Merge pull request #706 from DIVD-NL/update_2024-00001

Update 2024 00001 - New scanning method
DIVD-NL · Jan 17, 2024 · 48659dd · 48659dd
2 parents 88b3747 + 668f3f1
commit 48659dd
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/_cases/2024/DIVD-2024-00001.md b/_cases/2024/DIVD-2024-00001.md
@@ -32,10 +32,14 @@ timeline:
   event: "DIVD receives signals about a vulnerability in Ivanti Pulse Connect and starts fingerprinting."
 - start: 2024-01-10
   end:
-  event: “Advisory published, DIVD starts scanning for vulnerable instances."
+  event: Advisory published, DIVD starts scanning for vulnerable instances. Based on lack of mitigation.
 - start: 2024-01-10
   end:
-  event: “Case opened, first version of this casefile."
+  event: Case opened, first version of this casefile.
+- start: 2024-01-17
+  end:
+  event: Scanning with new method that exploits authentication bypass.
+
 #ips: 
 # ips is used for statistics after the case is closed. If it is not applicable, you can set IPs to n/a (e.g. stolen credentials)
 # This field becomes mandatory when the case status is set to 'Closed'
@@ -48,7 +52,7 @@ An authentication bypass and a command injection vulnerability were discovered i
 Given that there is active exploitation, it is crucial the provided mitigation is applied as soon as possible or that the appliance is take offline until mitigations are available. It is also recommended to check the appliance for signs of previous exploitation. The mitigation can be applied by downloading and importing mitigation.release.20240107.1.xml from the Ivanti download portal. Additionally, Volexity (see references) provided detection rules to monitor for exploitation. The patch is expected to be released in the week of January 22nd.
 
 ## What we are doing
-DIVD is currently working to identify vulnerable instances and notify the owners of these systems. We do this by scanning for exposed Ivanti Connect Secure and Policy Secure instances, and checking the version number to determine whether the vulnerability is present. Owners of vulnerable instances receive a notification with the host information and mitigation steps.
+DIVD is currently working to identify vulnerable instances and notify the owners of these systems. We do this by scanning for exposed Ivanti Connect Secure and Policy Secure instances, and by using a de-weaponized exploit to confirm that the authentication bypass vulnerability is present and exploitable on the device. Owners of vulnerable instances, or those responsible for the network they are in, will receive a notification with the host information and mitigation steps.
 
 {% comment %}  Leave this here, so we see a timeline{% endcomment %}
 {% include timeline.html %}
@@ -59,6 +63,7 @@ DIVD is currently working to identify vulnerable instances and notify the owners
 * [Ivanti Security Advisory](https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US)
 * [Volexity Advice](https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/) 
 * [BleepingComputer Blogpost](https://www.bleepingcomputer.com/news/security/ivanti-warns-of-connect-secure-zero-days-exploited-in-attacks/)
+* [Detailed writeup by Rapid7 on AttackerKB](https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis)
 * {% cve CVE-2023-46805 %}
 * {% cve CVE-2024-21887 %}