A newly discovered vulnerability, tracked as CVE-2024-21893, affects Ivanti Connect Secure and Policy Secure software. Specifically, this vulnerability allows an attacker to perform a server-side request forgery (SSRF) attack within the Security Assertion Markup Language (SAML) component. This exploit can provide unauthorized access to restricted resources, even without proper authentication. Affected versions include Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and Ivanti Neurons for Zero Trust Access (ZTA).

This post will outline the details of this vulnerability, including the affected code and how the exploit works, and provide information on how to mitigate the risk.

Vulnerability Details

A server-side request forgery (SSRF) vulnerability allows an attacker to make a vulnerable server send requests to other internal or external resources on the attacker's behalf, bypassing access controls that would normally apply. In the case of CVE-2024-21893, this SSRF vulnerability is found in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA.

This vulnerability can allow an attacker to access restricted resources on both internal and external networks without proper authentication.

Consider the following simplified sample of the vulnerable SAML handling code:

# Sample SAML handling code (simplified illustration)
import requests
import xml.etree.ElementTree as ET

def handle_saml_request(xml_data):
    saml_request = decode_saml_request(xml_data)
    # ...
    # SSRF sink: the URL is taken straight from the untrusted request
    response = requests.get(saml_request['url'])
    return handle_saml_response(response)

def decode_saml_request(xml_data):
    # Decode and parse the XML data, returning the extracted SAML request
    root = ET.fromstring(xml_data)
    return {'url': root.findtext('url')}

def handle_saml_response(response):
    # Process SAML response, allowing the attacker to bypass access controls
    return response.text

In the above example, an attacker may be able to manipulate the XML data in the SAML request to forge unauthorized requests, effectively bypassing proper authentication mechanisms.
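The hardened counterpart of the sample above, as an added example that is not part of the original post and not Ivanti's code: instead of contacting whatever URL the inbound SAML data names, the handler only permits URLs that match administrator-configured IdP endpoints, and rejects non-HTTPS schemes, embedded credentials, IP literals, and unexpected ports before any request is made. The XML element name, the allowlist contents, the SsrfRejected exception and the injected fetch callback are all assumptions made for the example.

```python
# Added example (not from the original post): SSRF-hardened SAML request handler.
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed allowlist: the only endpoints the SAML component may ever contact.
# In a real deployment this comes from administrator-configured IdP metadata.
ALLOWED_IDP_ENDPOINTS = {
    "idp.example.com": {"/saml/sso", "/saml/artifact"},
}


class SsrfRejected(ValueError):
    """Raised when a request-supplied URL is not a configured IdP endpoint."""


def validate_target_url(url: str) -> str:
    """Return the URL unchanged if it points at a known IdP endpoint, else raise."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise SsrfRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        # 'https://idp.example.com@10.0.0.5/' would otherwise look legitimate.
        raise SsrfRejected("credentials in URL are not allowed")
    host = parts.hostname  # lower-cased; IPv6 brackets already stripped
    if host is None:
        raise SsrfRejected("missing host")
    # Reject IP literals outright: a SAML endpoint is always a configured
    # hostname, and literals are how loopback/link-local/internal targets
    # get smuggled in.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        raise SsrfRejected(f"IP literal not allowed: {host}")
    try:
        port = parts.port
    except ValueError:
        raise SsrfRejected("malformed port")
    if port not in (None, 443):
        raise SsrfRejected(f"port not allowed: {port}")
    allowed_paths = ALLOWED_IDP_ENDPOINTS.get(host)
    if allowed_paths is None or parts.path not in allowed_paths:
        raise SsrfRejected(f"not a configured IdP endpoint: {host}{parts.path}")
    return url


def decode_saml_request(xml_data: str) -> dict:
    # Constructed toy format: the request carries a <url> element, which the
    # vulnerable sample trusted blindly. (Production code should also parse
    # with a hardened XML parser such as defusedxml.)
    root = ET.fromstring(xml_data)
    return {"url": root.findtext("url") or ""}


def handle_saml_request(xml_data: str, fetch) -> str:
    """`fetch` is injected so the example runs offline; in production it is the
    HTTP client, and it is only ever called with a URL that passed validation."""
    saml_request = decode_saml_request(xml_data)
    target = validate_target_url(saml_request["url"])
    return fetch(target)


def safe_outcome(xml_data: str) -> str:
    """Demonstration helper: 'fetched:<url>' on success, 'rejected:<reason>' otherwise."""
    try:
        return "fetched:" + handle_saml_request(xml_data, lambda url: url)
    except SsrfRejected as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    for sample in (
        "<r><url>https://idp.example.com/saml/sso</url></r>",
        "<r><url>https://127.0.0.1/saml/sso</url></r>",
        "<r><url>https://idp.example.com@169.254.169.254/saml/sso</url></r>",
    ):
        print(safe_outcome(sample))
```

The key design choice is that the allowlist is keyed on the configured IdP hostname and path, not on "is this address internal": denylisting private ranges alone is easy to get wrong (DNS rebinding, alternate IP encodings, redirects), whereas a SAML component has a small, known set of peers and never needs to reach anything else.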

Exploit Details

An attacker may exploit CVE-2024-21893 by sending a maliciously crafted SAML request to the vulnerable server. This request can target internal or external resources not typically accessible by the attacker. Here's a simple example of how this exploit may happen:

1. The attacker crafts a malicious SAML request containing an unauthorized URL.

2. The vulnerable server accepts and processes the request, using the unauthorized URL to perform an action like retrieving sensitive data.

Refer to the following resources for more information on CVE-2024-21893:

- Ivanti Security Advisory: [Adding link to the official Ivanti Security Advisory when it becomes available]
- NIST National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2024-21893
- Common Vulnerabilities and Exposures (CVE) Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21893

Mitigation

Ivanti has released software updates for Connect Secure, Policy Secure, and Neurons for ZTA to address the vulnerability in CVE-2024-21893. It is recommended to apply these updates as soon as possible to fix the SSRF vulnerability.

Furthermore, network access controls and monitoring should be employed to limit the potential impact of exploits like SSRF.
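One concrete form the monitoring mentioned above can take, as an added example that is not part of the original post and not an Ivanti feature: an egress review that flags any outbound connection made by the SAML component to a destination other than the configured identity provider. The log format, the component name "saml-handler", the expected IdP host and the sample lines are all constructed for the example; a real appliance or egress firewall would log in its own format, and only the parsing step would change.

```python
# Added example (not from the original post): flag unexpected egress from the
# SAML component. Log format and sample lines are constructed for this example.
import ipaddress
import re
from collections import Counter

# Constructed sample egress log: "<timestamp> src=<component> dst=<host-or-ip>:<port>"
SAMPLE_EGRESS_LOG = """\
2024-02-01T02:00:01Z src=saml-handler dst=idp.example.com:443
2024-02-01T02:00:05Z src=saml-handler dst=169.254.169.254:80
2024-02-01T02:00:09Z src=saml-handler dst=10.0.0.5:8080
2024-02-01T02:00:12Z src=update-client dst=downloads.example.com:443
2024-02-01T02:00:15Z src=saml-handler dst=127.0.0.1:8090
2024-02-01T02:00:20Z src=saml-handler dst=[fd00::10]:443
2024-02-01T02:00:25Z src=saml-handler dst=attacker-controlled.example.net:443
"""

# The only peers the SAML component is configured to talk to (assumption).
EXPECTED_IDP_HOSTS = {"idp.example.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\[[^\]]+\]|[^:\s]+):(?P<port>\d+)$"
)


def classify_destination(dst: str):
    """Return a reason string if the destination is suspicious for the SAML
    component, or None if it is an expected IdP host."""
    host = dst.strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname: fine only if it is a configured IdP.
        return None if host in EXPECTED_IDP_HOSTS else "unexpected-external-host"
    # Order matters: loopback and link-local are also 'private' in the
    # ipaddress module, so check the more specific classes first.
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"          # cloud metadata services live here
    if ip.is_private:
        return "internal-network"
    return "ip-literal"              # a SAML peer is never a bare public IP


def find_suspicious_egress(log_text: str, component: str = "saml-handler"):
    """Parse the log and return (timestamp, destination, reason) for every
    connection by `component` that is not to a configured IdP host."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match or match["src"] != component:
            continue
        reason = classify_destination(match["dst"])
        if reason is not None:
            findings.append((match["ts"], match["dst"], reason))
    return findings


def summarize(findings) -> dict:
    """Count findings per reason, useful for a dashboard or alert threshold."""
    return dict(Counter(reason for _, _, reason in findings))


if __name__ == "__main__":
    for ts, dst, reason in find_suspicious_egress(SAMPLE_EGRESS_LOG):
        print(f"{ts} {dst:<40} {reason}")
    print(summarize(find_suspicious_egress(SAMPLE_EGRESS_LOG)))
```

Because a SAML handler has a fixed set of legitimate peers, every other destination is worth an alert regardless of whether it is internal or external; the reason labels simply help triage, since a hit on the link-local metadata range or on loopback management ports is typically more urgent than an unknown external host.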

Conclusion

CVE-2024-21893 is a critical vulnerability affecting Ivanti Connect Secure, Policy Secure, and Neurons for Zero Trust Access products. With the ability to perform server-side request forgery attacks and bypass authentication, attackers can access restricted resources. It is crucial to apply necessary updates and harden security controls to protect against such threats.

Timeline

Published on: 01/31/2024 18:15:47 UTC
Last modified on: 02/01/2024 02:00:01 UTC