Ivanti SSRF Vulnerability Exploited by Hackers to Infect Systems with DSLog

Title: Exploitation of Ivanti SSRF Flaw Allows Hackers to Install “DSLog Backdoor”

Introduction: Ivanti Connect Secure, Ivanti's SSL VPN gateway, contains a server-side request forgery (SSRF) vulnerability in its SAML component; the same flaw also affects Ivanti Policy Secure and Ivanti Neurons for ZTA. It allows an unauthenticated attacker to reach certain restricted resources. The vulnerability has been assigned CVE-2024-21893 and carries a CVSS score of 8.2 (High).

Exploitation: Threat actors are exploiting this vulnerability in the wild to plant a backdoor, dubbed the “DSLog backdoor”, on vulnerable appliances.

Attack Method: The attacker sends an unauthenticated SAML authentication request whose xmldsig “RetrievalMethod” URI carries a command. The SAML code follows that URI to fetch key material, so the appliance issues the request to itself rather than to an external identity provider; that is the SSRF. The command inside the URI is base64-encoded so that it passes through URL handling intact, and it is decoded and executed on the device.
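As an added example, not code from the article or from Ivanti: a small Python check that pulls every RetrievalMethod URI out of a SAML request body and flags the pattern described above (a URI aimed at the appliance itself, shell metacharacters in the path, and a base64 token that decodes to a command). The two sample requests, the loopback port and path, and the command are constructed for illustration and are not the in-the-wild payload.

```python
import base64
import binascii
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

# Constructed sample request (not the in-the-wild payload): the xmldsig
# RetrievalMethod URI, which the SAML code follows to fetch key material,
# is pointed at the appliance's own loopback interface and carries a
# base64-encoded shell command. Port, path and command are assumptions.
PAYLOAD_B64 = base64.b64encode(b"id > /tmp/x").decode()
MALICIOUS_SAML = f"""<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_req1" Version="2.0">
  <ds:Signature>
    <ds:KeyInfo>
      <ds:RetrievalMethod URI="http://127.0.0.1:8090/api/internal/;echo%20{PAYLOAD_B64}%7Cbase64%20-d%7Csh"/>
    </ds:KeyInfo>
  </ds:Signature>
</samlp:AuthnRequest>"""

# Constructed benign request: RetrievalMethod pointing at an external IdP key.
BENIGN_SAML = """<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_req2" Version="2.0">
  <ds:Signature>
    <ds:KeyInfo>
      <ds:RetrievalMethod URI="https://idp.example.com/metadata/signing.pem"
          Type="http://www.w3.org/2000/09/xmldsig#X509Data"/>
    </ds:KeyInfo>
  </ds:Signature>
</samlp:AuthnRequest>"""

SHELL_META = re.compile(r"[;|`$&]")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def _internal_host(host: str) -> bool:
    """True for loopback, RFC1918, link-local or empty hosts: an SSRF target."""
    if host in ("", "localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; would need resolution to judge
    return ip.is_loopback or ip.is_private or ip.is_link_local


def _decode_b64_tokens(text: str) -> list:
    """Return base64-looking tokens that decode cleanly to printable text."""
    cmds = []
    for tok in B64_TOKEN.findall(text):
        if len(tok) % 4:
            continue  # cannot be complete base64
        try:
            raw = base64.b64decode(tok, validate=True)
        except binascii.Error:
            continue
        if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            cmds.append(raw.decode("ascii"))
    return cmds


def retrieval_method_uris(xml_bytes: bytes) -> list:
    """Collect every RetrievalMethod URI, whatever prefix the ds namespace uses."""
    root = ET.fromstring(xml_bytes)
    return [el.attrib["URI"] for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "RetrievalMethod" and "URI" in el.attrib]


def analyse_saml_request(xml_bytes: bytes) -> list:
    """Return one finding per suspicious RetrievalMethod URI."""
    findings = []
    for uri in retrieval_method_uris(xml_bytes):
        decoded = unquote(uri)  # %20, %7C ... as the target would see them
        parts = urlsplit(decoded)
        tail = parts.path + parts.query
        reasons = []
        if _internal_host(parts.hostname or ""):
            reasons.append("target host is loopback/internal")
        if SHELL_META.search(tail):
            reasons.append("shell metacharacters in path")
        for cmd in _decode_b64_tokens(tail):
            reasons.append("embedded base64 decodes to: " + cmd)
        if reasons:
            findings.append({"uri": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_saml_request(MALICIOUS_SAML.encode()):
        print(f["uri"], "->", "; ".join(f["reasons"]))
    print("benign findings:", analyse_saml_request(BENIGN_SAML.encode()))
```

The loopback check is the one that matters for SSRF; the metacharacter and base64 checks are there to separate exploitation attempts from ordinary misconfiguration when the same logic is run over captured request bodies.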

Backdoor Installation: Once that first command runs, the attackers send a second request, URL- and base64-encoded in the same way, whose command writes the backdoor into an existing Perl module, DSLog.pm, which is responsible for logging authenticated web requests and system logs. Because the implant lives inside a legitimate file that the web application already loads, a file listing alone will not reveal it; the file's contents or hash have to be compared with a clean copy.

Indicators of Compromise: Host-based indicators are a modified DSLog.pm, an index.txt file, and index files with random-character names in specific directories. The network-based indicator is the IP address 159.65.123.122, which has been tied to widespread exploitation attempts.
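As an added example, not from the article or from Ivanti: a Python sweep covering the three indicator classes above. It assumes the analyst supplies a SHA-256 of DSLog.pm taken from a clean appliance of the same build and an expected file listing for the directory being checked; the shell-primitive regex is a triage heuristic of this example rather than a signature from the report, and the Perl stubs, files and access-log lines are constructed in a temporary directory so the script runs offline.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Network indicator named in the report.
IOC_IPS = {"159.65.123.122"}

# Triage heuristic (an assumption of this example, not a published signature):
# a logging module has no business calling the shell, so system()/exec()/
# backticks with an interpolated variable in DSLog.pm deserve a look.
PERL_EXEC = re.compile(r"\bsystem\s*\(|\bexec\s*\(|`[^`]*\$[^`]*`")


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_dslog(path, baseline_sha256: str) -> list:
    """Compare DSLog.pm against a hash from a clean appliance of the same build
    (supplied by the analyst), then look for shell-execution primitives."""
    findings = []
    actual = sha256_file(path)
    if actual != baseline_sha256:
        findings.append(f"{path}: sha256 {actual[:12]}... differs from clean baseline")
    for m in PERL_EXEC.finditer(Path(path).read_text(errors="replace")):
        findings.append(f"{path}: shell execution primitive {m.group(0)!r}")
    return findings


def check_unexpected_files(directory, expected: set) -> list:
    """index.txt, or any file missing from the expected listing, is reported."""
    return [f"{directory}/{name}: unexpected file"
            for name in sorted(os.listdir(directory))
            if name == "index.txt" or name not in expected]


def check_logs(lines) -> list:
    """Match the IoC address as a whole token so 159.65.123.1220 is not hit."""
    patterns = {ip: re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
                for ip in IOC_IPS}
    findings = []
    for n, line in enumerate(lines, 1):
        for ip, pat in patterns.items():
            if pat.search(line):
                findings.append(f"log line {n}: IoC address {ip}")
    return findings


def run_demo() -> dict:
    """Build a throwaway perl directory with constructed files and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        perl_dir = Path(tmp) / "perl"
        perl_dir.mkdir()
        dslog = perl_dir / "DSLog.pm"
        # Constructed stand-in for a clean logging module (not Ivanti's code).
        clean = "package DSLog;\nsub log_request { my ($req) = @_; _write($req); }\n1;\n"
        dslog.write_text(clean)
        baseline = sha256_file(dslog)
        # Constructed stand-in for a command stub appended by an attacker.
        dslog.write_text(clean + "sub _run { my ($c) = @_; return `$c`; }\n")
        (perl_dir / "index.txt").write_text("placeholder\n")
        # Constructed access-log lines; only the second carries the reported address.
        logs = [
            '10.0.0.5 - - [10/Feb/2024:12:00:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200',
            '159.65.123.122 - - [10/Feb/2024:12:00:07 +0000] "POST /dana-ws/saml20.ws HTTP/1.1" 200',
            '159.65.123.1220 is not an address and must not match',
        ]
        return {
            "dslog": check_dslog(dslog, baseline),
            "files": check_unexpected_files(perl_dir, {"DSLog.pm"}),
            "logs": check_logs(logs),
        }


if __name__ == "__main__":
    for section, items in run_demo().items():
        print(section, *items, sep="\n  ")
```

The hash comparison is the authoritative check; the regex only orders the triage. Take the baseline from an appliance you trust, not from the suspect device, since the implant is written into the file the baseline is meant to vouch for.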

Conclusion: Ivanti Connect Secure carries a serious SSRF vulnerability in its SAML component that lets unauthenticated threat actors reach restricted resources, and attackers have already used it to install the DSLog backdoor on exposed appliances. Organizations running affected Ivanti products should apply Ivanti's fixes for CVE-2024-21893 and, because patching does not remove an implant that is already in place, check DSLog.pm and the directories above against a known-clean appliance before trusting the device again.
