Urgent: Patch Ivanti Products to Block DSLog Backdoor

Hackers are exploiting a Server-Side Request Forgery (SSRF) vulnerability in Ivanti Connect Secure (ICS), Policy Secure (IPS), and ZTA products to deploy a new backdoor named DSLog on vulnerable devices.

The flaw, identified as CVE-2024-21893 (CVSS score: 8.2), was disclosed on January 31st and is described as an actively exploited zero-day vulnerability. Following its discovery, Ivanti provided security updates and mitigation recommendations.

This vulnerability impacts the SAML component of the specified products, allowing attackers to bypass authentication and access restricted resources on Ivanti gateways running versions 9.x and 22.x. Updates released to address the issue include:

  • Ivanti Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and 22.5R2.2;
  • Ivanti Policy Secure version 22.5R1.1;
  • ZTA version 22.6R1.3.

On February 5th, 2024, the threat monitoring service Shadowserver reported 441 attempts to exploit the vulnerability, some of them using the proof-of-concept (PoC) exploits previously published by Rapid7, although whether any of these attempts succeeded was not known at that time.

A recent report by Orange Cyberdefense confirms that CVE-2024-21893 has been successfully exploited to install the new DSLog backdoor, which lets attackers remotely execute commands on compromised Ivanti servers. The backdoor was first detected on February 3rd, 2024, during analysis of a compromised device that had applied Ivanti’s proposed XML mitigation (blocking all API endpoints) but not the actual fix.

The DSLog backdoor was inserted into the Ivanti device’s codebase by sending SAML authentication requests containing encoded commands. These commands performed operations such as outputting system information to a public file (index2.txt), indicating the attackers’ intent to conduct internal reconnaissance and confirm their root access.


Orange Cyberdefense explains that the DSLog backdoor can execute “any commands” on the compromised device, received via HTTP requests from the attackers, with the command passed in a request parameter named “cdi”. Each request must also carry a SHA256 hash unique to the affected device, sent in the HTTP User-Agent header, which acts as an API key authenticating the request to the backdoor.

Researchers note that the web shell is particularly covert because it returns no status code in response to connection attempts. Orange was also unable to determine how the SHA256 hash is derived, and noted that “.access” logs had been wiped on several compromised devices to conceal the attackers’ activity.

Nonetheless, the researchers identified nearly 700 compromised Ivanti servers by analyzing other artifacts, such as “index” text files in the “hxxp://{ip}/dana-na/imgs/” directory. Approximately 20% of the endpoints had already been compromised in earlier campaigns, while the rest were vulnerable because neither the additional patches nor the mitigation measures had been applied.
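As an added defensive example (not code from the Orange Cyberdefense report or from Ivanti), the following Python scan flags the request features described above in a web access log: a bare SHA256 digest as the User-Agent, a “cdi” query parameter, and requests for index text files under /dana-na/imgs/. The log format is assumed to be Combined Log Format; the backdoor path, client addresses and digest value in the sample lines are constructed placeholders, not real indicators.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SHA256_UA_RE = re.compile(r'^[0-9a-fA-F]{64}$')       # whole User-Agent is a bare SHA256 hex digest
INDEX_FILE_RE = re.compile(r'^/dana-na/imgs/index\w*\.txt$', re.IGNORECASE)  # e.g. index2.txt

def flag_line(line):
    """Return the reasons a single access-log line is suspicious (empty list = nothing matched)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparseable log line"]
    reasons = []
    if SHA256_UA_RE.match(m["ua"]):
        reasons.append("User-Agent is a bare SHA256 digest (DSLog per-device key pattern)")
    url = urlsplit(m["target"])
    if "cdi" in parse_qs(url.query, keep_blank_values=True):
        reasons.append("request carries the 'cdi' parameter used to pass backdoor commands")
    if INDEX_FILE_RE.match(url.path):
        reasons.append("request for a recon output file under /dana-na/imgs/")
    return reasons

def scan(log_text):
    """Scan a whole log; return (client_ip, request_target, reasons) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = flag_line(line)
        if reasons:
            m = LOG_RE.match(line.strip())
            hits.append((m["ip"] if m else "?", m["target"] if m else line, reasons))
    return hits

# Constructed sample log lines; addresses, the backdoor path and the digest are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Feb/2024:10:15:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Feb/2024:10:16:44 +0000] "GET /dana-na/imgs/index2.txt HTTP/1.1" 200 812 "-" "curl/8.4.0"
198.51.100.5 - - [03/Feb/2024:10:17:10 +0000] "GET /dana-na/BACKDOOR_PATH_PLACEHOLDER?cdi=id HTTP/1.1" 200 0 "-" "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
"""

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target, "->", "; ".join(reasons))
```

Run against the device’s own access logs only after preserving a copy, since the report notes that attackers wiped “.access” logs on several devices; a missing or truncated log is itself a finding.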

Recall that Ivanti recently alerted clients to a new authentication bypass vulnerability, CVE-2024-22024 (CVSS score: 8.3), affecting Connect Secure (ICS), Policy Secure (IPS), and ZTA gateways, urging administrators to immediately secure their devices.

This vulnerability was identified during an internal review conducted by the company as part of its ongoing investigation into several flaws discovered in its products since the start of the year. At the end of January, Ivanti released a series of patches for vulnerable ICS and IPS gateways, but at the same time the company discovered two additional zero-day vulnerabilities, including CVE-2024-21893.