The Ivanti Connect Secure installed on the remote host is 9.x or 22.x. It is, therefore, affected by multiple vulnerabilities:

- An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. (CVE-2023-46805)
- A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet. (CVE-2024-21887)
- A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator. (CVE-2024-21888)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
```
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(187908);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/12");

  script_cve_id(
    "CVE-2023-46805",
    "CVE-2024-21887",
    "CVE-2024-21888",
    "CVE-2024-21893",
    "CVE-2024-22024"
  );
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2024/01/31");
  script_xref(name:"CEA-ID", value:"CEA-2024-0003");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2024/02/02");
  script_xref(name:"IAVA", value:"2024-A-0080");

  script_name(english:"Ivanti Connect Secure 9.x / 22.x Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"A VPN solution installed on the remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The Ivanti Connect Secure installed on the remote host is 9.x or 22.x. It is, therefore, affected by
multiple vulnerabilities:
- An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy
Secure allows a remote attacker to access restricted resources by bypassing control checks. (CVE-2023-46805)
- A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure
allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the
appliance. This vulnerability can be exploited over the internet. (CVE-2024-21887)
- A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure
(9.x, 22.x) allows a user to elevate privileges to that of an administrator. (CVE-2024-21888)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?11330e19");
  # https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dec942ff");
  script_set_attribute(attribute:"solution", value:
"See vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-21888");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2024-21887");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Ivanti Connect Secure Unauthenticated Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/01/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/01/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/01/10");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:pulsesecure:pulse_connect_secure");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("pulse_connect_secure_detect.nbin");
  script_require_keys("installed_sw/Pulse Connect Secure");

  exit(0);
}

include('http.inc');
include('vcf.inc');
include('vcf_extras.inc');

var port = get_http_port(default:443, embedded:TRUE);
var app_info = vcf::pulse_connect_secure::get_app_info(app:'Pulse Connect Secure', port:port, full_version:TRUE, webapp:TRUE);

var constraints = [
  {'min_version':'9.1.14', 'fixed_version':'9.1.14.25049'}, # 9.1R14.5
  {'min_version':'9.1.15', 'max_version':'9.1.15.22337', 'fixed_display':'See vendor advisory'}, # 9.1R15.3
  {'min_version':'9.1.16', 'max_version':'9.1.16.21349', 'fixed_display':'See vendor advisory'}, # 9.1R16.3
  {'min_version':'9.1.17', 'fixed_version':'9.1.17.25051'}, # 9.1R17.3
  {'min_version':'9.1.18', 'fixed_version':'9.1.18.25055'}, # 9.1R18.4
  {'min_version':'22.1.6', 'max_version':'22.1.6.575', 'fixed_display':'See vendor advisory'}, # 22.1R6.1
  {'min_version':'22.2.4', 'max_version':'22.2.4.1279', 'fixed_display':'See vendor advisory'}, # 22.2R4.1
  {'min_version':'22.3.1', 'max_version':'22.3.1.1647', 'fixed_display':'See vendor advisory'}, # 22.3R1.1
  {'min_version':'22.4.1', 'max_version':'22.4.1.1439', 'fixed_display':'See vendor advisory'}, # 22.4R1.1
  {'min_version':'22.4.2', 'fixed_version':'22.4.2.2159'}, # 22.4R2.3
  {'min_version':'22.5.1', 'fixed_version':'22.5.1.2213'}, # 22.5R1.2
  {'min_version':'22.5.2', 'fixed_version':'22.5.2.2215'}, # 22.5R2.3
  {'min_version':'22.6.1', 'max_version':'22.6.1.9999', 'fixed_display':'See vendor advisory'}, # 22.6R1.1
  {'min_version':'22.6.2', 'fixed_version':'22.6.2.2677'} # 22.6R2.2
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
```
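
The same version-range check applied offline to an asset inventory, as an added Python example (not Tenable's code). The ranges are copied from the `constraints` list above; the inclusive/exclusive reading of `min_version`, `max_version` and `fixed_version`, the function names, and the host names and sample versions are assumptions made for illustration.

```python
# Added example (not Tenable code). Rows copied from the plugin's constraints
# list as (min_version, bound_kind, bound). Assumed reading: min_version and
# max_version are inclusive, fixed_version is exclusive.
CONSTRAINTS = [
    ("9.1.14", "fixed", "9.1.14.25049"),
    ("9.1.15", "max", "9.1.15.22337"),
    ("9.1.16", "max", "9.1.16.21349"),
    ("9.1.17", "fixed", "9.1.17.25051"),
    ("9.1.18", "fixed", "9.1.18.25055"),
    ("22.1.6", "max", "22.1.6.575"),
    ("22.2.4", "max", "22.2.4.1279"),
    ("22.3.1", "max", "22.3.1.1647"),
    ("22.4.1", "max", "22.4.1.1439"),
    ("22.4.2", "fixed", "22.4.2.2159"),
    ("22.5.1", "fixed", "22.5.1.2213"),
    ("22.5.2", "fixed", "22.5.2.2215"),
    ("22.6.1", "max", "22.6.1.9999"),
    ("22.6.2", "fixed", "22.6.2.2677"),
]

def parse(version):
    """Dotted build string -> zero-padded int tuple; ValueError if not numeric."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def check(version):
    """Return (status, fix_hint) for one self-reported version string."""
    try:
        v = parse(version)
    except ValueError:
        return ("unknown", None)  # e.g. a release name such as "9.1R14.5"
    for low, kind, bound in CONSTRAINTS:
        if v < parse(low):
            continue
        if kind == "fixed" and v < parse(bound):
            return ("vulnerable", bound)
        if kind == "max" and v <= parse(bound):
            return ("vulnerable", "See vendor advisory")
    return ("not_flagged", None)

# Constructed inventory: host name -> version string reported by the appliance.
INVENTORY = {"vpn-a": "9.1.14.20000", "vpn-b": "9.1.18.25055",
             "vpn-c": "22.6.1.1500", "vpn-d": "9.1R14.5"}

def triage(inventory):
    return {host: check(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(host, *result)
```

`not_flagged` only means the version matches none of the listed ranges (for example, a build below every `min_version`); like the plugin, this check looks at the reported version and nothing else.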
Vendor | Product | Version | CPE |
---|---|---|---|
pulsesecure | pulse_connect_secure | | cpe:/a:pulsesecure:pulse_connect_secure |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46805
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21887
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21888
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21893
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22024
www.nessus.org/u?11330e19
www.nessus.org/u?dec942ff