Two new critical vulnerabilities impacting Ivanti Connect Secure (previously Pulse Connect Secure), identified as CVE-2023-46805 and CVE-2024-21887, are actively exploited. They have been assigned a CVSS 3.1 score of 8.2 and 9.1 respectively. The Stormshield Customer Security Lab details our protection offerings.

 

The context of CVE-2023-46805 and CVE-2024-21887

Vulnerabilities CVE-2023-46805 and CVE-2024-21887 impact Ivanti Connect Secure versions 9.X and 22.X.

CVE-2023-46805 allows an attacker to bypass authentication on the web server, while CVE-2024-21887 allows an authenticated shell command injection. By combining these vulnerabilities, an attacker can achieve unauthenticated remote code execution.

 

Technical details of CVE-2023-46805 and CVE-2024-21887

CVE-2023-46805

Some paths in the web application are available without authentication. One of those paths is subject to a path-traversal vulnerability, allowing an attacker to reach authenticated paths through this unauthenticated path. The vulnerability comes from a path comparison performed without normalization.
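The root cause described above, shown as an added example (not Ivanti's or Stormshield's code): a gate that compares the raw request path next to one that decides on the normalized path, plus a helper that flags requests where the two disagree. The route prefix and sample paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed prefix reachable without a session (not a real appliance path).
PUBLIC_PREFIXES = ("/api/public/",)

def naive_is_public(raw_path: str) -> bool:
    """Flawed gate: matches the allow-list against the path exactly as sent."""
    return raw_path.startswith(PUBLIC_PREFIXES)

def canonical_path(raw_path: str) -> str:
    """Return the path a router would resolve, or raise ValueError."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):                      # bounded decode: %252e -> %2e -> .
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("path still changes after repeated decoding")
    if not path.startswith("/") or "\x00" in path or "\\" in path:
        raise ValueError("malformed path")
    keep_slash = path.endswith("/")
    path = posixpath.normpath("/" + path.lstrip("/"))   # collapse //, ., ..
    return path + "/" if keep_slash and path != "/" else path

def is_public(raw_path: str) -> bool:
    """Hardened gate: decide on the canonical form, deny what cannot be canonicalized."""
    try:
        return canonical_path(raw_path).startswith(PUBLIC_PREFIXES)
    except ValueError:
        return False

def suspicious(raw_path: str) -> bool:
    """Detection helper: the raw path looks public but its canonical form is not."""
    return naive_is_public(raw_path) and not is_public(raw_path)

SAMPLE_PATHS = [  # constructed request paths
    "/api/public/status",
    "/api/public/../admin/users",
    "/api/public/%2e%2e/admin/users",
    "/api/public/%252e%252e/admin/users",
    "/api/admin/users",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:40} naive={naive_is_public(p)!s:5} hardened={is_public(p)!s:5} flag={suspicious(p)}")
```

The authorization decision and the routing must use the same canonical string; otherwise the gap between the two is where the bypass lives.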

CVE-2024-21887

In the web application, two different paths are vulnerable to system command injection. Data submitted by the user is passed directly to the Python function «subprocess.Popen(shell=True)» without any sanitization. As a result, an attacker can inject «;command;» and execute shell commands.

 

CVE-2023-46805 and CVE-2024-21887: Stormshield protections

Stormshield Network Security

SNS firewalls detect and block exploitation of CVE-2023-46805 with their protocol inspection:

  • http:80 : Path Traversal

The following IPS signatures detect and block exploitation of CVE-2024-21887:

  • http:client.97 : Exploitation of a RCE vulnerability in Ivanti Connect Secure (CVE-2024-21887)
  • http:url:decoded.423 : Exploitation of a RCE vulnerability in Ivanti Connect Secure (CVE-2024-21887)

For these protections to be effective, the traffic must be decrypted.

Confidence index for the protection offered by Stormshield

Confidence index for the absence of false positives

Recommendations

At the time of writing, no patch is available. A mitigation is available on Ivanti’s website, but pushing any configuration to the appliance removes the mitigation. We recommend applying the mitigation as soon as possible and avoiding any configuration change until a patch is available.

Need more information about Stormshield protection? The Technical Support teams are at your disposal to help you. Contact them through the incident manager located in the MyStormshield private area. To access it, select the menu "Technical Support / Report an incident / Track an incident".
Stormshield's Cyber Threat Intelligence team has two primary missions: to study cyber threats to understand them and to continuously improve Stormshield product protections. All with the goal of contributing to the cybersecurity community's effort to address cyber threats.