nessus
IVANTI_CONNECT_SECURE_CVE-2024-21887.NASL
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
Jan 10, 2024 - 12:00 a.m.

Ivanti Connect Secure 9.x / 22.x Multiple Vulnerabilities

ivanti connect secure
multiple vulnerabilities
authentication bypass
command injection
privilege escalation
remote attacker
restricted resources
control checks
arbitrary commands
appliance
nessus
self-reported
version number

AI Score: 9.7 High (Confidence: High)

The Ivanti Connect Secure installed on the remote host is 9.x or 22.x. It is, therefore, affected by multiple vulnerabilities:

  • An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. (CVE-2023-46805)

  • A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet. (CVE-2024-21887)

  • A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator. (CVE-2024-21888)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(187908);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/12");

  script_cve_id(
    "CVE-2023-46805",
    "CVE-2024-21887",
    "CVE-2024-21888",
    "CVE-2024-21893",
    "CVE-2024-22024"
  );
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2024/01/31");
  script_xref(name:"CEA-ID", value:"CEA-2024-0003");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2024/02/02");
  script_xref(name:"IAVA", value:"2024-A-0080");

  script_name(english:"Ivanti Connect Secure 9.x / 22.x Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"A VPN solution installed on the remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The Ivanti Connect Secure installed on the remote host is 9.x or 22.x. It is, therefore, affected by 
multiple vulnerabilities:

  - An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy
    Secure allows a remote attacker to access restricted resources by bypassing control checks. (CVE-2023-46805)

  - A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure
    allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the
    appliance. This vulnerability can be exploited over the internet. (CVE-2024-21887)

  - A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure
    (9.x, 22.x) allows a user to elevate privileges to that of an administrator. (CVE-2024-21888)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?11330e19");
  # https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dec942ff");
  script_set_attribute(attribute:"solution", value:
"See vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-21888");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2024-21887");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Ivanti Connect Secure Unauthenticated Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/01/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/01/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/01/10");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:pulsesecure:pulse_connect_secure");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("pulse_connect_secure_detect.nbin");
  script_require_keys("installed_sw/Pulse Connect Secure");

  exit(0);
}

include('http.inc');
include('vcf.inc');
include('vcf_extras.inc');

var port = get_http_port(default:443, embedded:TRUE);
var app_info = vcf::pulse_connect_secure::get_app_info(app:'Pulse Connect Secure', port:port, full_version:TRUE, webapp:TRUE);

var constraints = [
  {'min_version':'9.1.14', 'fixed_version':'9.1.14.25049'}, # 9.1R14.5
  {'min_version':'9.1.15', 'max_version':'9.1.15.22337', 'fixed_display':'See vendor advisory'}, # 9.1R15.3
  {'min_version':'9.1.16', 'max_version':'9.1.16.21349', 'fixed_display':'See vendor advisory'}, # 9.1R16.3
  {'min_version':'9.1.17', 'fixed_version':'9.1.17.25051'}, # 9.1R17.3
  {'min_version':'9.1.18', 'fixed_version':'9.1.18.25055'}, # 9.1R18.4

  {'min_version':'22.1.6', 'max_version':'22.1.6.575',  'fixed_display':'See vendor advisory'}, # 22.1R6.1
  {'min_version':'22.2.4', 'max_version':'22.2.4.1279', 'fixed_display':'See vendor advisory'}, # 22.2R4.1
  {'min_version':'22.3.1', 'max_version':'22.3.1.1647', 'fixed_display':'See vendor advisory'}, # 22.3R1.1
  {'min_version':'22.4.1', 'max_version':'22.4.1.1439', 'fixed_display':'See vendor advisory'}, # 22.4R1.1
  {'min_version':'22.4.2', 'fixed_version':'22.4.2.2159'}, # 22.4R2.3
  {'min_version':'22.5.1', 'fixed_version':'22.5.1.2213'}, # 22.5R1.2
  {'min_version':'22.5.2', 'fixed_version':'22.5.2.2215'}, # 22.5R2.3
  {'min_version':'22.6.1', 'max_version':'22.6.1.9999', 'fixed_display':'See vendor advisory'}, # 22.6R1.1
  {'min_version':'22.6.2', 'fixed_version':'22.6.2.2677'}  # 22.6R2.2
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| pulsesecure | pulse_connect_secure | | cpe:/a:pulsesecure:pulse_connect_secure |
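
How a version-only check like this one evaluates a self-reported build string against the plugin's constraint table, as an added Python example that is not Tenable's vcf code and not part of the original page. The range semantics (min_version inclusive, fixed_version exclusive, max_version inclusive) are assumptions, and `parse`, `compare` and `check` are hypothetical helper names.

```python
# Added example, not Tenable's vcf library. ASSUMED semantics: min_version is
# inclusive, fixed_version is exclusive, max_version is inclusive.
from itertools import zip_longest

SEE = "See vendor advisory"
# (min_version, fixed_version, max_version) rows copied from the plugin.
CONSTRAINTS = [
    ("9.1.14", "9.1.14.25049", None),
    ("9.1.15", None, "9.1.15.22337"),
    ("9.1.16", None, "9.1.16.21349"),
    ("9.1.17", "9.1.17.25051", None),
    ("9.1.18", "9.1.18.25055", None),
    ("22.1.6", None, "22.1.6.575"),
    ("22.2.4", None, "22.2.4.1279"),
    ("22.3.1", None, "22.3.1.1647"),
    ("22.4.1", None, "22.4.1.1439"),
    ("22.4.2", "22.4.2.2159", None),
    ("22.5.1", "22.5.1.2213", None),
    ("22.5.2", "22.5.2.2215", None),
    ("22.6.1", None, "22.6.1.9999"),
    ("22.6.2", "22.6.2.2677", None),
]

def parse(version):
    """Split a dotted build string into integers, rejecting anything else."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return [int(p) for p in parts]

def compare(a, b):
    """Return -1, 0 or 1; the shorter version is padded with zeros."""
    for x, y in zip_longest(parse(a), parse(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def check(version):
    """Return (flagged, fix_text) for a self-reported full version."""
    for low, fixed, high in CONSTRAINTS:
        if compare(version, low) < 0:
            continue  # below this row's range
        if fixed and compare(version, fixed) < 0:
            return True, fixed
        if high and compare(version, high) <= 0:
            return True, SEE
    return False, None  # no row matched: not flagged, which is not proof of safety
```

In this sketch a build below every `min_version` (for example a constructed `9.1.13.9999`) matches no row and is not flagged, so an unflagged result only means the reported version fell outside the listed ranges.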