CVE-2024-37404
Published 2024-10-18
Priority: P180 high · CVSS 3.1 base score 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 67.29% (99.2th percentile)
Improper Input Validation in the admin portal of Ivanti Connect Secure before 22.7R2.1 and 9.1R18.9, or Ivanti Policy Secure before 22.7R1.1 allows a remote authenticated attacker to achieve remote code execution.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | connect_secure | < 9.1 | 9.1 |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | >= 22.3 < 22.7 | 22.7 |
| ivanti | connect_secure | >= 22.7R2.1 < 22.7R2.1 | 22.7R2.1 |
| ivanti | connect_secure | >= 9.1R18.9 < 9.1R18.9 | 9.1R18.9 |
| ivanti | policy_secure | < 22.7 | 22.7 |
| ivanti | policy_secure | — | — |
| ivanti | policy_secure | >= 22.7R1.1 < 22.7R1.1 | 22.7R1.1 |
Detection & IOCs (extracted from sources)
URL: /dana-admin/cert/admincertnewcsr.cgi
URL: /dana/uploadlog/uploadlog.cgi
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Connect Secure CRLF Injection Remote Code Execution Attempt (CVE-2024-37404)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:36; content:"/dana-admin/cert/admincertnewcsr.cgi"; fast_pattern; http.request_body; pcre:"/(?:organizationName|organizationalUnitName|localityName|stateOrProvinceName|countryName|emailAddress)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24)).*?(?:openssl(?:\x5f|%5[fF])conf|engine(?:s|(?:\x5f|%5[fF])id)|dynamic(?:\x5f|%5[fF])path)?/i"; reference:cve,2024-37404; reference:url,blog.amberwolf.com/blog/2024/october/cve-2024-37404-ivanti-connect-secure-authenticated-rce-via-openssl-crlf-injection/; classtype:attempted-admin; sid:2056578; rev:2;)
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Connect Secure Shared Object File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dana/uploadlog/uploadlog.cgi"; startswith; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|uploaded_file|22 3b 20|filename|3d 22|"; content:"Content-Type|3a 20|application/zip|0d 0a 0d 0a|ELF"; within:300; reference:url,blog.amberwolf.com/blog/2024/october/cve-2024-37404-ivanti-connect-secure-authenticated-rce-via-openssl-crlf-injection/; classtype:web-application-attack; sid:2056579; rev:1;)
Bytes: Content-Type: application/zip\r\n\r\nELF
- CRLF injection payload targets the CSR generation endpoint; look for POST to /dana-admin/cert/admincertnewcsr.cgi with body fields (organizationName, organizationalUnitName, localityName, stateOrProvinceName, countryName, emailAddress) containing CRLF/semicolon/backtick/pipe/dollar-sign characters (raw or URL-encoded) followed by OpenSSL config directives (openssl_conf, engines, engine_id, dynamic_path).
- Second-stage payload delivery: watch for POST to /dana/uploadlog/uploadlog.cgi uploading a ZIP-wrapped ELF shared object (Content-Type: application/zip with ELF magic bytes in the body) — this indicates the attacker is uploading a malicious .so for OpenSSL engine loading.
- Exploitation requires valid administrative credentials; monitor for authenticated admin sessions followed immediately by CSR generation requests containing injection characters — the exploit chain is: CRLF-inject OpenSSL config → upload malicious ELF shared object → trigger OpenSSL engine load for RCE.
- Detection requires TLS decryption (SSLDecrypt/TLSDecrypt), as all traffic to the Ivanti Connect Secure admin portal is HTTPS; without decryption, URI- and body-based signatures will not fire.
- Ivanti Policy Secure (prior to 22.7R1.1) is also vulnerable, but the Metasploit module does not support it; detection rules targeting Ivanti Connect Secure paths may not cover the Policy Secure attack surface.
- The URI-based Snort rule for the CSR endpoint uses bsize:36 (exact URI length match); any variation in the URI (e.g., a trailing slash or query string) may cause the rule to miss.
- Both Snort rules require TLS inspection to be effective; deployments without SSL/TLS decryption will not detect this exploit in transit.
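As an added illustration (not from the page's sources), the two ET rules above ported to Python and run over constructed requests, including the bsize:36 exact-match miss noted above; the (method, uri, body) record shape, the function names and the sample bodies are assumptions:

```python
import re
from typing import List, Optional, Tuple

# Endpoints named in the two ET rules on this page.
CSR_URI = "/dana-admin/cert/admincertnewcsr.cgi"
UPLOAD_URI = "/dana/uploadlog/uploadlog.cgi"

# Port of the pcre in sid:2056578: a CSR subject field, then a shell/CRLF metachar
# (raw or URL-encoded), optionally followed by an OpenSSL config directive.
CSR_INJECT_RE = re.compile(
    rb"(?:organizationName|organizationalUnitName|localityName|stateOrProvinceName"
    rb"|countryName|emailAddress)\x3d[^\x26]*?"
    rb"(?:\x3b|%3[Bb]|\x0a|%0[Aa]|\x60|%60|\x7c|%7[Cc]|\x24|%24)"
    rb".*?(?:openssl(?:\x5f|%5[fF])conf|engine(?:s|(?:\x5f|%5[fF])id)"
    rb"|dynamic(?:\x5f|%5[fF])path)?",
    re.IGNORECASE | re.DOTALL,
)

# Port of sid:2056579 ("within:300" becomes a bounded gap). The optional \x7f is an
# assumption beyond the page's rule text: ELF files begin with 0x7f 'E' 'L' 'F'.
UPLOAD_RE = re.compile(
    rb'Content-Disposition: form-data; name="uploaded_file"; filename="'
    rb".{0,300}?Content-Type: application/zip\r\n\r\n\x7f?ELF",
    re.DOTALL,
)

def classify(method: str, uri: str, body: bytes) -> Optional[str]:
    """Label a request that matches one of the two rules, else return None."""
    if method != "POST":
        return None
    # sid:2056578 uses bsize:36, i.e. an exact URI match, so a query string or a
    # trailing slash makes the rule (and this check) miss, as the notes above warn.
    if uri == CSR_URI and CSR_INJECT_RE.search(body):
        return "csr-crlf-injection"
    # sid:2056579 uses startswith, so a query string is tolerated here.
    if uri.startswith(UPLOAD_URI) and UPLOAD_RE.search(body):
        return "elf-shared-object-upload"
    return None

def scan(requests: List[Tuple[str, str, bytes]]) -> List[Optional[str]]:
    return [classify(*req) for req in requests]

# Constructed samples (not captured traffic): benign CSR, injected CSR, injected
# CSR with a query string (missed on purpose), and a ZIP-wrapped ELF upload.
SAMPLES = [
    ("POST", CSR_URI, b"commonName=vpn.example.test&organizationName=Example%20Corp&countryName=US"),
    ("POST", CSR_URI, b"commonName=vpn.example.test&organizationName=x%0Aopenssl_conf%3Dy&countryName=US"),
    ("POST", CSR_URI + "?v=1", b"organizationName=x%0Aopenssl_conf%3Dy"),
    ("POST", UPLOAD_URI, b'--b\r\nContent-Disposition: form-data; name="uploaded_file"; '
     b'filename="log.zip"\r\nContent-Type: application/zip\r\n\r\n\x7fELF\x02\x01\x01'),
]
```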
CVSS provenance
NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v3.0: 9.1 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
GHSA
GHSA-wh9v-jwf3-x8xj (ghsa_unreviewed, 2024-10-19, CRITICAL): Improper Input Validation in the admin portal of Ivanti Connect Secure before 22.7R2.1 and 9.1R18.9, or Ivanti Policy Secure before 22.7R1.1 allows a remote authenticated attacker to achieve remote code execution.
Ivanti
Ivanti Security Advisory: CVE-2024-37404 (vendor_ivanti, 2024-10-18, CVSS base score 8.8, severity HIGH): Improper Input Validation in the admin portal of Ivanti Connect Secure before 22.7R2.1 and 9.1R18.9, or Ivanti Policy Secure before 22.7R1.1 allows a remote authenticated attacker to achieve remote code execution.
CVE IDs: CVE-2024-37404
Suricata
ET WEB_SPECIFIC_APPS Ivanti Connect Secure CRLF Injection Remote Code Execution Attempt (CVE-2024-37404) (suricata, 2024-10-09, CVSS 8.8): rule sid:2056578, reproduced in full under Detection & IOCs above.
Suricata
ET WEB_SPECIFIC_APPS Ivanti Connect Secure Shared Object File Upload Attempt (suricata, 2024-10-09): rule sid:2056579, reproduced in full under Detection & IOCs above.
No writeups or analysis indexed.