Teacher
Professional
A botched fix allowed hackers to inject a backdoor into the device's codebase.
Hackers are exploiting an SSRF (Server-Side Request Forgery) vulnerability in Ivanti Connect Secure (ICS), Policy Secure (IPS), and ZTA products to deploy a new DSLog backdoor on vulnerable devices.
Bug CVE-2024-21893 (CVSS score: 8.2) was made public on January 31 and is described as an "actively exploited zero-day vulnerability". Following the discovery, Ivanti provided security updates and mitigation recommendations.
The vulnerability affects the SAML component of these products and allows attackers to bypass authentication and gain access to limited resources on Ivanti gateways running versions 9.x and 22.x. Updates were released to fix the problem:
- Ivanti Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 and 22.5R2.2;
- Ivanti Policy Secure version 22.5R1.1;
- ZTA version 22.6R1.3.
On February 5, 2024, the Shadowserver threat monitoring service reported multiple attempts by hackers to exploit the vulnerability (441 attempts), including with previously published proof-of-concept (PoC) exploits from Rapid7, although it was not yet known whether any of the attempts had succeeded.
A new report from Orange Cyberdefense confirms the successful use of CVE-2024-21893 to install a new backdoor called DSLog, which allows attackers to remotely execute commands on compromised Ivanti servers. The backdoor was first detected on February 3, 2024, during analysis of a compromised device on which Ivanti's XML mitigation (which blocks all API endpoints) had been applied but the patch had not.
The DSLog backdoor was embedded in the Ivanti device's codebase by sending SAML authentication requests containing encoded commands. The commands performed operations such as outputting system information to a public file (index2.txt), which indicates that the attackers sought to conduct internal intelligence and confirm their root access.
The attackers used a unique SHA256 hash for each device as an API key, requiring this hash in the HTTP User-Agent header to execute commands. Orange Cyberdefense explains that the DSLog backdoor can execute "any commands" on a compromised device received via HTTP requests from attackers, and the command is included in the request parameter named "cdi". HTTP requests contain a special SHA256 hash corresponding to the affected device, which serves as a key for authenticating the request to the backdoor.
The researchers note that the web shell is particularly stealthy because it returns no status or code when contacted. Orange was also unable to determine the scheme used to calculate the SHA256 hash, and noted that ".access" logs had been erased on several compromised devices to hide the attackers' actions.
However, the researchers managed to detect almost 700 compromised Ivanti servers by analyzing other artifacts, such as the "index" text files in the "hxxp://{ip}/dana-na/imgs/" directory. Approximately 20% of the endpoints had already been affected by previous campaigns, while the rest were vulnerable because of missing patches or mitigation measures.
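As an added illustration, not part of the original article or of Orange Cyberdefense's tooling, the Python script below shows how a defender could sweep web access logs for the two indicators the report names: a request whose User-Agent is a SHA256-shaped hex string and that carries a "cdi" query parameter, and reads of "index*.txt" files under /dana-na/imgs/. The log format, the sample lines and the request path "/dana-na/hypothetical.cgi" are constructed for the example (the article does not say which endpoint receives the "cdi" parameter, and Ivanti's own log format differs); because the hash derivation is unknown, the rule matches only on the shape of a 64-character hex string.

```python
"""Constructed detection example (not from the article): flag DSLog-style
indicators in web access log lines.

Assumptions: lines are in Apache/NGINX combined log format; the request
path used in the sample is hypothetical; the SHA256 scheme is unknown, so
only the shape of the User-Agent (64 hex chars) is matched."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines: one benign login page hit, one read of the
# index2.txt artifact, one request with a hash-shaped UA and a "cdi"
# parameter (path is a placeholder), and one benign image fetch.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Feb/2024:10:15:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/121.0"
203.0.113.7 - - [03/Feb/2024:10:16:12 +0000] "GET /dana-na/imgs/index2.txt HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.9 - - [03/Feb/2024:10:17:44 +0000] "POST /dana-na/hypothetical.cgi?cdi=PLACEHOLDER HTTP/1.1" 200 0 "-" "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
198.51.100.4 - - [03/Feb/2024:10:18:03 +0000] "GET /dana-na/imgs/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format (assumed): ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SHA256_UA = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
# "index" text files dropped into the images directory, per the report.
INDEX_ARTIFACT = re.compile(r"^/dana-na/imgs/index[^/]*\.txt$")


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of indicator names that apply to one parsed entry."""
    reasons = []
    url = urlsplit(entry["target"])
    params = parse_qs(url.query)
    if SHA256_UA.match(entry["ua"]):
        reasons.append("sha256-shaped-user-agent")
    if "cdi" in params:
        reasons.append("cdi-query-parameter")
    if INDEX_ARTIFACT.match(url.path):
        reasons.append("imgs-index-txt-read")
    return reasons


def scan(log_text):
    """Scan a block of log text; return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip (a real tool would count these)
        reasons = classify(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "target": entry["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["target"], ", ".join(f["reasons"]))
```

Two of the four constructed lines are flagged: the index2.txt read and the hash-shaped User-Agent with the "cdi" parameter. Because the report says ".access" logs were wiped on some devices, an empty or truncated log is itself worth treating as a finding in a real sweep; this example only covers lines that survive.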
Recall that Ivanti recently warned customers about a new authentication bypass vulnerability CVE-2024-22024 (CVSS score: 8.3) affecting the Connect Secure (ICS), Policy Secure (IPS) and ZTA gateways, urging administrators to immediately protect their devices.
The vulnerability was identified during an internal review conducted by the company as part of an ongoing investigation into multiple product flaws discovered since the beginning of the year. At the end of January, Ivanti released a number of fixes for vulnerable ICS and IPS gateways. However, in parallel, the company discovered two new zero-day vulnerabilities, including CVE-2024-21893.
