CRITICAL: Vulnerable Ivanti Connect Secure Special Report

DESCRIPTION LAST UPDATED: 2024-02-06

DEFAULT SEVERITY LEVEL: CRITICAL

This one-time Special Report contains information about currently known vulnerable Ivanti Connect Secure appliances – specifically those vulnerable to a new exploit chain as described in this Rapid7 CVE-2024-21893 analysis.

This is a developing incident – we see CVE-2024-21893 being used to bypass previous Ivanti mitigations (if any were installed) and execute CVE-2024-21887 RCE  in the wild. You can also read up write-ups on the current situation from BleepingComputer, Ars Technica and The Register amongst others.

Information contained in the report is obtained by scanning for exposed and vulnerable instances and was provided to us by an anonymous source.

If you receive an alert from us on a vulnerable instance detected in your network or constituency please also assume compromise of your instance and possibly your network.

A patch with guidance is available from Ivanti.

Please also review US CISA compromised and threat hunting guidance on the incident.

Please note we are also scanning for vulnerable Ivanti instances (earlier vulnerabilities) in our CRITICAL: Vulnerable HTTP Report and compromised instances in our CRITICAL: Compromised Website Report. Track current exploitation trends on our Dashboard.

This report has severity level CRITICAL set on all events.  Severity levels are described here.

About Special Reports

Shadowserver Special Reports are unlike all of our other standard free daily network reports.

Instead, we send out Special Reports in situations where we  share one-time, high value datasets that we feel should be reported responsibly for maximum public benefit, such as in cases where we have a critical new vulnerability being exploited against potentially high value targets.

Note that the data shared across special reports may differ on a case by case basis hence the report formats for different Special Reports may be different.

Filename: 2024-02-06-special

 

 

Fields

  • timestamp
    Timestamp when the IP address was seen, in UTC+0
  • ip
    IP address of the affected device
  • port
    TCP port identified
  • protocol
    Protocol
  • asn
    Autonomous System Number of the affected device
  • geo
    Country of the affected device
  • region
    Region of the affected device
  • city
    City of the affected device
  • hostname
    Hostname of the affected device (may be from reverse DNS)
  • naics
    North American Industry Classification System Code
  • sector
    Sector of the IP in question
  • tag
    Tag set to ivanti-connect-secure;ssl;cve-2024-21893;cve-2024-21887
  • public_source
    Source of the data
  • status
    Unused
  • detail
    Unused
  • method
    Unused
  • device_vendor
    for example, Pulse Secure
  • device_type
    for example, vpn
  • device_model
    for example, Pulse Connect Secure VPN
  • device_version
    Unused
  • severity
    set to CRITICAL
  • hostname_source
    Hostname source
  • request_path
    Requested path
  • subject_common_name
    The Common Name (CN) of the SSL certificate
  • x509v3_subject_alt_name
    Subject Alternative Name

Sample

"timestamp","ip","port","protocol","asn","geo","region","city","hostname","naics","sector","tag","public_source","status","detail","method","device_vendor","device_type","device_model","device_version","severity","hostname_source","request_path","subject_common_name","x509v3_subject_alt_name"
"2010-02-10 00:00:00",192.168.0.1,443,tcp,64512,ZZ,Region,City,node01.example.com,0,,ivanti-connect-secure;ssl;cve-2024-21893;cve-2024-21887,,,,,"Pulse Secure",vpn,"Pulse Connect Secure VPN",,critical,ptr,https://192.168.0.1:443/dana-ws/saml20.ws,example.com,www.example.com
"2010-02-10 00:00:01",192.168.0.2,443,tcp,64512,ZZ,Region,City,node02.example.com,0,"Communications, Service Provider, and Hosting Service",ivanti-connect-secure;ssl;cve-2024-21893;cve-2024-21887,,,,,,,,,critical,,https://192.168.0.2:443/dana-ws/saml20.ws,example.com,www.example.com
"2010-02-10 00:00:02",192.168.0.3,443,tcp,64512,ZZ,Region,City,node03.example.com,0,,ivanti-connect-secure;ssl;cve-2024-21893;cve-2024-21887,,,,,,,,,critical,,https://192.168.0.3:443/dana-ws/saml20.ws,example.com,www.example.com

Our 132 Report Types