Two new critical vulnerabilities impacting Ivanti Connect Secure (previously Pulse Connect Secure), identified as CVE-2023-46805 and CVE-2024-21887, are actively exploited. They have been assigned a CVSS 3.1 score of 8.2 and 9.1 respectively. The Stormshield Customer Security Lab details our protection offerings.
The context of CVE-2023-46805 and CVE-2024-21887
CVE-2023-46805 allows an attacker to bypass authentication on the web server, while CVE-2024-21887 allows an authenticated shell command injection. By combining these vulnerabilities, an attacker can achieve unauthenticated remote code execution.
Technical details of CVE-2023-46805 and CVE-2024-21887
Some paths in the web application are available without authentication. One of those paths is subject to a path-traversal vulnerability, allowing an attacker to call authenticated paths from this unauthenticated path. This vulnerability comes from a path comparison performed without normalization.
In the web application, two different paths are vulnerable to system command injection. Data submitted by the user is passed directly to the Python function «subprocess.Popen(shell=True)» without any sanitization. As a result, an attacker can inject «;command;» and execute shell commands.
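The two flaw classes described above, each next to its corrected form, as an added example that is not Ivanti's code. The prefix /public/, the function names and the echo command are hypothetical, and the inputs are constructed.

```python
import posixpath
import subprocess
from urllib.parse import unquote

# Hypothetical allow-list of prefixes served without authentication.
PUBLIC_PREFIXES = ("/public/",)

def is_public_naive(path):
    """Flawed: compares the raw request path, so '..' segments slip through."""
    return path.startswith(PUBLIC_PREFIXES)

def is_public_normalized(path):
    """Percent-decode and collapse '.'/'..' segments, then compare."""
    decoded = unquote(path)
    normalized = posixpath.normpath(decoded)
    if decoded.endswith("/") and normalized != "/":
        normalized += "/"  # normpath drops the trailing slash
    return normalized.startswith(PUBLIC_PREFIXES)

def run_with_shell(user_value):
    """Flawed: user data becomes part of a string parsed by /bin/sh."""
    proc = subprocess.Popen(f"echo {user_value}", shell=True,
                            stdout=subprocess.PIPE, text=True)
    return proc.communicate()[0]

def run_without_shell(user_value):
    """Argument vector and no shell: metacharacters stay plain data."""
    proc = subprocess.Popen(["echo", user_value],
                            stdout=subprocess.PIPE, text=True)
    return proc.communicate()[0]

if __name__ == "__main__":
    # Constructed inputs, not taken from real traffic.
    for p in ("/public/status", "/public/../admin/users",
              "/public/%2e%2e/admin/users"):
        print(p, is_public_naive(p), is_public_normalized(p))
    value = "a; echo INJECTED"
    print(repr(run_with_shell(value)), repr(run_without_shell(value)))
```

The normalized check only helps if the request is then routed on the same normalized path that was checked.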
CVE-2023-46805 and CVE-2024-21887: Stormshield protections
Stormshield Network Security
SNS firewalls detect and block exploitation of CVE-2023-46805 with their protocol inspection:
- http:80 : Path Traversal
The following IPS signatures detect and block exploitation of CVE-2024-21887:
- http:client.97 : Exploitation of a RCE vulnerability in Ivanti Connect Secure (CVE-2024-21887)
- http:url:decoded.423 : Exploitation of a RCE vulnerability in Ivanti Connect Secure (CVE-2024-21887)
For these protections to be effective, the traffic must be decrypted.
Confidence index for the protection offered by Stormshield
Confidence index for the absence of false positives
At the time of writing, no patch is available. A mitigation is available on Ivanti’s website, but pushing any configuration to the appliance removes the mitigation. We recommend applying the mitigation as soon as possible and avoiding any configuration change until a patch is available.