# Full Report

Mandiant said exploits were the most common initial access vector last year, linking software defects to 1 in 3 attacks. The most commonly exploited vulnerabilities affected network edge devices. The post "Attackers hit security device defects hard in 2024" appeared first on CyberScoop.

# Analysis Summary
# Vulnerability: Frequently Exploited Edge Device Flaws in 2024
## CVE Details
- **CVE-2024-3400**
  - CVSS Score: 10.0 (Critical)
  - CWE: Command Injection (inferred from description)
- **CVE-2023-46805 and CVE-2024-21887** (chained)
  - CVSS Score: Not specified, but exploitation resulted in unauthenticated arbitrary command execution.
  - CWE: Not specified for the pair, but the chain achieved RCE.
- **CVE-2024-21893**
  - CVSS Score: Not specified.
  - CWE: Not specified.
- **CVE-2023-48788**
  - CVSS Score: Not specified.
  - CWE: SQL Injection (inferred from description)
## Affected Systems
- **Products:**
  - Palo Alto Networks PAN-OS (GlobalProtect feature)
  - Ivanti Connect Secure VPN appliances
  - Ivanti Policy Secure appliances
  - Fortinet FortiClient Endpoint Management Server (EMS)
- **Versions:** Specific vulnerable versions are not detailed in the provided text; only the affected products are listed.
- **Configurations:** Focus on edge devices (VPNs, firewalls, routers).
## Vulnerability Description
The summary details four highly exploited vulnerabilities targeting network edge devices:
1. **CVE-2024-3400 (Palo Alto Networks PAN-OS GlobalProtect):** A command injection vulnerability exploited as a zero-day; exploitation escalated rapidly after disclosure.
2. **CVE-2023-46805 & CVE-2024-21887 (Ivanti Connect Secure/Policy Secure):** A chain of vulnerabilities enabling unauthenticated arbitrary command execution on affected appliances.
3. **CVE-2024-21893 (Ivanti):** A further Ivanti vulnerability (see CVE Details above), exploited by multiple threat groups.
4. **CVE-2023-48788 (Fortinet FortiClient EMS):** An SQL injection vulnerability.
## Exploitation
- **Status:** Exploited in the wild. Three of the four primary flaws were exploited as zero-days.
- **Complexity:** Generally low to medium, as evidenced by rapid broad exploitation (e.g., over a dozen groups exploiting CVE-2024-3400 within two weeks of PoC release).
- **Attack Vector:** Network (exploits were the initial access vector for one in three attacks cited, often against edge devices).
## Impact
- **Confidentiality:** High (Observed use in espionage and data theft campaigns, e.g., by FIN8).
- **Integrity:** High (Observed use in launching multifaceted extortion/ransomware campaigns).
- **Availability:** Medium to High (Exploitation led to major incidents, including ransomware deployment).
## Remediation
### Patches
Specific patch versions are not provided in the source text, but remediation revolves around applying vendor updates for the following:
- **Palo Alto Networks PAN-OS** (for CVE-2024-3400)
- **Ivanti Connect Secure/Policy Secure appliances** (for CVE-2023-46805, CVE-2024-21887, CVE-2024-21893)
- **Fortinet FortiClient EMS** (for CVE-2023-48788)
### Workarounds
No specific workarounds are detailed in the source text, although organizations were clearly caught off guard because these edge devices lacked EDR coverage.
## Detection
- **Indicators of Compromise:** Exploitation of these vulnerabilities directly leads to initial access, often followed by ransomware deployment or data staging.
- **Detection Methods and Tools:** Mandiant noted that deficiencies in enterprise logging and detection capabilities created significant blind spots regarding initial access vectors. Organizations must improve logging on these critical edge components.
## References
- Mandiant M-Trends report (2024 findings)
- Vendor advisories from Palo Alto Networks, Ivanti, and Fortinet for the specific CVEs.
- NVD entry for CVE-2024-3400 (defanged): nvd dot nist dot gov/vuln/detail/cve-2024-3400
- NVD entry for CVE-2023-46805 (defanged): nvd dot nist dot gov/vuln/detail/cve-2023-46805
- NVD entry for CVE-2024-21887 (defanged): nvd dot nist dot gov/vuln/detail/cve-2024-21887
- NVD entry for CVE-2024-21893 (defanged): nvd dot nist dot gov/vuln/detail/cve-2024-21893
- NVD entry for CVE-2023-48788 (defanged): nvd dot nist dot gov/vuln/detail/cve-2023-48788