A major security vulnerability (CVE-2024-11633) has been discovered in Ivanti Connect Secure before version 22.7R2.4. It allows a remote authenticated attacker with admin privileges to achieve remote code execution (RCE) on the affected device. The root cause is an argument injection issue, resulting in unauthorized access to the system.

Exploit Details

The flaw lies in the improper handling of user input, which allows an attacker to inject malicious arguments into specific functions of the Ivanti Connect Secure software. The injected payload could permit the attacker to execute arbitrary system commands on the affected device, potentially compromising its security and operations.

The following code snippet highlights the vulnerable function that allows unauthorized argument injection:

import subprocess

def execute_command(cmd):
    # Split the command string on spaces and run the result as an argument list
    args = cmd.split(" ")
    process = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    stdout, stderr = process.communicate()
    return stdout.decode("utf-8"), stderr.decode("utf-8")

# Vulnerable function:
def vulnerable_function(user_input):
    # Prepend the legitimate command to the unvalidated user input
    cmd = "legitimate_command " + user_input
    return execute_command(cmd)

Through this vulnerability, an attacker could craft a malicious payload that leads to remote code execution (RCE) on the affected device.

Suppose an attacker controls the input "attacker_input" and sets it to the following value:

attacker_input = "; rm -rf /"

The vulnerable function would then run the command "legitimate_command ; rm -rf /", leading to the deletion of all system files.

Mitigation

Ivanti has issued a security patch for the vulnerability in version 22.7R2.4. Users of Ivanti Connect Secure are advised to update their software to this version immediately.

Additionally, input validation and sanitization should be implemented to restrict user input from being directly used in the command execution functions.
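The following added example (not code from Ivanti or from the original page) puts the page's space-split construction beside a validated form, showing how many argv entries each input produces and which inputs the allow-list rejects. The names SAFE_VALUE, build_argv_vulnerable, build_argv_hardened and audit are hypothetical, the hostname-like allow-list is an assumption, and "legitimate_command" is the page's placeholder.

```python
import re

# Assumption for this example: the operand is a hostname-like token.
SAFE_VALUE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")

# Constructed sample inputs (the last one is the value shown on this page).
SAMPLES = [
    "host1.example",
    "host1.example --output /tmp/constructed",
    "-x",
    "; rm -rf /",
]


def build_argv_vulnerable(user_input):
    """Mirror the page's vulnerable_function: concatenate, then split on spaces."""
    return ("legitimate_command " + user_input).split(" ")


def build_argv_hardened(user_input):
    """Allow-list the value, then pass it as exactly one operand after '--'."""
    if not SAFE_VALUE.fullmatch(user_input):
        raise ValueError("rejected input: %r" % (user_input,))
    # '--' ends option parsing in many POSIX-style CLIs; whether the target
    # program honours it is an assumption to verify per command.
    return ["legitimate_command", "--", user_input]


def audit(samples):
    """Map each input to (vulnerable argv, hardened argv or None if rejected)."""
    report = {}
    for value in samples:
        try:
            hardened = build_argv_hardened(value)
        except ValueError:
            hardened = None
        report[value] = (build_argv_vulnerable(value), hardened)
    return report


if __name__ == "__main__":
    for value, (weak, strong) in audit(SAMPLES).items():
        extra = len(weak) - 2  # argv entries beyond command + one operand
        print("%r: %d extra argv entries, hardened=%r" % (value, extra, strong))
```

The hardened argv is meant to be handed to subprocess as a list, without a shell, so the validated value stays a single argument.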

The vulnerability was discovered by security researchers and is documented in the following sources:

1. Ivanti Security Advisory
2. CVE-2024-11633 - National Vulnerability Database
3. Exploit Database #CVE-2024-11633: Ivanti Connect Secure RCE

Conclusion

As demonstrated in the code snippet above, the vulnerability allows a remote attacker with admin access to inject malicious arguments and cause remote code execution. Administrators should upgrade their Ivanti Connect Secure software to the latest version, v22.7R2.4, and follow secure coding practices with proper input validation to prevent similar vulnerabilities in the future.

Timeline

Published on: 12/10/2024 19:15:19 UTC
Last modified on: 01/17/2025 19:35:05 UTC