High-profile threat

CVE-2024-22024
Ivanti Connect Secure vulnerability analysis and mitigation

Overview

An XML external entity (XXE) vulnerability, identified as CVE-2024-22024, was discovered in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and ZTA gateways. This high-severity vulnerability allows attackers to access certain restricted resources without authentication. The vulnerability was initially discovered and responsibly disclosed by WatchTowr Labs on February 2, 2024, and was publicly disclosed by Ivanti on February 8, 2024 (Arctic Wolf, WatchTowr Labs).

Technical details

The vulnerability is classified as an XML External Entity (XXE) injection flaw in the SAML component, specifically affecting the /dana-na/auth/saml-sso.cgi endpoint via the SAMLRequest parameter. The vulnerability has been assigned a CVSS v3.1 base score of 8.3 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).
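Because the attack surface is a SAMLRequest parameter on the saml-sso.cgi endpoint, a defender can check that parameter for what XXE needs and SAML never does: a DTD. The script below is an added example (not Ivanti's code and not from the advisory) that decodes SAMLRequest values from constructed access-log lines, inflates the HTTP-Redirect binding's raw DEFLATE, and flags any request whose XML carries a DOCTYPE or ENTITY declaration; the same `has_dtd` pre-check is the reject-before-parse rule an IdP or SP should apply. The log format and the sample messages are assumptions.

```python
import base64
import re
import zlib
from urllib.parse import parse_qs, quote, urlsplit

# A SAML AuthnRequest never legitimately carries a DTD, and an XXE payload must
# declare its entity inside one, so any DOCTYPE/ENTITY is an alert/reject condition.
DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
TARGET_PATH = "/dana-na/auth/saml-sso.cgi"   # endpoint named in the advisory
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def decode_saml_request(value: str) -> bytes:
    """base64-decode a SAMLRequest; inflate it if the HTTP-Redirect binding
    (raw DEFLATE, no zlib header) was used, otherwise return the bytes as-is."""
    raw = base64.b64decode(value)
    try:
        return zlib.decompress(raw, -15)
    except zlib.error:
        return raw  # HTTP-POST binding sends uncompressed base64 XML

def has_dtd(xml_bytes: bytes) -> bool:
    return DTD_RE.search(xml_bytes) is not None

def scan_log_line(line: str):
    """Return the decoded XML if this access-log line is a saml-sso.cgi request
    whose SAMLRequest contains a DTD, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if url.path != TARGET_PATH:
        return None
    for value in parse_qs(url.query).get("SAMLRequest", []):
        try:
            xml = decode_saml_request(value)
        except ValueError:   # undecodable base64; worth its own alert in practice
            continue
        if has_dtd(xml):
            return xml
    return None

def encode_redirect_binding(xml: bytes) -> str:
    """Encode XML as the HTTP-Redirect binding does (used to build the samples)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml) + c.flush()).decode()

# Constructed sample traffic: a normal AuthnRequest, one carrying a harmless
# internal entity (enough to trip the DTD check), and an unrelated request.
BENIGN_XML = b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_a1" Version="2.0"/>'
DTD_XML = b'<!DOCTYPE r [<!ENTITY e "x">]>' + BENIGN_XML.replace(b"/>", b">&e;</samlp:AuthnRequest>")
LOG_LINES = [
    f'203.0.113.5 - - [09/Feb/2024:10:00:01 +0000] "GET {TARGET_PATH}?SAMLRequest={quote(encode_redirect_binding(BENIGN_XML))} HTTP/1.1" 302 0',
    f'203.0.113.9 - - [09/Feb/2024:10:00:07 +0000] "GET {TARGET_PATH}?SAMLRequest={quote(encode_redirect_binding(DTD_XML))} HTTP/1.1" 200 512',
    '203.0.113.9 - - [09/Feb/2024:10:00:09 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 4096',
]

def flagged_lines(lines=LOG_LINES):
    """Indexes of log lines whose SAMLRequest carries a DTD."""
    return [i for i, line in enumerate(lines) if scan_log_line(line) is not None]
```

Only the second constructed line is flagged; the check is intentionally coarse (any DTD), since legitimate SAML traffic gives no reason to allow one.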

Impact

The vulnerability allows attackers to perform various malicious actions including Denial of Service (DoS), local file read, and Server-Side Request Forgery (SSRF). The SSRF capability is particularly concerning because it could potentially lead to command execution/injection through access to internal Python API servers listening on various local ports (WatchTowr Labs).

Mitigation and workarounds

Ivanti has released fixed versions for affected products: Connect Secure (9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, 22.6R2.2), Policy Secure (9.1R17.3, 9.1R18.4, 22.5R1.2), and ZTA (22.5R1.6, 22.6R1.5, 22.6R1.7). Organizations that have applied the patch released on January 31st or February 1st and completed a factory reset of their appliance do not need to perform another factory reset (Arctic Wolf).

