Ivanti SSRF vulnerability exploited to install novel DSLog backdoor

Malicious actors are exploiting a recently disclosed server-side request forgery (SSRF) vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a novel backdoor.

The flaw, tracked as CVE-2024-21893, is a server-side request forgery (SSRF) issue within the SAML component. A remote attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems. Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.

Since its public disclosure, the flaw has become a target for mass exploitation by numerous attackers. According to reports from the threat monitoring service Shadowserver, the exploitation volume of CVE-2024-21893 far exceeds that of other recently addressed Ivanti vulnerabilities. The organization said it has observed 170 distinct IP addresses attempting to exploit the flaw.

The latest findings from Orange Cyberdefense show that attackers deployed a new backdoor called ‘DSLog’ that allows threat actors to execute commands on compromised devices remotely. The researchers said they first discovered the backdoor on February 3, 2024, while examining a compromised device that had implemented the Ivanti-proposed XML mitigation (API endpoints blocked) but hadn't applied the second mitigation or patch.

The backdoor had been inserted into the appliance's code base, namely into an existing Perl file called ‘DSLog.pm’ through SAML authentication requests containing encoded commands designed to carry out various operations.

The attackers attempted to gain read/write permissions on the compromised device's filesystem via further SAML requests. Additionally, the threat actors checked whether the genuine logging script (DSLog.pm) had already been modified (which essentially tells the attacker whether their malicious code is already in place) and injected the backdoor if no evidence of it was found.

“This is almost certainly an internal reconnaissance activity to confirm that the exploit technique will/has given attackers root access to the Ivanti device. The creation time of the file and the timestamp within the file indicates when the ‘uname’ command was executed. This can be useful if access logs have been deleted by attackers,” Orange said in a technical write-up.

The researchers uncovered almost 700 compromised Ivanti appliances, 20% of which had been infected in earlier campaigns.

“However, the remaining ones had the initial XML mitigation applied (so were not vulnerable to CVE-2023-46805 & CVE-2024-21887) but lacked the second mitigation or patches,” the team noted.

In related news, the US Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2023-43770 security flaw impacting Roundcube email software to its Known Exploited Vulnerabilities (KEV) catalog, indicating that this bug is being exploited by hackers. Users who have not yet applied the relevant fixes are strongly advised to patch their systems as soon as possible.