CVE-2024-37404 | Ivanti | RCE
| Vulnerability | CVE-2024-37404 |
|---|---|
| Description | CVE-2024-37404 is a critical vulnerability in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) that allows authenticated administrators to execute arbitrary code with root privileges. The flaw arises from a CRLF (Carriage Return Line Feed) injection in the OpenSSL configuration during Certificate Signing Request (CSR) generation, enabling attackers to inject malicious directives into the configuration file. (AmberWolf Research) |
| Affected Systems | - Ivanti Connect Secure versions prior to 22.7R2.1 and 22.7R2.2 - Ivanti Policy Secure versions prior to 22.7R1.1 |
| Attack Vector | Remote: An attacker with administrative access to the web application can exploit this vulnerability by injecting malicious input during the CSR generation process, leading to remote code execution with root privileges. |
| Exploitation Techniques | - CRLF Injection in CSR Generation: The attacker leverages the lack of input validation in the CSR generation process to inject CRLF sequences into fields such as localityName. This injection allows the addition of new sections or directives in the OpenSSL configuration file. - Specifying Malicious OpenSSL Engine: By injecting a new engine section pointing to a malicious shared library (e.g., /tmp/malicious.so), the attacker manipulates OpenSSL to load and execute arbitrary code during the CSR generation. - Execution of Arbitrary Code with Root Privileges: Once the malicious engine is loaded by OpenSSL, the attacker's code executes with root privileges, compromising the underlying system. (AmberWolf Research) |
| Proof of Concept (PoC) | A proof of concept involves: 1. Accessing CSR Generation Interface: The attacker navigates to the CSR generation page at /dana-admin/cert/admincertnewcsr.cgi. 2. Injecting Malicious Input: In the localityName field, the attacker inputs a value containing a CRLF sequence followed by a new engine section specifying a path to a malicious shared library. 3. Triggering CSR Generation: Submitting the form causes the application to generate a configuration file with the injected directives. 4. OpenSSL Execution: The system calls OpenSSL with the crafted configuration, leading to the loading and execution of the malicious engine, resulting in code execution with root privileges. (AmberWolf Research) |
| The Impact of the Bug | - Unauthorized execution of arbitrary code with root privileges. - Full system compromise, allowing attackers to manipulate system operations, access sensitive data, or deploy further malware. - Elevated risk due to the potential for exploitation by attackers who have obtained administrative credentials through other means. |
| How to Detect Infections | - Log Analysis: Examine server logs for unusual CSR generation activities, especially those with unexpected or malformed input in fields like localityName. - File Integrity Monitoring: Monitor critical system files and directories for unauthorized modifications that may indicate the presence of malicious shared libraries or altered configurations. - Process Monitoring: Observe running processes for instances of OpenSSL loading unexpected engine modules, which could signify exploitation attempts. |
| Mitigation Steps | - Update Ivanti Products: Upgrade to Ivanti Connect Secure version 22.7R2.1 or 22.7R2.2, and Ivanti Policy Secure version 22.7R1.1, where this vulnerability is addressed. - Restrict Administrative Access: Limit administrative interface exposure to trusted networks to reduce the risk of exploitation. - Input Validation: Implement strict input validation to prevent injection of malicious characters or sequences in user-supplied data during CSR generation. |
| References | - AmberWolf Research: CVE-2024-37404 - Ivanti Security Advisory: CVE-2024-37404 - Ivanti Blog: October 2024 Security Update |
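The CRLF breakout described under Exploitation Techniques, and the input-validation mitigation listed above, as an added Python example (not AmberWolf's or Ivanti's code; the config skeleton, field names and hostile value are constructed):

```python
import re

# Constructed minimal OpenSSL `req` config skeleton, not Ivanti's real template.
REQ_TEMPLATE = (
    "[req]\n"
    "distinguished_name = req_distinguished_name\n"
    "prompt = no\n\n"
    "[req_distinguished_name]\n"
)
# CR, LF and NUL let a value end its own line and start a new directive or section.
CONTROL_RE = re.compile(r"[\r\n\x00]")
SECTION_RE = re.compile(r"^\s*\[([^\]]*)\]", re.M)


def is_safe_dn_value(value: str) -> bool:
    """True when the value cannot leave its single `key = value` line."""
    return CONTROL_RE.search(value) is None


def render_dn(fields: dict, validate: bool = True) -> str:
    """Render subject fields into the config; with validate=True unsafe values are refused."""
    lines = []
    for key, value in fields.items():
        if validate and not is_safe_dn_value(value):
            raise ValueError(f"CR/LF in CSR field {key!r}")
        lines.append(f"{key} = {value}")
    return REQ_TEMPLATE + "\n".join(lines) + "\n"


def injected_sections(config_text: str) -> list:
    """Section headers beyond the two the template defines; non-empty means a breakout."""
    expected = {"req", "req_distinguished_name"}
    return [s for s in SECTION_RE.findall(config_text) if s not in expected]


if __name__ == "__main__":
    benign = {"countryName": "GB", "localityName": "London"}
    # Constructed hostile input: a line break followed by a new section header.
    hostile = {"countryName": "GB", "localityName": "London\n[injected]\nkey = value"}
    print(injected_sections(render_dn(benign)))                  # []
    print(injected_sections(render_dn(hostile, validate=False)))  # ['injected']
    try:
        render_dn(hostile)
    except ValueError as err:
        print("rejected:", err)
```

The unvalidated render shows why a single field can add a whole new section; the validating path is the check the Mitigation Steps call for.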