Full Report
Multiple vulnerabilities have been disclosed for the Ivanti Connect Secure product, including several with a CVSS score of 9 or higher (CRITICAL). The majority of Ivanti Connect Secure servers operating in Korea have been identified as running vulnerable versions.

Figure 1. Default connection screen of Ivanti Connect Secure

Ivanti Connect Secure is a VPN […]

The post Status of Korean Servers Exposed to Ivanti Connect Secure Vulnerabilities (Multiple CVEs) first appeared on ASEC.
Analysis Summary
# Vulnerability: Multiple Critical Vulnerabilities in Ivanti Connect Secure
## CVE Details
- CVE ID: *Multiple vulnerabilities disclosed, including:*
  - CVE-2024-38656 (RCE)
  - CVE-2024-39710 (RCE)
  - CVE-2024-39711 (RCE)
  - CVE-2024-39712 (RCE)
  - CVE-2024-11005 (RCE)
  - CVE-2024-11006 (RCE)
  - CVE-2024-11007 (RCE)
  - CVE-2024-38655 (RCE)
  - CVE-2024-9420 (RCE)
  - CVE-2024-11004 (Reflected XSS)
  - CVE-2024-39709 (Privilege Escalation)
  - CVE-2024-47906 (Privilege Escalation)
  - CVE-2024-8495 (DoS)
  - CVE-2024-38649 (DoS)
- CVSS Score: 9.1 (CRITICAL) for RCE flaws. Other scores range from 7.0 to 8.8.
- CWE: Not explicitly listed, but RCE implies potential flaws like improper input validation or insecure deserialization.
## Affected Systems
- Products: Ivanti Connect Secure (ICS) (formerly Pulse Connect Secure/Juniper Secure Access)
- Versions: All versions below the latest patched version. Specific mention of versions 9.x and 22.x being actively used, with many Korean servers running significantly outdated versions (e.g., 6.5.0.14951, 7.4.0.30667, 8.0.6.32195).
- Configurations: VPN solution utilized for granting access to internal corporate networks.
## Vulnerability Description
The advisory details numerous high-risk vulnerabilities affecting Ivanti Connect Secure, several of which allow for Remote Code Execution (RCE) with critical severity scores (CVSS 9.1). Other vulnerabilities include Privilege Escalation and Denial of Service (DoS). Since Ivanti Connect Secure acts as a VPN gateway to internal networks, exploitation of these flaws poses a significant risk to organizational environments.
## Exploitation
- Status: The source notes that the "Ivanti Connect Secure product is widely used around the world and has a history of multiple real vulnerability attacks in the past," which suggests a high likelihood of active targeting or strong threat-actor interest in these critical flaws. Explicit 'in the wild' confirmation for *this specific bundle* is not stated, but the context strongly implies urgency, especially given that prior history. **PoC availability is implied** by the release of numerous critical RCEs being discussed in security advisories.
- Complexity: Likely **Low** for RCE vulnerabilities on network-facing appliances.
- Attack Vector: **Network** (Remote exploitation possible).
## Impact
- Confidentiality: High (Due to RCE leading to potential network breach)
- Integrity: High (Due to RCE leading to system compromise)
- Availability: Medium to High (Due to DoS flaws and system compromise)
## Remediation
### Patches
The vendor strongly advises updating to the latest versions. The corresponding patched versions mentioned are:
- For version 9.x: Update to at least **9.1.18.25685 (9.1R18.9)**.
- For version 22.x: Update to at least **22.7.2.3431 (22.7R2.3)**.
- **Note:** Users on versions preceding 9.x or 22.x (e.g., running EOL versions like 8.x or 7.x) must upgrade to version 22.x immediately.
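
The thresholds above can be applied to an appliance inventory to decide which hosts need which action. This is an added example, not code from the ASEC article or from Ivanti; the hostnames and the `9.1.14.20000` build are constructed sample values, and reporting branches other than 9.x and 22.x (or unparseable strings) as "unknown" is an assumption of this sketch.

```python
from collections import Counter

# Minimum fixed builds per branch, as stated in the Patches section above.
FIXED = {9: (9, 1, 18, 25685), 22: (22, 7, 2, 3431)}

def parse_version(text):
    """Parse 'major.minor.patch.build' into a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Return (status, action) for one reported ICS version string."""
    v = parse_version(version_text)
    if v is None:
        # e.g. a release name such as '22.7R2.3' instead of the numeric build
        return "unknown", "verify version manually"
    major = v[0]
    if major < 9:
        return "eol", "upgrade to 22.x"
    if major not in FIXED:
        # Branch not covered by the page: do not guess a fixed build.
        return "unknown", "check vendor advisory"
    fixed = FIXED[major]
    if v < fixed:
        return "vulnerable", "update to at least " + ".".join(map(str, fixed))
    return "patched", "none"

def triage(inventory):
    """Classify every (host, version) pair and count results per status."""
    rows = [(host, ver, *classify(ver)) for host, ver in inventory]
    return rows, Counter(status for _, _, status, _ in rows)

# Constructed inventory: hostnames are placeholders; the first three versions
# are the outdated examples quoted on this page, 9.1.14.20000 is made up.
SAMPLE = [
    ("vpn-a.example.internal", "6.5.0.14951"),
    ("vpn-b.example.internal", "7.4.0.30667"),
    ("vpn-c.example.internal", "8.0.6.32195"),
    ("vpn-d.example.internal", "9.1.14.20000"),
    ("vpn-e.example.internal", "22.7.2.3431"),
    ("vpn-f.example.internal", "22.7R2.3"),
]

if __name__ == "__main__":
    rows, counts = triage(SAMPLE)
    for host, ver, status, action in rows:
        print(f"{host:24} {ver:14} {status:10} {action}")
    print(dict(counts))
```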
### Workarounds
No specific temporary workarounds are listed in this summary, but immediate patching is prioritized due to the severity and nature of the vulnerabilities (RCE).
## Detection
- Indicators of Compromise (IOCs): The article suggests subscribing to AhnLab TIP for access to relevant IOCs and detailed analysis.
- Detection methods and tools: Monitoring Ivanti Connect Secure logs for anomalous activity related to the vulnerability types (RCE attempts, unauthorized privilege escalation, DoS patterns). AhnLab EDR/TIP services are mentioned as providing detection capabilities.
## References
- Vendor Advisory: `hxxps://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs`
- ASEC Blog Advisory: `hxxps://asec.ahnlab.com/en/84428/`
- ATIP Advisory: `hxxps://atip.ahnlab.com/security-advisory/view?id=1bb8dec1-16e6-4412-9b5c-a81f182166b9`