Exploited: Ivanti Virtual Traffic Manager (vTM ) (CVE-2024-7593)

IONIX Tracks Impact of Ivanti vTM CVE – See if You’re Impacted

ORIGINAL POST: August 14, 9:00pm

This post is based on ongoing security research – the post will continue to be updated as we get additional information…

A critical vulnerability has just been announced in Ivanti’s Virtual Traffic Manager (vTM) that allows unauthenticated remote attackers to create administrator users. This vulnerability, CVE-2024-7593, has a CVSS score of 9.8 “Critical.”

According to an article in The Hacker News, “While there is no evidence that the flaw has been exploited in the wild, Ivanti acknowledged the public availability of a proof-of-concept (PoC), making it essential that users apply the latest fixes as soon as possible.” The presence of a public PoC makes exploitation of this issue likely and imminent.

However, the IONIX threat research team has succeeded to exploit the vulnerability on a vulnerable system to which we have access, meaning that we have evidence that the flaw is likely being exploited. We determined this by executing a non-destructive version of the exploit to create a new, rogue admin user, and confirmed that the issue is real and not a false positive.

Recommended actions:

1. For IONIX customers, affected assets will soon be visible in IONIX’s Threat Center.
2. Ivanti suggests the following guidance on their website:
   1. Upgrade to the available patch 22.2R1 (released 26 March 2024) or 22.7R2 (released 20 May 2024). Customers who have pointed their management interface to a private IP and restricted access can patch at their earliest convenience. Instructions can be found below to limit access to the management interface.  
   1. To limit exploitability of this vulnerability, it is industry best practice and advised by Ivanti to limit Admin Access to the Management Interface internal to the network through the private / corporate network.

Ivanti Virtual Traffic Manager (Ivanti vTM) is a software-based Layer 7 application delivery controller (ADC). According to the company, Ivanti vTM is ideal for hybrid environments, moving with your application as required. Ivanti vTM inspects and processes application traffic with full payload inspection and streaming. Built-in TrafficScript software controls how individual requests are optimized, routed, and transformed.

UPDATE: August 14, 11:55pm

The IONIX research team took an exploit with which we were able to create new admin user and login to Ivanti vTM systems, and modified it to failed in the creation of the user by setting an invalid password for the new admin. That way, we were able to simulate the exploit without creating a backdoor to our customers.

The team found impacted assets, which are hosted by third-party, were detected as critically vulnerable to CVE-2024-7593, Authentication Bypass vulnerability in Ivanti Virtual Traffic Manager (vTM). However, right after simulating the exploit, and before an Action Item was opened in the IONIX Portal, the team detected that the asset is no longer vulnerable.

This is either because:

1. The system got patched (if this is the case, probably, by the hosting third-party).
2. The system got hacked and the hackers are blocking the content.

Our recommendations:

1. As for at least a few hours, the system was critically vulnerable and in exploitable state, check that no new users were created and audit the login logs.
2. Contact the third-party hosting and ensure you understand what did happen with the asset. We noticed that in many cases, shared environment is used.
3. IONIX customers should go to their threat center in the portal to see potentially affected assets.