Ivanti warns of a new auth bypass flaw in its Connect Secure, Policy Secure, and ZTA gateway devices

Pierluigi Paganini February 09, 2024

Ivanti warns customers of a new authentication bypass vulnerability in its Connect Secure, Policy Secure, and ZTA gateway devices.

Ivanti has warned customers of a new high-severity security vulnerability, tracked as CVE-2024-22024 (CVSS score 8.3), in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication.

The vulnerability was discovered by the software firm as part of an ongoing investigation into the vulnerabilities impacting Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways (CVE-2023-46805, CVE-2024-21887CVE-2024-21888, and CVE-2024-21893).

“An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.” reads the advisory published by the company.

The vulnerability impacts the following supported versions:

  • Connect Secure (version 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1);
  • Policy Secure version 22.5R1.1;
  • ZTA version 22.6R1.3.

The vendor released patches for Ivanti Connect Secure (versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2), Ivanti Policy Secure (versions 9.1R17.3, 9.1R18.4 and 22.5R1.2) and ZTA gateways (versions 22.5R1.6, 22.6R1.5 and 22.6R1.7).

According to the advisory, there is no evidence of this vulnerability being exploited in the wild.

Last week Ivanti warned of two new high-severity vulnerabilities in its Connect Secure and Policy Secure solutions respectively tracked as CVE-2024-21888 (CVSS score: 8.8) and CVE-2024-21893 (CVSS score: 8.2). The software company also warned that one of these two vulnerabilities is under active exploitation in the wild.

This week, researchers warned that a Server-Side Request Forgery (SSRF) vulnerability CVE-2024-21893 is currently being actively exploited in real-world attacks by various threat actors.

On February 2, 2024, researchers from Rapid7 published a technical analysis of the issue along with a proof-of-concept (PoC) exploit on February 2, 2024. The availability of a PoC exploit code could help threat actors to launch attacks against Internet-facing installs.

Researchers from Shadowserver observed the exploitation of the flaw CVE-2024-21893 in the wild by multiple threat actors, however, they pointed out that the attacks began hours before the publication of the Rapid7 PoC code.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, authentication bypass flaw)

you might also like

leave a comment