Exploits around the Ivanti Connect "Secure" VPN appliance, taking advantage of CVE-2023-46805, continue evolving. Late on Tuesday, more details became public, particularly the blog post by Rapid7 explaining the underlying vulnerability in depth [1]. Rapid7 also does a good job walking you through how Ivanti obfuscates the LUKS key in its appliance. This will make it easier for security researchers to inspect the code, hopefully pointing out additional vulnerabilities to Ivanti in the future. In other words, get ready for more Ivanti exploits, and hopefully patches, this year.

Currently, we do see two specific URLs in our honeypots that match Rapid7's analysis:

/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection

and

/api/v1/totp/user-backup-code/../../system/system-information

The vulnerability, a trivial directory traversal vulnerability, will allow exploitation of code injection flaws in API endpoints that require authentication. Rapid7's analysis states that the configuration workaround from Ivanti properly mitigates the directory traversal issue. The code injection vulnerabilities remain but are no longer easily accessible.

We do see two IPs in particular scanning for the two URLs above:

%ip:104.223.91.28%: This IP just started scanning and has no prior history with us. It is located with hosting provider Quadranet.

%ip:217.138.193.165%: We have seen this IP scanning or SMTPS (Port 465). Some activity for this host goes back to 2014 and includes forum spamming and other misc scans. The IP appears to be associated with a company in the UAE, and a VPN endpoint for Private Internet Access.

[1] https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|