关联漏洞
标题:
Ivanti ICS 授权问题漏洞
(CVE-2023-46805)
描述:Ivanti ICS是美国Ivanti公司的一代远程安全访问产品。 Ivanti ICS 9.x版本、22.x版本、Ivanti Policy Secure存在授权问题漏洞,该漏洞源于 Web 组件中存在身份验证绕过漏洞。攻击者利用该漏洞可以绕过控制检查来访问受限资源。
描述
CVE-2023-46805 scanner for possible vulnerable Ivanti Connect Secure appliances by country using Shodan.
介绍
# CVE-2023-46805 Scanner
CVE-2023-46805 Scanner for *possible* vulnerable Ivanti Connect Secure appliances by country using Shodan.
Script version: 1.3
Updated with the recent blog post made by [Assetnote](https://www.assetnote.io/resources/research/high-signal-detection-and-exploitation-of-ivantis-pulse-connect-secure-auth-bypass-rce)
⚠️ This script is for defensive purposes and should be used by cybersecurity professionals to identify possible vulnerable ICS appliances and make contact as soon as possible with the affected organizations.
If one of the IPs appeared as a *Vulnerable ICS Appliance* please apply the mitigations developed by [Ivanti](https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US) also, it's important to check the integrity of your files with the tool [Integrity Checker Tool](https://forums.ivanti.com/s/article/KB44755?language=en_US)
# Help
To use the script, you should have installed the Shodan Python library:
```
pip install shodan
```
```
usage: CVE-2023-46805 Scanner [-h] -c COUNTRY
Quick scanner for possible vulnerable Ivanti Connect Secure appliances by country using Shodan.
options:
-h, --help show this help message and exit
-c COUNTRY, --country COUNTRY
Country code (like CL, US, CA, BR)
Please make sure that you are using a valid Shodan API Key
```
(It's possible to add more than one country to the scan followed by a `,` without spaces)
Example: `python ivanti.py -c US,BR,ES`
# Shodan
Shodan Query: `http.favicon.hash:-1439222863 country:country_code`
# Vulnerability Intelligence
Please refer to the following CVEs for more information:
### [CVE-2023-46805](https://nvd.nist.gov/vuln/detail/CVE-2023-46805)
- CVSS: **8.2**
- Impact: **Authentication Bypass**
- Description: *Allows a remote attacker to access restricted resources by bypassing control checks.*
### [CVE-2024-21887](https://nvd.nist.gov/vuln/detail/CVE-2024-21887)
- CVSS: **9.1**
- Impact: **Command Injection**
- Description: *Allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.*
Based on the blog post by watchTowr Labs!:
[Welcome To 2024, The SSLVPN Chaos Continues - Ivanti CVE-2023-46805 & CVE-2024-21887](https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/)
At the moment, the vulnerabilites are being exploited massively:
[Volexity - Ivanti Connect Secure VPN Exploitation Goes Global](https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/)
By: yoryio
文件快照
[4.0K] /data/pocs/a0b0ab78119dbc7e49f0b88471de02761cb07ae2
├── [2.9K] CVE-2023-46805.py
└── [2.7K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。