Attackers injected novel DSLog backdoor into 670 vulnerable Ivanti devices (CVE-2024-21893)
Hackers are actively exploiting a vulnerability (CVE-2024-21893) in Ivanti Connect Secure, Policy Secure and Neurons for ZTA to inject a “previously unknown and interesting backdoor” dubbed DSLog.
CVE-2024-21893 patches and exploitation
Ivanti disclosed CVE-2024-21893 – a server-side request forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Policy Secure and Neurons for ZTA – in late January, when it issued patches for affected devices.
At the same time, the company also fixed CVE-2024-21888, a privilege escalation vulnerability, and noted that the patches also fix CVE-2023-46805 and CVE-2024-21887, two zero-day flaws exploited by attackers in December 2023.
On February 2, Rapid7 released a technical analysis for CVE-2024-21893 with a functional proof-of-concept (PoC) exploit, and the Shadowserver Foundation observed attackers attempting to exploit of the vulnerability the day after.
CVE-2024-21893 exploited to install backdoor
The Orange Cyberdefense CERT also observed attacks targeting this SAML vulnerability just a few hours after the PoC had been released.
“On the first hour of February 3rd, Orange Cyberdefense analyzed a snapshot and logs of a compromised appliance. This appliance had the initial XML mitigation (API endpoints blocked) in place but not yet the second mitigation (or patch),” the team explained.
“After decrypting the snapshot, analysis started seeking to identify any recent pattern that might explain how the appliance has been compromised. Subsequently Orange Cyberdefense discovered a backdoor that was injected into the appliance’s code base.”
Withing hours, the team detected 670 compromised Ivanti servers.
“20% of these appliances were also compromised during the first campaign. However, the remaining ones had the initial XML mitigation applied (so were not vulnerable to CVE-2023-46805 & CVE-2024-21887) but lacked the second mitigation or patches,” the researchers added.
The DSLog backdoor
The novel backdoor was injected in the “DSLog.pm” Perl script, a command normally used to log events on Ivanti devices.
The team found that unlike the backdoors/webshells deployed in previous attacks agains Ivanti devices, the DSLog backdoor uses a unique hash per appliance, which cannot be used to contact the same backdoor implemented in another device.
This makes it impossible to detect the presence of the backdoor by trying to contact it, so defenders should check whether their device have been compromised by checking for the presence of artifacts (.txt files) created by the attacker when triggering the SSRF vulnerability.