Detect Ivanti Connect Secure Authenticated Command Injection (CVE-2024-21887) in CrowdStrike LogScale
CVE-2024-21887 is a critical authenticated command injection vulnerability (CVSS 9.1) in Ivanti Connect Secure and Policy Secure web components. When chained with the authentication bypass CVE-2023-46805, unauthenticated remote attackers can execute arbitrary commands on the appliance as root. Nation-state threat actors (UNC5221) exploited this as a zero-day to deploy LIGHTWIRE, WIREFIRE, and FRAMESTING web shells and conduct credential harvesting and lateral movement. CISA added this to the KEV catalog in January 2024.
MITRE ATT&CK
LogScale Detection Query
#event_simpleName=NetworkConnectIP4 OR #event_simpleName=HttpRequest
| $falcon.metadata.eventType = ["HttpRequest", "NetworkConnectIP4"]
| filter(
HttpPath = /\/api\/v1\/(totp\/user-backup-code|.*archiving.*cloud-server-test|.*maintenance|configuration\/users)/ or
HttpPath = /[;|&`\$(){}\[\]]/ or
HttpPath = /%(3[Bb]|7[Cc]|60|2[Ee]2[Ee])/ or
HttpPath = /(wget|curl|bash|python3?|perl|ncat|mkfifo|chmod)[^a-zA-Z]/
)
| HttpResponseCode in [200, 201, 204]
| groupby([RemoteAddressIP4, HttpPath, HttpMethod, HttpResponseCode, aid, ComputerName])
| rename RemoteAddressIP4 as src_ip, ComputerName as endpoint_hostname
| sort(field=_count, order=desc)CrowdStrike Falcon Next-Gen SIEM query detecting CVE-2024-21887 exploitation by correlating HTTP requests to vulnerable Ivanti API paths with command injection payload patterns and successful HTTP response codes on monitored endpoints.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate Ivanti API interactions from authorized management workstations with Falcon sensor
- Vulnerability scanning or patch management tools monitored by Falcon
- Ivanti-native maintenance scripts running on managed hosts
- Authorized red team exercises with Falcon sensor deployed on target appliances
Other platforms for CVE-2024-21887
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2024-21887 Command Injection via TOTP Backup Code Endpoint
Expected signal: HTTP POST to /api/v1/totp/user-backup-code/ with shell metacharacters in request body, followed by file creation event in /tmp/ visible in process audit logs
- Test 2CVE-2023-46805 + CVE-2024-21887 Full Chain — Unauthenticated RCE
Expected signal: Sequence of: GET to /dana-na/auth/saml-sso.cgi with path traversal, 200 response with session cookie, then PUT to /api/v1/system/maintenance/archiving/cloud-server-test-connection with shell metacharacters in host field, followed by outbound HTTP callback from appliance
- Test 3Post-Exploitation Web Shell Deployment Simulation
Expected signal: File creation event at /home/webserver/htdocs/dana-na/auth/ for a new .pl or .py file; subsequent GET request to that file path with query parameters (cmd=, exec=, c=); process spawning by the web server daemon executing perl or python
- Test 4Credential Harvesting Simulation via Ivanti Config API
Expected signal: GET requests to Ivanti configuration API endpoints for user-roles and authentication server configuration; successful 200 responses containing credential or LDAP bind DN data
References (5)
- https://nvd.nist.gov/vuln/detail/CVE-2024-21887
- https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways
- https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b
Unlock Pro Content
Get the full detection package for CVE-2024-21887 including response playbook, investigation guide, and atomic red team tests.