Jimmy Ly · Vulnerabilities · 2 min read
CVE-2023-46805: Ivanti Connect Secure (ICS)

We have created a new module in OWASP Nettacker to detect CVE-2023-46805 in Ivanti Connect Secure (ICS). The module is shown below.
OWASP Nettacker
OWASP Nettacker is a security scanning tool created to automate information gathering and vulnerability scanning, and eventually to generate a report for a network covering its services, bugs, vulnerabilities, misconfigurations and other information. Similar to ProjectDiscovery Nuclei, Nettacker uses YAML-based templates for its plugins. The benefit of Nettacker is its enumeration capabilities, such as port and subdomain scanning, whose results can then be fed straight into the vulnerability scanner, whereas Nuclei requires a list of targets to be supplied.
Vulnerability
CVE-2023-46805 is an authentication bypass that is usually chained with CVE-2024-21887 (a command injection) to achieve remote code execution on Ivanti ICS 9.x and 22.x. The module does not exploit the bypass; it checks whether Ivanti's mitigation has been applied, using a method published by watchTowr Labs that looks at the HTTP response (a 403) returned for one specific endpoint, e.g.
http://example.com/api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark
As encoded in the module's conditions, a host is reported when that endpoint answers HTTP 403 with a body that does not contain "<html>"; a 403 HTML page (what the mitigation serves) or any other status is treated as not vulnerable. Because the conditions only look at the status code and the absence of an HTML body, a non-HTML 403 from something in front of the appliance, such as a proxy, would satisfy them too, so treat a hit as a lead to confirm rather than as proof.
CVE-2023-46805: Ivanti Connect Secure (ICS) Plugin

```yaml
info:
  name: ivanti_ics_cve_2023_46805_vuln
  author: Jimmy Ly
  severity: 8.2
  description: CVE-2023-46805 is an authentication bypass that is usually chained with CVE-2024-21887 to perform remote code execution on Ivanti ICS 9.x, 22.x. This module checks whether the mitigations have been applied for CVE-2023-46805.
  reference:
    - https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
    - https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887
  profiles:
    - vuln
    - vulnerability
    - http
    - high_severity
    - cve
    - ivanti
    - ivanti_connect_secure
    - ivanti_ics

payloads:
  - library: http
    steps:
      - method: get
        timeout: 3
        headers:
          User-Agent: "{user_agent}"
        allow_redirects: false
        ssl: false
        url:
          nettacker_fuzzer:
            input_format: "{{schema}}://{target}:{{ports}}/{{paths}}"
            prefix: ""
            suffix: ""
            interceptors:
            data:
              paths:
                - "api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark"
              schema:
                - "http"
                - "https"
              ports:
                - 80
                - 443
        response:
          condition_type: and
          conditions:
            status_code:
              regex: "403"
              reverse: false
            content:
              regex: "<html>"
              reverse: true
```
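To make the detection logic of the module above concrete, the following stand-alone Python script is an added example written for this write-up; it is not Nettacker code and not part of the original module. It re-implements the two parts of the YAML that matter: the nettacker_fuzzer expansion (every combination of schema, port and path) and the response conditions (regex per field, reverse flag, joined by condition_type). The function names (expand_urls, evaluate_conditions, check_response, probe) are my own, the expansion mirrors what the fuzzer block asks for rather than Nettacker's internal implementation, and the sample responses are constructed, not captured from an appliance.

```python
"""Added example: re-implementation of the module's URL fuzzing and response
conditions.  Not Nettacker code; function names and the sample responses
are assumptions made for illustration."""
import itertools
import re
import ssl
import sys
import urllib.error
import urllib.request

# Fuzzer inputs and response conditions copied from the module YAML.
INPUT_FORMAT = "{{schema}}://{target}:{{ports}}/{{paths}}"
FUZZ_DATA = {
    "paths": ["api/v1/configuration/users/user-roles/user-role/"
              "rest-userrole1/web/web-bookmarks/bookmark"],
    "schema": ["http", "https"],
    "ports": [80, 443],
}
CONDITION_TYPE = "and"
CONDITIONS = {
    "status_code": {"regex": "403", "reverse": False},
    "content": {"regex": "<html>", "reverse": True},
}


def expand_urls(target, input_format=INPUT_FORMAT, data=FUZZ_DATA):
    """Expand a nettacker_fuzzer-style template into concrete URLs.

    Each {{name}} placeholder is filled from `data`, taking the Cartesian
    product of all lists; {target} is the host being scanned.  This is my
    reading of the fuzzer block, not Nettacker's own code (assumption).
    """
    names = list(data)
    urls = []
    for combo in itertools.product(*(data[n] for n in names)):
        url = input_format.replace("{target}", target)
        for name, value in zip(names, combo):
            url = url.replace("{{%s}}" % name, str(value))
        urls.append(url)
    return urls


def evaluate_conditions(status_code, body, conditions=CONDITIONS,
                        condition_type=CONDITION_TYPE):
    """Apply a `response.conditions` block to one HTTP response.

    A condition is a regex searched in a response field; `reverse: true`
    means it holds when the regex does NOT match.  The per-field results
    are joined with `and` or `or` according to condition_type.
    """
    fields = {"status_code": str(status_code), "content": body}
    results = []
    for field, rule in conditions.items():
        matched = re.search(rule["regex"], fields[field]) is not None
        results.append(not matched if rule.get("reverse") else matched)
    return all(results) if condition_type == "and" else any(results)


def check_response(status_code, body):
    """True when the module would report the host: HTTP 403 whose body is
    not an HTML page (the API answered instead of the mitigation)."""
    return evaluate_conditions(status_code, body)


def probe(url, timeout=3):
    """Fetch one URL with no redirects and no certificate checks (the
    module's allow_redirects: false / ssl: false) and return (status, body).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # makes urllib raise HTTPError instead of following

    opener = urllib.request.build_opener(
        NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body
        return err.code, err.read().decode("utf-8", "replace")


# Constructed sample responses (assumptions, not captured from a device).
SAMPLES = {
    "403 from the REST API, JSON body": (403, '{"error":"unauthorized"}'),
    "403 from the mitigation, HTML page": (403, "<html><body>403 Forbidden</body></html>"),
    "200 web UI page": (200, "<html><body>login</body></html>"),
    "404 not found": (404, ""),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python script.py <host>  (only against your own lab host)
        for url in expand_urls(sys.argv[1]):
            try:
                status, body = probe(url)
            except (urllib.error.URLError, OSError) as exc:
                print(f"{url}: {exc}")
                continue
            verdict = "FLAGGED" if check_response(status, body) else "ok"
            print(f"{url}: {status} -> {verdict}")
    else:
        for label, (status, body) in SAMPLES.items():
            print(f"{label}: {'FLAGGED' if check_response(status, body) else 'ok'}")
```

Run without arguments it evaluates the four constructed responses and flags only the non-HTML 403; with a hostname it expands the four schema/port combinations the module would try and probes each one. Note that, exactly as in the YAML, the expansion also produces http on 443 and https on 80, which is wasted traffic against a real appliance and a reason to tighten the fuzzer data if you copy this pattern.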
Conclusion
Nettacker is a fast and easy-to-understand tool that lets security researchers create modules and contribute to the project with little effort. As with every open-source project, there are improvements to be made, namely the ability to assign variables in YAML, which Nuclei already supports, and support for multi-stage requests. In a multi-stage check, for example, the user wants to take a value from the response to request 1 and use it as a header in request 2.
MITRE ATT&CK Mapping
- Tactics:
- TA0001 Initial Access
- Techniques:
- T1190 Exploit Public-Facing Application