CVE-2024-21893: Critical SSRF in Ivanti Connect Secure and Policy Secure SAML Component
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication.
FREQUENTLY ASKED QUESTIONS
What is CVE-2024-21893 and why does it matter?
CVE-2024-21893 is a Server-Side Request Forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Policy Secure, and Neurons. It matters because it allows unauthenticated attackers to access restricted resources. It carries a CVSS score of 8.2 and an EPSS percentile of 100.0%, is being actively exploited in the wild, and has known ties to ransomware operations.
Which versions of the product are affected?
The affected versions include Ivanti Connect Secure and Policy Secure versions 9.1R18, 22.6R2, 22.6R1, 9.0, 22.6, 22.3, 22.5, 22.4, 22.1, 22.2, 9.1, 21.9, and 21.12. Ivanti Neurons for ZTA is also impacted. Organizations should check their specific deployment version against these listed values immediately.
Has a patch been released for CVE-2024-21893?
Yes, Ivanti has provided remediation instructions and patches. Users should refer to the official Ivanti portal at the provided patch URL to apply the necessary updates or mitigations. Given the active exploitation status, applying these fixes is considered a high-priority defensive action.
What is the remediation deadline and what does it mean for compliance?
The remediation deadline for CVE-2024-21893 was 2024-02-02. For federal agencies and organizations following CISA BOD 22-01, this means the vulnerability must be mitigated or patched by this date to maintain compliance. Failure to do so significantly increases the risk of successful compromise by malicious actors.
How can I check if my Ivanti instance is affected?
To check if an instance is affected, administrators should verify the current software version against the list of affected versions (e.g., 9.x or 22.x releases). Additionally, Ivanti provides an Integrity Checker Tool (ICT) that can help identify signs of compromise or unauthorized modifications to the SAML component and other system files.
CVE-2024-21893 represents a critical security flaw in the SAML (Security Assertion Markup Language) component of Ivanti's primary gateway products, including Connect Secure (ICS), Policy Secure (IPS), and Ivanti Neurons for ZTA. This vulnerability is classified as a Server-Side Request Forgery (SSRF), with a CVSS v3.0 score of 8.2 (High). The risk is exacerbated by an EPSS score of 0.94319, placing it in the 100th percentile of likely exploitation. Crucially, the vulnerability allows unauthenticated attackers to bypass security boundaries and access restricted internal resources, making it a prime target for initial access brokers and ransomware affiliates.
Technical Deep Dive: Understanding the SSRF in SAML
Server-Side Request Forgery (CWE-918) occurs when a web application (in this case, the SAML component of Ivanti gateways) is coerced into making requests to an unintended destination. In the context of CVE-2024-21893, the vulnerability resides within the SAML engine, which is responsible for processing authentication assertions between identity providers (IdPs) and the service provider (the Ivanti gateway).
An unauthenticated attacker can craft a malicious request to the SAML endpoint that forces the server to interact with internal metadata services, management interfaces, or other backend systems that are not intended to be exposed to the public internet. Because the Ivanti gateway often holds a privileged position within the network architecture (acting as a bridge between the DMZ and the internal LAN), the SSRF serves as a powerful lever for the attacker to "proxy" their way into the heart of the organization.
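The defensive counterpart to the behaviour described above is a destination check applied before the SAML component issues any server-side request. The following is an added example, not Ivanti's code: it assumes a hypothetical SP that fetches IdP material over HTTPS, a constructed allowlist of IdP hosts, and an injected resolver so the check runs offline. It rejects non-HTTPS schemes, hosts outside the allowlist (including userinfo tricks such as idp@metadata-ip), and allowlisted names that resolve to loopback, link-local or private addresses.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only IdP hosts this hypothetical SP may contact.
ALLOWED_IDP_HOSTS = {"idp.example.com"}

def _non_routable(addr: str) -> bool:
    """True for loopback, private, link-local (incl. 169.254.169.254 metadata) or multicast addresses."""
    ip = ipaddress.ip_address(addr)
    return (not ip.is_global) or ip.is_multicast

def check_saml_destination(url: str, resolve, allowed_hosts=ALLOWED_IDP_HOSTS):
    """Return (allowed, reason) for a server-side request the SAML engine wants to make.

    resolve(hostname) -> list of IP strings is injected so that the check can be tested
    without DNS; in production it would wrap the real resolver.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    # .hostname strips userinfo and port, so "https://idp.example.com@169.254.169.254/"
    # is judged on the real target, not on the decoy before the '@'.
    host = parts.hostname
    if not host or host.lower() not in allowed_hosts:
        return False, f"host {host!r} not in configured IdP allowlist"
    try:
        addrs = resolve(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    # Re-check the resolved addresses: a poisoned or rebinding DNS answer must not turn an
    # allowlisted name into a request against an internal service.
    for addr in addrs:
        if _non_routable(addr):
            return False, f"{host} resolves to non-routable address {addr}"
    return True, "ok"

# Constructed stub resolvers standing in for DNS.
def resolve_public(host):
    return ["93.184.216.34"]  # constructed globally routable answer

def resolve_internal(host):
    return ["10.0.0.5"]       # constructed answer pointing into the LAN
```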
The Attack Chain and Blast Radius
The attack chain typically begins with a specially crafted XML request targeting the SAML ACS (Assertion Consumer Service) or related endpoints. Unlike other vulnerabilities that might require valid credentials, CVE-2024-21893 can be triggered prior to authentication. This makes the "blast radius" particularly large, as any internet-facing Ivanti gateway is a potential entry point.
Furthermore, this SSRF can be chained with other vulnerabilities, such as CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection), to achieve full remote code execution (RCE). When combined, these vulnerabilities allow an attacker to bypass authentication, pivot through the network via SSRF, and ultimately execute arbitrary commands with administrative privileges on the underlying operating system.
Impacted Versions and Who Is Affected
This vulnerability impacts a wide range of Ivanti's enterprise security products. Organizations utilizing Ivanti Connect Secure (formerly Pulse Connect Secure) or Ivanti Policy Secure for remote access and Network Access Control (NAC) are at significant risk. Specifically, versions 9.x and 22.x are affected, covering both legacy and modern deployments.
CISA BOD 22-01 Compliance
Due to active exploitation and the critical nature of the flaw, CVE-2024-21893 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. For United States Federal Executive Branch (FCEB) agencies, Binding Operational Directive (BOD) 22-01 mandated remediation by February 2, 2024. While this deadline has passed, any organization that has not yet applied the latest patches or mitigations is currently operating in a state of high non-compliance and extreme risk.
Official Remediation and Patching Steps
Ivanti has released multiple updates and an XML mitigation file to address this issue. Administrators must prioritize the following steps:
Identify Vulnerable Instances: Audit your infrastructure to identify all Ivanti Connect Secure, Policy Secure, and Neurons for ZTA instances. Check the running version against the affected list (e.g., 9.1R18, 22.6R2).
Apply Official Patches: Ivanti has released cumulative security updates that address CVE-2024-21893 alongside previously disclosed vulnerabilities. Access the official Ivanti download portal via the Ivanti Community Forum.
Deploy XML Mitigations: If an immediate upgrade is not possible, apply the official XML mitigation file provided by Ivanti. This file disables specific vulnerable SAML components while maintaining basic gateway functionality. Note that this may impact certain SSO (Single Sign-On) features.
Run the Integrity Checker Tool (ICT): Ivanti recommends running both the internal and external Integrity Checker Tools to confirm that attackers did not establish persistence before the patch was applied.
Reset Credentials: As a precautionary measure, once patched, administrators should consider rotating all administrative passwords and certificates associated with the gateway.
Security Best Practices for Ivanti Gateways
To defend against SSRF and similar attack vectors in the future, organizations should adopt a multi-layered defense strategy focused on the following best practices:
Implement Egress Filtering: Restrict the ability of the Ivanti gateway to make outbound requests to the internal network. Only allow communication to known, required backend servers on specific ports.
Zero Trust Architecture (ZTA): Transition from traditional VPN-centric access to a Zero Trust model where access is granted based on identity and device health, rather than network location. This reduces the impact of a compromised gateway.
Harden SAML Configurations: Ensure that SAML assertions are signed and encrypted, and that the server is configured to reject requests to unauthorized or internal-only URIs.
Enhanced Logging and Monitoring: Enable detailed logging for the SAML component and monitor for unusual outbound traffic patterns originating from the gateway, which may indicate SSRF attempts.
Rapid Patching Cadence: Establish a 24- to 48-hour patching window for critical perimeter security devices. As the February 2 deadline shows, the window between disclosure and exploitation is often non-existent.
Network Segmentation: Isolate management interfaces from the data plane. Ensure that the gateway cannot communicate with the management network of the hypervisor or other critical infrastructure.
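The egress-filtering and monitoring practices above can be checked against the same data: every flow the gateway originates should land on a known backend, and anything else is worth an alert. The following is an added example, not an Ivanti tool: it assumes a constructed firewall-style log format, a constructed gateway address, and a constructed allowlist of (host, port) backends (LDAPS and RADIUS), and it flags gateway-originated flows outside that allowlist, collapsing repeats so probing stands out.

```python
import re
from collections import Counter

# Constructed sample egress log lines in a generic firewall style (not real Ivanti logs).
SAMPLE_LOG = """\
2024-01-31T10:15:02Z src=10.1.2.3 dst=10.1.5.20 dport=636 action=allow
2024-01-31T10:15:04Z src=10.1.2.3 dst=10.1.5.21 dport=1812 action=allow
2024-01-31T10:15:09Z src=10.1.2.3 dst=169.254.169.254 dport=80 action=allow
2024-01-31T10:15:10Z src=10.1.2.3 dst=10.1.9.8 dport=8443 action=allow
2024-01-31T10:15:11Z src=10.1.2.3 dst=10.1.9.8 dport=8443 action=allow
2024-01-31T10:15:12Z src=10.1.7.44 dst=10.1.9.8 dport=8443 action=allow
"""

# Constructed: the gateway's internal interface and the only backends it should reach.
GATEWAY_IPS = {"10.1.2.3"}
ALLOWED_BACKENDS = {("10.1.5.20", 636), ("10.1.5.21", 1812)}

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def find_unexpected_egress(log_text, gateway_ips=GATEWAY_IPS, allowed=ALLOWED_BACKENDS):
    """Return [(timestamp, dst, dport), ...] for flows the gateway started outside the allowlist.

    Flows from other sources are ignored: the point is what the gateway itself reaches for,
    which is where an SSRF through the SAML component would show up.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] not in gateway_ips:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) not in allowed:
            hits.append((m["ts"], dst, dport))
    return hits

def summarize(hits):
    """Collapse hits into {(dst, dport): count} so repeated probing of one target stands out."""
    return Counter((dst, dport) for _, dst, dport in hits)

if __name__ == "__main__":
    for (dst, dport), n in summarize(find_unexpected_egress(SAMPLE_LOG)).most_common():
        print(f"gateway -> {dst}:{dport}  ({n} flow(s) outside allowlist)")
```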