CVE-2024-21887 Sumo Logic CSE · Sumo

Detect Ivanti Connect Secure Authenticated Command Injection (CVE-2024-21887) in Sumo Logic CSE

CVE-2024-21887 is a critical authenticated command injection vulnerability (CVSS 9.1) in Ivanti Connect Secure and Policy Secure web components. When chained with the authentication bypass CVE-2023-46805, unauthenticated remote attackers can execute arbitrary commands on the appliance as root. Nation-state threat actors (UNC5221) exploited this as a zero-day to deploy LIGHTWIRE, WIREFIRE, and FRAMESTING web shells and conduct credential harvesting and lateral movement. CISA added this to the KEV catalog in January 2024.

MITRE ATT&CK

Tactics
  • Initial Access
  • Execution
  • Persistence
  • Credential Access
  • Lateral Movement

Sumo Detection Query

Sumo Logic CSE (Sumo)

// Web access or proxy logs covering the Ivanti appliance
_sourceCategory=network/proxy OR _sourceCategory=web/access
| parse regex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) .* \"(?<method>[A-Z]+) (?<uri>[^ ]+) HTTP/[\d\.]+\" (?<status>\d{3})"
// Only Ivanti web-component paths
| where uri matches "/api/v1/*" or uri matches "/dana-ws/*" or uri matches "/dana-admin/*" or uri matches "/dana-na/*"
// Classify the request; the first matching branch wins (Sumo has no eval, so the nested if() is assigned with "as")
| if(uri matches "*totp/user-backup-code*", "known_vuln_endpoint",
    if(uri matches "*archiving/cloud-server-test*", "known_vuln_endpoint",
    if(uri matches "*%3B*" or uri matches "*%7C*" or uri matches "*%60*", "url_encoded_injection",
    if(uri matches "*wget*" or uri matches "*curl*" or uri matches "*bash*" or uri matches "*chmod*", "cmd_in_uri", "suspicious_api")))) as injection_flag
// Generic API traffic is only kept when it is a successful write
| where injection_flag != "suspicious_api" or (method in ("POST", "PUT") and status in ("200", "201", "204"))
| count as request_count by src_ip, uri, method, status, injection_flag
| sort by request_count

Severity: critical · Confidence: medium

Sumo Logic query that detects CVE-2024-21887 exploitation attempts by parsing web access logs for requests to known vulnerable Ivanti API endpoints, URL-encoded shell metacharacters (; | `), and command-injection strings in URI paths. Any other request to the Ivanti web-component paths is reported only when it is a POST or PUT that returned a 2xx status.
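The same triage logic as the query, written here as an added Python example (not part of the original detection package) so it can be run offline over a few constructed access-log lines: the regex, endpoint prefixes, flag precedence and the POST/PUT filter mirror the query, while case-insensitive matching is an assumption of this example.

```python
import re
from collections import Counter

# Same capture groups as the query's "parse regex" stage (Python spells them (?P<name>...)).
LOG_RE = re.compile(
    r'(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) .* '
    r'"(?P<method>[A-Z]+) (?P<uri>[^ ]+) HTTP/[\d.]+" (?P<status>\d{3})')
IVANTI_PREFIXES = ("/api/v1/", "/dana-ws/", "/dana-admin/", "/dana-na/")
VULN_PATHS = ("totp/user-backup-code", "archiving/cloud-server-test")
ENCODED_META = ("%3b", "%7c", "%60")  # URL-encoded ; | `
CMD_WORDS = ("wget", "curl", "bash", "chmod")

def classify(uri):
    """Mirror of the query's nested if(): the first matching branch wins."""
    u = uri.lower()  # assumption: case-insensitive so %3b and %3B both hit
    if any(p in u for p in VULN_PATHS):
        return "known_vuln_endpoint"
    if any(m in u for m in ENCODED_META):
        return "url_encoded_injection"
    if any(w in u for w in CMD_WORDS):
        return "cmd_in_uri"
    return "suspicious_api"

def detect(lines):
    """Return {(src_ip, uri, method, status, flag): count} for rows the query keeps."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or not m["uri"].startswith(IVANTI_PREFIXES):
            continue  # unparsable line, or not an Ivanti web-component path
        flag = classify(m["uri"])
        # A bare "suspicious_api" row only survives as a successful POST/PUT.
        if flag == "suspicious_api" and not (m["method"] in ("POST", "PUT")
                                             and m["status"] in ("200", "201", "204")):
            continue
        hits[(m["src_ip"], m["uri"], m["method"], m["status"], flag)] += 1
    return hits

# Constructed sample access-log lines (combined log format), not real telemetry.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "POST /api/v1/totp/user-backup-code/ HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "PUT /api/v1/system/maintenance/archiving/cloud-server-test-connection HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/Jan/2024:10:01:00 +0000] "GET /dana-na/auth/welcome.cgi?host=a%3Bb HTTP/1.1" 403 0',
    '198.51.100.7 - - [10/Jan/2024:10:01:05 +0000] "GET /dana-admin/misc/status.cgi?tool=curl HTTP/1.1" 200 91',
    '192.0.2.9 - - [10/Jan/2024:10:02:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 2048',
    '192.0.2.9 - - [10/Jan/2024:10:02:01 +0000] "POST /api/v1/configuration/users HTTP/1.1" 201 40',
    '192.0.2.9 - - [10/Jan/2024:10:02:02 +0000] "GET /index.html HTTP/1.1" 200 10',
]
```

Running `detect(SAMPLE_LOGS)` keeps five rows: the two known endpoints, the encoded-metacharacter and `curl` requests regardless of status, and the POST that returned 201; the plain GET to the portal and the non-Ivanti path are dropped, which is the same set the Sumo query would return.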

Data Sources

  • Web Access Logs
  • Proxy Logs
  • Network Logs

Required Tables

  • _sourceCategory=network/proxy
  • _sourceCategory=web/access

False Positives & Tuning

  • Legitimate management API calls from authorized Ivanti administrator accounts
  • Internal health monitoring agents polling API endpoints
  • Scheduled automation scripts that interact with Ivanti maintenance APIs
  • Red team or penetration testing activities during authorized assessment windows

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: CVE-2024-21887 Command Injection via TOTP Backup Code Endpoint

    Expected signal: HTTP POST to /api/v1/totp/user-backup-code/ with shell metacharacters in request body, followed by file creation event in /tmp/ visible in process audit logs

  2. Test 2: CVE-2023-46805 + CVE-2024-21887 Full Chain — Unauthenticated RCE

    Expected signal: Sequence of: GET to /dana-na/auth/saml-sso.cgi with path traversal, 200 response with session cookie, then PUT to /api/v1/system/maintenance/archiving/cloud-server-test-connection with shell metacharacters in host field, followed by outbound HTTP callback from appliance

  3. Test 3: Post-Exploitation Web Shell Deployment Simulation

    Expected signal: File creation event at /home/webserver/htdocs/dana-na/auth/ for a new .pl or .py file; subsequent GET request to that file path with query parameters (cmd=, exec=, c=); process spawning by the web server daemon executing perl or python

  4. Test 4: Credential Harvesting Simulation via Ivanti Config API

    Expected signal: GET requests to Ivanti configuration API endpoints for user-roles and authentication server configuration; successful 200 responses containing credential or LDAP bind DN data

Unlock Pro Content

Get the full detection package for CVE-2024-21887 including response playbook, investigation guide, and atomic red team tests.

  • Response Playbook
  • Investigation Guide
  • Hunting Queries
  • Atomic Red Team Tests
  • Tuning Guidance
