Detect Ivanti Connect Secure Authenticated Command Injection (CVE-2024-21887) in Google Chronicle
CVE-2024-21887 is a critical authenticated command injection vulnerability (CVSS 9.1) in Ivanti Connect Secure and Policy Secure web components. When chained with the authentication bypass CVE-2023-46805, unauthenticated remote attackers can execute arbitrary commands on the appliance as root. Nation-state threat actors (UNC5221) exploited this as a zero-day to deploy LIGHTWIRE, WIREFIRE, and FRAMESTING web shells and conduct credential harvesting and lateral movement. CISA added this to the KEV catalog in January 2024.
MITRE ATT&CK
YARA-L Detection Query
rule ivanti_cve_2024_21887_command_injection {
meta:
author = "df00tech Detection Engineering"
description = "Detects CVE-2024-21887 authenticated command injection against Ivanti Connect Secure and Policy Secure"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://nvd.nist.gov/vuln/detail/CVE-2024-21887"
events:
$req.metadata.event_type = "NETWORK_HTTP"
$req.network.http.method = /POST|PUT|GET/
(
$req.network.http.request_url = /\/api\/v1\/totp\/user-backup-code/ or
$req.network.http.request_url = /\/api\/v1\/.*archiving.*cloud-server-test/ or
$req.network.http.request_url = /\/api\/v1\/.*maintenance/ or
$req.network.http.request_url = /[;|&`\$(){}\[\]]/ or
$req.network.http.request_url = /%(3[Bb]|7[Cc]|60)/ or
$req.network.http.request_url = /(wget|curl|bash|python|chmod|mkfifo|base64)/
)
$req.network.http.response_code = /200|201|204/
$req.principal.ip != ""
condition:
$req
}Chronicle YARA-L rule detecting CVE-2024-21887 command injection attempts against Ivanti Connect Secure and Policy Secure appliances by matching known vulnerable API paths and injection payload patterns in HTTP requests.
Data Sources
Required Tables
False Positives & Tuning
- Authorized API calls from known Ivanti administrator IP ranges
- Security scanning tools performing vulnerability assessments
- Ivanti support access sessions touching maintenance API endpoints
- Automated orchestration tools interacting with Ivanti APIs for legitimate operations
Other platforms for CVE-2024-21887
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2024-21887 Command Injection via TOTP Backup Code Endpoint
Expected signal: HTTP POST to /api/v1/totp/user-backup-code/ with shell metacharacters in request body, followed by file creation event in /tmp/ visible in process audit logs
- Test 2CVE-2023-46805 + CVE-2024-21887 Full Chain — Unauthenticated RCE
Expected signal: Sequence of: GET to /dana-na/auth/saml-sso.cgi with path traversal, 200 response with session cookie, then PUT to /api/v1/system/maintenance/archiving/cloud-server-test-connection with shell metacharacters in host field, followed by outbound HTTP callback from appliance
- Test 3Post-Exploitation Web Shell Deployment Simulation
Expected signal: File creation event at /home/webserver/htdocs/dana-na/auth/ for a new .pl or .py file; subsequent GET request to that file path with query parameters (cmd=, exec=, c=); process spawning by the web server daemon executing perl or python
- Test 4Credential Harvesting Simulation via Ivanti Config API
Expected signal: GET requests to Ivanti configuration API endpoints for user-roles and authentication server configuration; successful 200 responses containing credential or LDAP bind DN data
References (5)
- https://nvd.nist.gov/vuln/detail/CVE-2024-21887
- https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways
- https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b
Unlock Pro Content
Get the full detection package for CVE-2024-21887 including response playbook, investigation guide, and atomic red team tests.