Ivanti VTM Administrator Account Creation via CVE-2024-7593
Unauthenticated remote attackers are exploiting CVE-2024-7593 in Ivanti Virtual Traffic Manager (vTM) to bypass authentication and create new administrator accounts, potentially leading to full system compromise.
CVE-2024-7593 is an authentication bypass vulnerability affecting Ivanti Virtual Traffic Manager (vTM), a widely used application delivery controller. This vulnerability allows unauthenticated remote attackers to bypass the admin panel's authentication mechanisms and create new administrator accounts. Exploitation of this flaw enables attackers to gain complete control over the Ivanti vTM instance, potentially disrupting services, intercepting traffic, and compromising sensitive data. Public proof-of-concept exploit code exists, increasing the likelihood of widespread exploitation. Successful exploitation can lead to a complete compromise of the vTM instance and the services it manages. The targets are organizations using vulnerable versions of Ivanti vTM, which are primarily web-facing applications requiring load balancing and traffic management.
Attack Chain
- An unauthenticated attacker sends a crafted HTTP request to the Ivanti vTM admin panel, exploiting CVE-2024-7593 to bypass authentication.
- The attacker leverages the authentication bypass to gain unauthorized access to the vTM admin interface.
- The attacker uses the exposed administrative functionality to create a new user account with "admin" privileges via the 'adduser' operation.
- The new administrator account lacks expected authentication details in the vTM audit logs, specifically showing IP="!!ABSENT!!".
- The attacker logs in to the Ivanti vTM admin panel using the newly created administrator account.
- Once authenticated, the attacker configures the vTM instance to redirect traffic to attacker-controlled servers.
- The attacker intercepts sensitive data, including credentials and session tokens, from the redirected traffic.
- The attacker uses the compromised data to gain access to backend systems and escalate their access within the network, potentially leading to data exfiltration or ransomware deployment.
Impact
Successful exploitation of CVE-2024-7593 allows attackers to gain full administrative control over affected Ivanti vTM instances. This can result in service disruption, data interception, and complete compromise of the applications managed by the vTM. Organizations in various sectors utilizing Ivanti vTM for critical application delivery are at risk. The creation of rogue administrator accounts can lead to unauthorized configuration changes, potentially impacting hundreds or thousands of users accessing web applications. A successful attack can lead to significant financial losses, reputational damage, and regulatory penalties.
Recommendation
- Deploy the Sigma rule
Ivanti VTM New Account Creationto detect unauthorized administrator account creation attempts based on the absence of IP addresses in the audit logs. - Ensure Ivanti vTM audit logs are properly ingested and monitored, focusing on events with
OPERATION="adduser"andMODGROUP="admin"as described in the detection rule. - Review existing Ivanti vTM accounts and configurations for any unauthorized changes or additions that may indicate prior compromise.
- Apply the security patches provided by Ivanti to address CVE-2024-7593 on all affected vTM instances. Refer to the Ivanti security advisory for patch availability.
- Implement network segmentation and access controls to limit the potential impact of a compromised vTM instance, mitigating lateral movement as described in the attack chain.
- Investigate any alerts generated by the
Ivanti VTM New Account CreationSigma rule, correlating with other security events to identify potentially compromised systems.
Detection coverage 2
Ivanti VTM New Account Creation
criticalDetects the creation of new administrator accounts without a source IP address, indicating potential exploitation of CVE-2024-7593.
Ivanti VTM Suspicious Admin Account Creation
highDetects creation of administrator accounts with suspicious usernames potentially indicative of CVE-2024-7593 exploitation.
Detection queries are available on the platform. Get full rules →