CVE-2024-21887

Connect Secure and Policy Secure vulnerability analysis and mitigation — CRITICAL (CVSS 9.1)

High Profile Threat

Overview

A command injection vulnerability exists in the web components of Ivanti Connect Secure and Ivanti Policy Secure that allows an authenticated administrator to execute arbitrary commands through unsanitized input. Exploitation requires administrator-level privileges. The vulnerability was disclosed on January 12, 2024. CISA has identified CVE-2024-21887 as actively exploited, and it is known to be used in ransomware campaigns.

Technical details

Ivanti Connect Secure and Ivanti Policy Secure contain a command injection vulnerability in their web components. The vulnerability is caused by insufficient input validation and sanitization of user-supplied data within web-based administrative interfaces. An authenticated administrator can leverage this flaw to inject arbitrary system commands that will be executed with the privileges of the web application process.
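The CWE-78 pattern described above, as an added example that is not Ivanti's code: a hypothetical administrative "connectivity check" handler is shown first in its vulnerable form (the user-supplied value is spliced into a shell command line) and then in a hardened form (allowlist validation, then an argv list executed without a shell). The endpoint, parameter name and ping command are assumptions for illustration only.

```python
# Added example, not from the advisory or the vendor: a hypothetical admin
# connectivity-check handler, vulnerable and hardened forms of the same logic.
import re
import subprocess

# Allowlist: hostnames or IPv4 literals only (labels of letters, digits and
# hyphens). Shell metacharacters, whitespace and a leading '-' are all rejected
# before the value ever reaches the operating system.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(target: str) -> str:
    """Vulnerable pattern (CWE-78): untrusted input is concatenated into a
    command line that would be handed to a shell (shell=True), so any shell
    metacharacters in `target` change what the shell actually runs."""
    return f"ping -c 1 {target}"  # returned, not executed, for illustration


def is_valid_host(target: str) -> bool:
    """Strict allowlist check applied to the administrator-supplied value."""
    return bool(_HOST_RE.match(target))


def build_ping_argv(target: str) -> list[str]:
    """Hardened form: validate, then pass the value as a single argv element.
    Raises ValueError instead of forwarding a rejected value anywhere."""
    if not is_valid_host(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "1", target]


def run_ping(target: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Execute the argv list directly; shell=False (the default) means no
    shell parses the arguments, so metacharacters have no special meaning."""
    return subprocess.run(build_ping_argv(target), capture_output=True,
                          text=True, timeout=timeout, check=False)


if __name__ == "__main__":
    bad = "example.com; echo injected"          # constructed sample input
    print("vulnerable command line:", vulnerable_command(bad))
    print("allowlist accepts it?", is_valid_host(bad))
    print("hardened argv for a valid host:", build_ping_argv("example.com"))
```

The hardened path applies the same rule the mitigation section asks for operationally: reject what is not explicitly allowed, and never let administrator input reach a shell parser.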

The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')).

The vulnerability has received a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, which rates it as medium severity.

Impact

An authenticated administrator with malicious intent or compromised credentials could execute arbitrary system commands with the privileges of the application process. This could lead to complete system compromise, including data exfiltration, unauthorized modifications, system disruption, lateral movement within the network, and potential use as a pivot point for further attacks.

Mitigation and workarounds

Update to a patched version: Ivanti Connect Secure 9.1.17 or 22.1.1 (or later), or Ivanti Policy Secure 9.1.17 or 22.1.1 (or later). Follow Ivanti's official update procedures, available on its support portal.

As temporary workarounds: restrict network access to the Ivanti Connect Secure and Policy Secure web administration interfaces to trusted administrative networks only, using firewall rules or network segmentation; implement strict access controls and monitor administrator account activity, reviewing audit logs regularly for suspicious command execution patterns; and disable non-essential administrative web components where possible, limiting administrator permissions to those required for each role.

CISA's recommendation: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Source: This report was generated using AI

Related Ivanti Vulnerabilities

No related vulnerabilities found with identified affected products.