Ivanti is warning users about two zero-day vulnerabilities in its Connect Secure VPN devices after they were discovered and disclosed by security researchers from Volexity.
Volexity spotted the vulnerabilities while analysing a system that was attacked by a group it dubbed “UTA0178”, which it has “reason to believe … is a Chinese nation-state level threat actor”.
The bugs comprise an authentication bypass and a command injection flaw, which can be chained together.
As Volexity’s Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair, and Thomas Lancaster warn in a blog post, chaining CVE-2023-46805 and CVE-2024-21887 “make it trivial for attackers to run commands” on a compromised system.
Volexity discovered the zero-day vulnerabilities after they were used in an attack on a customer’s system.
The attacker’s activities were extensive: they stole configuration data, modified some files, downloaded others, and established a remote tunnel from the VPN appliance.
The attacker also made changes to evade the system’s integrity checker and added backdoors to a legitimate CGI file on the appliance to allow command execution.
They also installed a keylogger to gather user credentials.
“The information and credentials collected by the attacker allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network,” Volexity said.
The attacker also planted a webshell dubbed GLASSTOKEN on public-facing web servers.
Ivanti has published a mitigation as an XML file on its download portal.
In a knowledge base article, Ivanti warns that some features of its Connect Secure and Policy Secure software will be impacted by the mitigations.