{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/ivanti-virtual-traffic-manager/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2024-7593"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Ivanti Virtual Traffic Manager"],"_cs_severities":["critical"],"_cs_tags":["ivanti","cve-2024-7593","authentication-bypass","account-creation"],"_cs_type":"advisory","_cs_vendors":["Ivanti"],"content_html":"\u003cp\u003eCVE-2024-7593 is an authentication bypass vulnerability affecting Ivanti Virtual Traffic Manager (vTM), a widely used application delivery controller. This vulnerability allows unauthenticated remote attackers to bypass the admin panel's authentication mechanisms and create new administrator accounts. Exploitation of this flaw enables attackers to gain complete control over the Ivanti vTM instance, potentially disrupting services, intercepting traffic, and compromising sensitive data. Public proof-of-concept exploit code exists, increasing the likelihood of widespread exploitation. Successful exploitation can lead to a complete compromise of the vTM instance and the services it manages. The targets are organizations using vulnerable versions of Ivanti vTM, which are primarily web-facing applications requiring load balancing and traffic management.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP request to the Ivanti vTM admin panel, exploiting CVE-2024-7593 to bypass authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the authentication bypass to gain unauthorized access to the vTM admin interface.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exposed administrative functionality to create a new user account with \u0026quot;admin\u0026quot; privileges via the 'adduser' operation.\u003c/li\u003e\n\u003cli\u003eThe new administrator account lacks expected authentication details in the vTM audit logs, specifically showing IP=\u0026quot;!!ABSENT!!\u0026quot;.\u003c/li\u003e\n\u003cli\u003eThe attacker logs in to the Ivanti vTM admin panel using the newly created administrator account.\u003c/li\u003e\n\u003cli\u003eOnce authenticated, the attacker configures the vTM instance to redirect traffic to attacker-controlled servers.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts sensitive data, including credentials and session tokens, from the redirected traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised data to gain access to backend systems and escalate their access within the network, potentially leading to data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-7593 allows attackers to gain full administrative control over affected Ivanti vTM instances. This can result in service disruption, data interception, and complete compromise of the applications managed by the vTM. Organizations in various sectors utilizing Ivanti vTM for critical application delivery are at risk. The creation of rogue administrator accounts can lead to unauthorized configuration changes, potentially impacting hundreds or thousands of users accessing web applications. A successful attack can lead to significant financial losses, reputational damage, and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eIvanti VTM New Account Creation\u003c/code\u003e to detect unauthorized administrator account creation attempts based on the absence of IP addresses in the audit logs.\u003c/li\u003e\n\u003cli\u003eEnsure Ivanti vTM audit logs are properly ingested and monitored, focusing on events with \u003ccode\u003eOPERATION=\u0026quot;adduser\u0026quot;\u003c/code\u003e and \u003ccode\u003eMODGROUP=\u0026quot;admin\u0026quot;\u003c/code\u003e as described in the detection rule.\u003c/li\u003e\n\u003cli\u003eReview existing Ivanti vTM accounts and configurations for any unauthorized changes or additions that may indicate prior compromise.\u003c/li\u003e\n\u003cli\u003eApply the security patches provided by Ivanti to address CVE-2024-7593 on all affected vTM instances. Refer to the Ivanti security advisory for patch availability.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access controls to limit the potential impact of a compromised vTM instance, mitigating lateral movement as described in the attack chain.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eIvanti VTM New Account Creation\u003c/code\u003e Sigma rule, correlating with other security events to identify potentially compromised systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-07-ivanti-vtm-account-creation/","summary":"Unauthenticated remote attackers are exploiting CVE-2024-7593 in Ivanti Virtual Traffic Manager (vTM) to bypass authentication and create new administrator accounts, potentially leading to full system compromise.","title":"Ivanti VTM Administrator Account Creation via CVE-2024-7593","url":"https://feed.craftedsignal.io/briefs/2024-07-ivanti-vtm-account-creation/"}],"language":"en","title":"CraftedSignal Threat Feed - Ivanti Virtual Traffic Manager","version":"https://jsonfeed.org/version/1.1"}