Ivanti’s month-long nightmare with a quartet of vulnerabilities targeting its network appliances continues, with one of the bugs currently being exploited by multiple threat actors.
The vendor disclosed two actively exploited zero-day flaws affecting its Connect Secure VPN and Policy Secure network gateway appliances on Jan. 10. It discovered two additional vulnerabilities during its remediation efforts, which it revealed on Jan. 31.
Fallout from the saga has so far included the Cybersecurity and Infrastructure Security Agency (CISA) taking the rare step of ordering federal agencies to disconnect all affected devices from their networks.
In a Feb. 5 post on X (formerly Twitter), Shadowserver said it began observing exploitation of one of the two later vulnerabilities, CVE-2024-21893, on Feb. 2, with attacks originating from more than 170 different IP addresses.
Rapid7 published a proof of concept (PoC) for the exploit on Feb. 2, but Shadowserver said it began observing attacks hours before Rapid7’s PoC was available. Ivanti also previously reported that CVE-2024-21893 was being exploited in the wild.
Ivanti appliances bombarded with SSRF attacks
According to Shadowserver’s data charting attacks against Ivanti appliances, CVE-2024-21893 rocketed to become the most popular attack vector by Feb. 4. On that day, it accounted for 103 of the 185 attacks against Ivanti appliances.
CVE-2024-21893 is a server-side request forgery (SSRF) vulnerability. The other three bugs are an authentication bypass vulnerability (CVE-2023-46805), a command injection vulnerability (CVE-2024-21887), and a privilege escalation vulnerability (CVE-2024-21888), the last of which is not known to have been exploited.
In its PoC post, Rapid7 said CVE-2024-21893 was used to bypass Ivanti’s original mitigation for the initial exploit chain involving the first two vulnerabilities.
“The SSRF, as we found it, is actually an n-day in the xmltooling library, patched out around June 2023 and assigned CVE-2023-36661,” Rapid7 principal security researcher Stephen Fewer added in an X/Twitter post.
“The SSRF can be chained to CVE-2024-21887 for unauthenticated command injection with root privileges,” he said.
China-linked gang suspected of earlier Ivanti attacks
It is unclear which threat groups are behind the latest spike in attacks exploiting the SSRF vulnerability. However, Mandiant attributed the earlier CVE-2023-46805 and CVE-2024-21887 attacks to a group it tracks as UNC5221, which it suspects is a China-nexus espionage threat actor.
“Mandiant has observed UNC5221 targeting a wide range of verticals of strategic interest to the People’s Republic of China (PRC) both pre and post disclosure, and early indications show that tooling and infrastructure overlap with past intrusions attributed to suspected China-based espionage actors,” the firm’s researchers said in a post.
They added that UNC5221 had previously been observed mainly using tactics, techniques and procedures associated with zero-day exploitation of edge infrastructure by suspected PRC-nexus actors.