February 12, 2024 at 11:32AM
Hackers are exploiting a server-side request forgery (SSRF) vulnerability in Ivanti products to deploy the DSLog backdoor, allowing remote command execution. The vulnerability, known as CVE-2024-21893, affects SAML components and enables bypassing authentication. Successful attacks have been reported, prompting the release of security updates to mitigate the risk.
Key takeaways from the meeting notes are as follows:
1. Exploitation of a server-side request forgery (SSRF) vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA gateways has led to the deployment of a new DSLog backdoor on vulnerable devices.
2. The vulnerability, tracked as CVE-2024-21893, was disclosed as an actively exploited zero-day on January 31, 2024, with security updates and mitigation advice provided by Ivanti.
3. The flaw impacts the SAML component of the mentioned products and allows attackers to bypass authentication and access restricted resources on Ivanti gateways running versions 9.x and 22.x.
4. Updates addressing the problem have been released for Ivanti Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and 22.5R2.2, Ivanti Policy Secure version 22.5R1.1, and ZTA version 22.6R1.3.
5. On February 5, 2024, threat monitoring service Shadowserver reported multiple attackers attempting to leverage the flaw, some using published proof-of-concept exploits with the success rate being unknown at the time.
6. A report by Orange Cyberdefense confirms the successful exploitation of CVE-2024-21893 to install a new backdoor named DSLog, allowing threat actors to execute commands on compromised Ivanti servers remotely.
7. Orange researchers found that the DSLog backdoor is injected into the DSLog file, with unique SHA256 hashes used as API keys for command execution, and the backdoor’s main functionality is to execute commands as root.
8. Nearly 700 compromised Ivanti servers were discovered, with roughly 20% of them already affected by earlier campaigns, while others were vulnerable due to the lack of additional patches or mitigations.
9. It is recommended to follow the latest recommendations by Ivanti to mitigate all threats targeting the vendor’s products leveraging this SSRF or any of the other recently disclosed vulnerabilities impacting Ivanti devices.
Please let me know if there is anything else you would like to add or if there are other specific details you need from the meeting notes.