
CVE-2024-22024: XXE vulnerability disclosed in Ivanti products

CVE-2024-22024 affects two pieces of software that allow devices to connect to VPN networks

CVE-2024-22024 is an XML External Entity (XXE) vulnerability that allows a remote attacker to access internal files

CVE-2024-22024, a new high-severity vulnerability affecting Ivanti Connect Secure and Ivanti Policy Secure, has been disclosed. This software is used to connect devices to virtual private networks (VPNs). The vulnerability would allow a remote attacker to access internal files by sending maliciously crafted XML files. The situation is made more serious by the fact that there is a known, publicly accessible exploit.

CVE-2024-22024 is the latest in a series of high and critical vulnerabilities discovered in a single month (CVE-2024-21893, CVE-2024-21887, CVE-2024-21888). Exploitation of these previous vulnerabilities has been detected in the wild, so it cannot be ruled out that this latest vulnerability will be exploited in the same way.

Ivanti Connect Secure and Ivanti Policy Secure are Ivanti’s software solutions for management and communication over virtual private networks (VPNs), used to connect devices to networks securely. These solutions were previously developed by Pulse Secure, a company that was acquired by Ivanti in 2020.

Key features

  • CVE identifier: CVE-2024-22024
  • Release date: February 08, 2024
  • Affected software: Ivanti Connect Secure / Ivanti Policy Secure
  • CVSS score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L (8.3 High)
  • Affected versions:
    • Ivanti Connect Secure: 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 and 22.5R2.2
    • Ivanti Policy Secure: 22.5R1.1 and ZTA 22.6R1.3.
  • Exploitation requirements:
    • The web service must be available for the attacker.

The vulnerable resource is /dana-na/auth/saml-sso.cgi. To exploit it, it is enough to send a POST request with a parameter called SAMLRequest whose value is a malicious XML document containing an entity that refers either to internal resources of the server or to external addresses.

Mitigation

The main solution is to urgently update the Ivanti software to one of the new patched versions that fix this vulnerability:

  • Ivanti Connect Secure: 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, 22.6R2.2
  • Ivanti Policy Secure: 9.1R17.3, 9.1R18.4 and 22.5R1.2
  • ZTA gateways: 22.5R1.6, 22.6R1.5 and 22.6R1.7.

Ivanti has published a post with the official information and related updates of this vulnerability.

Detection of the vulnerability CVE-2024-22024

The presence of the vulnerability can be identified by the version number.
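Where request bodies can be inspected (for example at a reverse proxy in front of the appliance), POST requests to the vulnerable resource whose SAMLRequest carries a DTD can also be flagged directly. The following Python check is an added example, not code from Ivanti or from this blog; the function names, verdict strings and the assumption that legitimate SAML requests never contain a DOCTYPE or ENTITY declaration are ours.

```python
import base64
import binascii
import re
import zlib
from urllib.parse import parse_qs, urlencode

ENDPOINT = "/dana-na/auth/saml-sso.cgi"  # vulnerable resource named in this post
# Assumption: legitimate SAML traffic never carries a DTD, so any one is flagged.
DTD = re.compile(rb"<!\s*(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def decoded_forms(value: str) -> list[bytes]:
    """Base64-decode a SAMLRequest value; also try raw DEFLATE (redirect binding)."""
    cleaned = value.replace(" ", "+").replace("\r", "").replace("\n", "")
    try:
        raw = base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return []
    forms = [raw]
    try:
        # Output is capped at 1 MiB so the inspector cannot be decompression-bombed.
        forms.append(zlib.decompressobj(-15).decompress(raw, 1 << 20))
    except zlib.error:
        pass
    # Dropping NUL bytes lets the ASCII pattern also match UTF-16 encoded XML.
    return [f.replace(b"\x00", b"") for f in forms]


def inspect_request(method: str, path: str, body: str) -> str:
    """Classify one request as 'ignore', 'clean', 'undecodable' or 'dtd-present'."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return "ignore"
    values = parse_qs(body, keep_blank_values=True).get("SAMLRequest", [])
    verdict = "clean" if values else "ignore"
    for value in values:
        forms = decoded_forms(value)
        if not forms:
            verdict = "undecodable"
        elif any(DTD.search(f) for f in forms):
            return "dtd-present"
    return verdict


if __name__ == "__main__":
    # Constructed samples: a DTD-free request and one that declares an entity.
    for xml in (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>',
                b'<!DOCTYPE r [<!ENTITY e "constructed">]><r>&e;</r>'):
        body = urlencode({"SAMLRequest": base64.b64encode(xml).decode()})
        print(inspect_request("POST", ENDPOINT, body))
```

A `dtd-present` or `undecodable` verdict is a reason to review the request and its source; it does not replace updating to a patched version.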

As part of its emerging vulnerabilities service, Tarlogic proactively monitors the perimeter of its clients to report, detect, and urgently notify of the presence of this vulnerability, as well as other critical threats that could have a serious impact on the security of their assets.