Remote Authentication Bypass Vulnerability Affects Ivanti ICS and Policy Secure
CVE-2023-46805
What is CVE-2023-46805?
CVE-2023-46805 is a significant vulnerability that affects Ivanti's Integrated Cloud Services (ICS) and Policy Secure platforms. This vulnerability constitutes a remote authentication bypass, allowing unauthorized users to gain access to restricted resources without proper authentication checks. Such access could lead to unauthorized manipulation of sensitive data and critical system functions, thereby posing substantial risks to organizational security and operational integrity.
Technical Details
The vulnerability resides in the web component of Ivanti ICS versions 9.x and 22.x as well as Ivanti Policy Secure. The flaw enables remote attackers to bypass established authentication mechanisms, thereby gaining access to secure areas of the application. This type of vulnerability typically arises from inadequacies in code that manages user credentials and session validation processes. The capability to bypass these controls raises serious concerns regarding user data and resource protection within the affected platforms.
Impact of the Vulnerability
- Unauthorized Access: The most immediate impact is that attackers can authenticate themselves without proper credentials, leading to unrestricted access to sensitive information and administrative functions within the Ivanti systems.
- Data Integrity Risks: With unauthorized access, attackers can manipulate or degrade the integrity of critical data stored within the system. This manipulation may lead to misinformation, data breaches, and loss of trust in the data management processes.
- Increased Attack Surface: The existence of this vulnerability can potentially expose organizations to further attacks. Once an attacker gains access through this bypass, they may deploy additional threats, such as installing malware or initiating lateral movement within the network. This escalates the risk of broader system compromise and financial repercussions from data breaches.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
ICS 9.1R18
ICS 22.6R2
IPS 9.1R18
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Ivanti’s bug-plagued network appliances attacked using fresh exploit
Multiple threat actors have begun exploiting one of four recently discovered flaws afflicting the vendor’s VPN and network gateway products.
3 weeks ago
watchTowr Labs - Blog
The epicentre of offensive security expertise and research at watchTowr - watchTowr Labs.
8 months ago
Mirai Botnet Exploits Ivanti Connect Secure Flaws for Malicious Payload Delivery
Ivanti Connect Secure (ICS) devices are under attack! Two critical vulnerabilities are being exploited to deploy the notorious Mirai botnet.
8 months ago
EPSS Score
96% chance of being exploited in the next 30 days.
Timeline
- 🟡 Public PoC available
- 🥇 Vulnerability reached the number 1 worldwide trending spot
- 💰 Used in Ransomware
- 📈 Vulnerability started trending
- Vulnerability published
- 👾 Exploit known to exist
- 🦅 CISA Reported
- 📰 First article discovered by Bleeping Computer
- Vulnerability Reserved