Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability Allowing Remote Code Execution

Vulnerability

A stack-based buffer overflow has been identified in Ivanti Connect Secure VPN appliances, Ivanti Policy Secure, and Ivanti Neurons for ZTA Gateways. Multiple releases of each product are affected, and the flaw can be exploited by a remote, unauthenticated attacker to achieve remote code execution. The root cause is improper length handling of the 'clientCapabilities' parameter: the parameter is copied into a fixed-size stack buffer without a bounds check, giving an out-of-bounds write that can be leveraged to execute arbitrary commands on the affected appliance.

Impact

Successful exploitation gives an unauthenticated remote attacker code execution on the affected appliance. The executed commands run with the privileges of the non-root user that the vulnerable process runs as, so a further privilege escalation would be needed for full control of the device.

Reproduction

The vulnerability can be triggered by sending an HTTP request to the Ivanti Connect Secure appliance whose 'clientCapabilities' block exceeds 256 bytes. The request is handled by the 'web' binary, which serves incoming HTTP requests and the VPN protocols; the oversized parameter overflows a 256-byte stack buffer in that process. Once the overflow occurs, exploitation consists of overwriting the saved return address on the stack with a pointer to attacker-controlled data so that, when the function returns, a chosen command is executed on the system.
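The following is an added illustration of the bug class the advisory describes, written for this page and not taken from Ivanti's code: a 'clientCapabilities' value copied into a fixed 256-byte stack buffer with no length check, next to the bounded form and a simple length check that a WAF or IDS rule could apply. The request layout, the placeholder path "/example", and all function names are assumptions made for the demonstration; only the parameter name and the 256-byte threshold come from the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed illustration (not Ivanti's code). The request format, the
 * placeholder path "/example" and the helper names are assumptions; the
 * parameter name and the 256-byte buffer size follow the advisory text. */
#define CAPS_BUF_SIZE 256

/* Find the value of "clientCapabilities=" in a query/body string.
 * Sets *len to the value length (up to the next '&' or end of string). */
const char *find_client_caps(const char *request, size_t *len)
{
    const char *p = strstr(request, "clientCapabilities=");
    if (p == NULL) {
        *len = 0;
        return NULL;
    }
    p += strlen("clientCapabilities=");
    const char *end = strchr(p, '&');
    *len = (end != NULL) ? (size_t)(end - p) : strlen(p);
    return p;
}

/* Vulnerable pattern: the copy length is taken from the request, not from the
 * destination. A value of 256 bytes or more runs past buf into the saved frame
 * pointer and return address, which is the overflow described above. */
void parse_caps_unsafe(const char *request)
{
    char buf[CAPS_BUF_SIZE];
    size_t len;
    const char *v = find_client_caps(request, &len);
    if (v == NULL)
        return;
    memcpy(buf, v, len);   /* no bound check: this is the bug class */
    buf[len] = '\0';
    (void)buf;
}

/* Hardened form: compare the length with the destination before copying,
 * keep room for the terminator, and reject rather than silently truncate. */
int parse_caps_safe(const char *request, char *out, size_t out_size)
{
    size_t len;
    const char *v = find_client_caps(request, &len);
    if (v == NULL)
        return -1;         /* parameter absent */
    if (len >= out_size)
        return -2;         /* would overflow: refuse the request */
    memcpy(out, v, len);
    out[len] = '\0';
    return (int)len;
}

/* Detection helper (WAF/IDS style): flag any request whose clientCapabilities
 * value is at least 256 bytes, the threshold the advisory gives. */
int clientcaps_oversized(const char *request)
{
    size_t len;
    return find_client_caps(request, &len) != NULL && len >= CAPS_BUF_SIZE;
}

/* Build a constructed request carrying a clientCapabilities value of n bytes. */
static void build_request(char *dst, size_t dst_size, size_t n)
{
    char value[1024];
    if (n >= sizeof value)
        n = sizeof value - 1;
    memset(value, 'A', n);
    value[n] = '\0';
    snprintf(dst, dst_size,
             "POST /example HTTP/1.1\r\n\r\nclientCapabilities=%s&other=1", value);
}

/* Wrappers so the behaviour for a given value length can be checked directly. */
int oversized_for_length(size_t n)
{
    char req[2048];
    build_request(req, sizeof req, n);
    return clientcaps_oversized(req);
}

int safe_parse_for_length(size_t n)
{
    char req[2048];
    char out[CAPS_BUF_SIZE];
    build_request(req, sizeof req, n);
    return parse_caps_safe(req, out, sizeof out);
}

int main(void)
{
    char req[2048];
    build_request(req, sizeof req, 16);
    parse_caps_unsafe(req);   /* harmless only because this value is short */
    printf("16 bytes : oversized=%d safe_parse=%d\n",
           oversized_for_length(16), safe_parse_for_length(16));
    printf("300 bytes: oversized=%d safe_parse=%d\n",
           oversized_for_length(300), safe_parse_for_length(300));
    return 0;
}
```

The unsafe function is only ever called with a short value here; feeding it a 256-byte or longer value is undefined behaviour and, on a real target, the write that the advisory's exploitation path builds on. The safe variant returns a distinct error for an oversized value so the caller can log and drop the request rather than truncate it, and the same length test is what a network-side detection for this parameter would apply.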

Remediation

Users are advised to upgrade to Ivanti Connect Secure 22.7R2.5, Ivanti Policy Secure 22.7R1.3, or Ivanti Neurons for ZTA Gateways 22.8R2. For Ivanti Connect Secure, a factory reset is recommended before applying the update. After updating, continue to run and monitor the Integrity Checker Tool (ICT) for signs of compromise, since an appliance that was exploited before patching remains compromised after the upgrade.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 10.0
exploitability: 8.1
remediation: 7.7
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.