - Generic v3 Done Done Remediation Remediation Mitigation Mitigation Ivanti mitigation measures Ivanti mitigation measures Tag File Indicators - createNewIndicator Tag File Indicators createNewIndicator Tag CVE Indicators - createNewIndicator Tag CVE Indicators createNewIndicator Tag IP Indicators - createNewIndicator Tag IP Indicators createNewIndicator Panorama Threat Prevention Panorama Threat Prevention Panorama Query Logs - Panorama Query Logs Panorama Query Logs Panorama Query Logs CVE Hunting CVE Hunting Search Endpoint by CVE - Generic - Search Endpoint by CVE - Generic Search Endpoint by CVE - ... Search Endpoint by CVE - Generic Cortex Xpanse Cortex Xpanse Search for Pulse Secure VPN Devices with an open issues - expanse-get-issues Search for Pulse Secure V... expanse-get-issues Is Xpanse Enabled? Is Xpanse Enabled? Indicators extraction - extractIndicators Indicators extraction extractIndicators Should pause for mitigations? Should pause for mitigati... Entity Enrichment - Generic v3 - Entity Enrichment - Generic v3 Entity Enrichment - Gener... Entity Enrichment - Generic v3 Should close automatically? Should close automatically? Close investigation - closeInvestigation Close investigation closeInvestigation Done Done