Nessus plugin IVANTI_POLICY_SECURE_CVE-2024-21894.NASL
History: Apr 04, 2024 - 12:00 a.m.

Ivanti Policy Secure 9.x / 22.x Multiple Vulnerabilities (CVE-2024-21894)

Published: 2024-04-04 00:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
Tags: ivanti policy secure, multiple vulnerabilities, cve-2024-21894, heap overflow, null pointer dereference, xml vulnerability, unauthenticated attackers, dos attack, arbitrary code, memory contents, nessus scanner

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 39.3%)

The Ivanti Policy Secure installed on the remote host is 9.x or 22.x. It is, therefore, affected by multiple vulnerabilities:

  • A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, causing a DoS. In certain conditions this may lead to execution of arbitrary code. (CVE-2024-21894)

  • A null pointer dereference vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, causing a DoS. (CVE-2024-22052)

  • A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, causing a DoS, or in certain conditions to read contents from memory. (CVE-2024-22053)

  • An XML entity expansion (XEE) vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in order to temporarily exhaust resources, resulting in a limited-time DoS. (CVE-2024-22023)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
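The XEE item above (CVE-2024-22023) is a resource-exhaustion class, not a memory-corruption one: a small DTD declares entities that reference each other, and the parser pays the cost when it expands them. The following is an added example, not Tenable's plugin code and not Ivanti's SAML implementation; the SAML-shaped payload, the entity names and the element IDs are constructed here for illustration, and nothing on this page reveals what the real request to the SAML component looks like. It shows the shape of such a payload, a function that sizes the expansion from the declarations alone (so the body is never expanded), and a parser hardened to refuse any entity declaration or external DTD at declaration time, before a single reference is expanded.

```python
# Added example, not code from the Nessus plugin or from Ivanti.  The SAML
# document, entity names and IDs below are constructed for illustration.
import re
import xml.parsers.expat

# Constructed payload: three nesting levels, ten references per level, so the
# single &lol3; in the body expands to 10**3 * len("lol") = 3000 characters.
# Real payloads add more levels; each level multiplies the size by ten.
MALICIOUS_SAML = """<?xml version="1.0"?>
<!DOCTYPE samlp:Response [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">
  <samlp:Status>&lol3;</samlp:Status>
</samlp:Response>
"""

# Constructed benign message with no DTD at all.
BENIGN_SAML = """<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">
  <samlp:Status>ok</samlp:Status>
</samlp:Response>
"""

_REF = re.compile(r"&([^;&\s]+);")
_PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}


class _DtdDone(Exception):
    """Raised from a handler to stop expat as soon as the DTD has been read."""


def entity_expansion_sizes(doc: str) -> dict:
    """Return {entity: expanded length} for each internal general entity
    declared in the DTD.  Sizes come from the declarations, so the document
    body is never parsed and nothing is actually expanded."""
    decls = {}

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if not is_param and value is not None:
            decls[name] = value        # replacement text, references unexpanded

    def on_dtd_end():
        raise _DtdDone()

    p = xml.parsers.expat.ParserCreate()
    p.EntityDeclHandler = on_entity
    p.EndDoctypeDeclHandler = on_dtd_end
    try:
        p.Parse(doc, True)
    except _DtdDone:
        pass

    sizes = {}

    def size(name, stack=()):
        if name in sizes:
            return sizes[name]
        if name in stack:              # recursive reference: unbounded
            return float("inf")
        text, total, pos = decls[name], 0, 0
        for m in _REF.finditer(text):
            total += m.start() - pos
            ref = m.group(1)
            if ref in decls:
                total += size(ref, stack + (name,))
            elif ref.startswith("#") or ref in _PREDEFINED:
                total += 1             # character or predefined entity
            else:
                total += len(m.group(0))
            pos = m.end()
        sizes[name] = total + len(text) - pos
        return sizes[name]

    for n in decls:
        size(n)
    return sizes


def parse_rejecting_entities(doc: str) -> bool:
    """Parse doc, refusing any entity declaration or external DTD before a
    reference can be expanded.  True if parsed, False if rejected or
    malformed.  Cost is bounded by the DTD text, not by its expansion."""
    class Rejected(Exception):
        pass

    def on_entity(*_):
        raise Rejected("entity declaration in DTD")

    def on_doctype_start(name, sysid, pubid, has_internal_subset):
        if sysid or pubid:
            raise Rejected("external DTD")

    p = xml.parsers.expat.ParserCreate()
    p.EntityDeclHandler = on_entity
    p.StartDoctypeDeclHandler = on_doctype_start
    p.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    try:
        p.Parse(doc, True)
        return True
    except (Rejected, xml.parsers.expat.ExpatError):
        return False


if __name__ == "__main__":
    print(entity_expansion_sizes(MALICIOUS_SAML))   # lol3 -> 3000
    print(parse_rejecting_entities(MALICIOUS_SAML))  # False
    print(parse_rejecting_entities(BENIGN_SAML))     # True
```

SAML messages never need a DTD, so refusing the DOCTYPE outright is the right default for a SAML endpoint; the sizing function is useful on the detection side, to grade a captured request by its expansion factor without reproducing the DoS on the analysis host.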

#%NASL_MIN_LEVEL 80900
##
# (c) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(192927);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/11");

  script_cve_id(
    "CVE-2024-21894",
    "CVE-2024-22052",
    "CVE-2024-22053",
    "CVE-2024-22023"
  );
  script_xref(name:"IAVA", value:"2024-A-0201");

  script_name(english:"Ivanti Policy Secure 9.x / 22.x Multiple Vulnerabilities (CVE-2024-21894)");

  script_set_attribute(attribute:"synopsis", value:
"A NAC solution installed on the remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The Ivanti Policy Secure installed on the remote host is 9.x or 22.x. It is, therefore, affected by 
multiple vulnerabilities:

- A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure
allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby
causing a DoS attack. In certain conditions this may lead to execution of arbitrary code. (CVE-2024-21894)

- A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy
Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service
thereby causing a DoS attack. (CVE-2024-22052)

- A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure
allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby
causing a DoS attack or in certain conditions read contents from memory. (CVE-2024-22053)

- An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti
Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in-order-to temporarily
cause resource exhaustion thereby resulting in a limited-time DoS. (CVE-2024-22023)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://forums.ivanti.com/s/article/New-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?65301712");
  script_set_attribute(attribute:"solution", value:
"See vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-21894");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/04/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/04/04");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:pulsesecure:pulse_policy_secure");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("pulse_policy_secure_detect.nbin");
  script_require_keys("installed_sw/Pulse Policy Secure");

  exit(0);
}

include('vcf.inc');
include('http.inc');

var port = get_http_port(default:443);
var app_info = vcf::get_app_info(app:'Pulse Policy Secure', port:port);

var constraints = [
  {'min_version':'9.1.16', 'fixed_version':'9.1.16.10103'}, # 9.1R16.4
  {'min_version':'9.1.17', 'fixed_version':'9.1.17.10091'}, # 9.1R17.4
  {'min_version':'9.1.18', 'fixed_version':'9.1.18.10095'}, # 9.1R18.5

  {'min_version':'22.4.1', 'max_version':'22.4.1.463', 'fixed_display':'See vendor advisory'}, # 22.4R1.2
  {'min_version':'22.5.1', 'max_version':'22.5.1.621', 'fixed_display':'See vendor advisory'}, # 22.5R1.3
  {'min_version':'22.6.1', 'max_version':'22.6.1.669', 'fixed_display':'See vendor advisory'}  # 22.6R1.2
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
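The plugin body above is entirely a version comparison against the constraints table: the 9.x entries carry a fixed_version, so any build in that train below the fixed build is flagged, while the 22.x entries carry a max_version and point at the vendor advisory, so builds up to and including the listed build are flagged. The following is an added example, not Tenable's vcf library, that re-implements that logic in Python so a self-reported build number can be checked offline against the same table. It assumes vcf semantics of min_version inclusive, fixed_version exclusive and max_version inclusive, and compares the dotted numeric build strings (e.g. 9.1.18.10095), not the release names in the plugin's comments (9.1R18.5). As with the plugin, a build outside the listed trains is simply not flagged.

```python
# Added example, not Tenable's vcf code.  Assumed semantics: flagged when
# version >= min_version and (version < fixed_version or version <= max_version).
from typing import Optional

# Constraints copied from the plugin body.
CONSTRAINTS = [
    {"min_version": "9.1.16", "fixed_version": "9.1.16.10103"},   # 9.1R16.4
    {"min_version": "9.1.17", "fixed_version": "9.1.17.10091"},   # 9.1R17.4
    {"min_version": "9.1.18", "fixed_version": "9.1.18.10095"},   # 9.1R18.5
    {"min_version": "22.4.1", "max_version": "22.4.1.463"},       # 22.4R1.2
    {"min_version": "22.5.1", "max_version": "22.5.1.621"},       # 22.5R1.3
    {"min_version": "22.6.1", "max_version": "22.6.1.669"},       # 22.6R1.2
]


def parse_version(v: str) -> tuple:
    """'9.1.18.10095' -> (9, 1, 18, 10095); non-numeric parts raise ValueError."""
    return tuple(int(p) for p in v.strip().split("."))


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1.  A missing trailing component counts as 0, so
    9.1.16 == 9.1.16.0 and 9.1.16 < 9.1.16.1 (a bare train name is the
    lowest build of that train)."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def matching_constraint(version: str) -> Optional[dict]:
    """Return the first constraint that flags version, or None."""
    for c in CONSTRAINTS:
        if compare(version, c["min_version"]) < 0:
            continue
        if "fixed_version" in c and compare(version, c["fixed_version"]) < 0:
            return c
        if "max_version" in c and compare(version, c["max_version"]) <= 0:
            return c
    return None


def is_vulnerable(version: str) -> bool:
    return matching_constraint(version) is not None


def report(version: str) -> str:
    """One-line verdict in the spirit of the plugin's output."""
    c = matching_constraint(version)
    if c is None:
        return f"{version}: not in any flagged range"
    fix = c.get("fixed_version", "See vendor advisory")
    return f"{version}: flagged (train {c['min_version']}); fixed: {fix}"


if __name__ == "__main__":
    for v in ["9.1.18.10094", "9.1.18.10095", "22.5.1.621", "22.5.1.622", "22.3.1.100"]:
        print(report(v))
```

The boundary cases are the ones worth keeping in a regression list: the last unfixed 9.x build (one below fixed_version) must be flagged, the fixed build itself must not, and for 22.x the listed max build is flagged while the next build is not.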

Vendor: pulsesecure
Product: pulse_policy_secure
Version: (not specified)
CPE: cpe:/a:pulsesecure:pulse_policy_secure

