CVE-2024-22024 Vulnerability

What is CVE-2024-22024 vulnerability?

CVE-2024-22024 is an XXE (XML External Entity) flaw in the SAML (Security Assertion Markup Language) authentication component of Ivanti gateways.

The vulnerability exists because the application processes XML input from user-supplied requests without properly disabling external entity references. Attackers can exploit this by embedding a malicious XML reference (an "entity") in a SAML request. When the server processes this request, it automatically expands the entity, which can allow the attacker to read arbitrary files on the system or trick the server into authenticating them without valid credentials.

It is rated High (CVSS 8.3) because it can be exploited remotely without any user interaction or prior authentication.

When was it discovered?

The vulnerability was publicly disclosed by Ivanti on February 8, 2024. It was discovered during Ivanti's internal code review and testing, triggered by the intense scrutiny following the earlier exploitation of CVE-2023-46805 and CVE-2024-21887. It was also independently discovered and reported by security researchers at watchTowr.

Affected products & versions

If you are running an unpatched version of Ivanti Connect Secure, Policy Secure, or ZTA, you are likely vulnerable.

CVE-2024-22024 technical description

The vulnerability specifically targets the SAML endpoints on the appliance, such as /dana-na/auth/saml-sso.cgi or /dana-ws/saml.ws.

In a standard XXE attack, the attacker injects a declaration defining an external entity that points to a sensitive file (e.g., /etc/passwd or a configuration file).

In the case of CVE-2024-22024, the vulnerable XML parser processes this entity. While full details of the exact file read capabilities vary by configuration, the primary risk is that the successful parsing of this malicious XML allows the attacker to trick the SAML component into granting access to restricted resources that should only be available to authenticated users.

Crucially, this vulnerability bypassed the initial XML mitigations released by Ivanti in late January 2024, necessitating a new patch.

Tactics, techniques & procedures (TTPs)

Although widespread exploitation was not immediately observed at the moment of disclosure, the mechanics are similar to previous Ivanti exploits.

• Reconnaissance: Attackers scan for the presence of the /dana-na/ login page and check the version number or specific HTTP response headers to identify unpatched appliances.

• Exploitation: The attacker sends a crafted HTTP POST request containing a malicious SAMLRequest payload. This payload includes the XXE definition.

• Impact:

• Information Disclosure: Reading local files from the appliance file system.

• Auth Bypass: Gaining access to internal "restricted resources" which can potentially lead to further compromise or lateral movement.

• DoS: In some scenarios, XXE can be used to trigger a Denial of Service (the "Billion Laughs" attack), crashing the SAML service.

Indicators of compromise

Detection involves looking for anomalies in web logs and system behavior.

• Web Logs: Look for HTTP POST requests to SAML endpoints (/dana-na/auth/saml-sso.cgi, /dana-ws/saml.ws) that originated from unknown or suspicious IP addresses.

• Payload Signatures: If full request logging is enabled, search for , ENTITY, or SYSTEM tags within the decoded SAMLRequest parameter.

• Error Logs: Frequent "SAML processing failed" errors or crashes of the saml-server process (Event ID ERR31903) may indicate failed exploitation attempts.

Known proof-of-concepts & exploits

Proof-of-Concept (PoC) exploits were publicly released shortly after disclosure. Researchers at watchTowr demonstrated how the vulnerability could be trivially exploited to access internal endpoints.

While not as immediately devastating as the Command Injection flaws (CVE-2024-21887), the availability of PoC code makes it a dangerous tool for attackers looking to regain access to networks where they were previously evicted.

How to detect CVE-2024-22024 vulnerability?

• Version Check: The most reliable method is to verify the specific build number of your Ivanti appliance against the "Fixed Versions" table above.

• Integrity Checker Tool (ICT): Run Ivanti's external Integrity Checker Tool. While primarily designed for file modifications, it can help identify artifacts left by attackers who may have chained this exploit with others.

• Managed Detection: Use a service like Huntress Managed EDR to monitor for suspicious post-exploitation activity, such as unexpected process spawning or webshells, which are common follow-up actions after an authentication bypass.

Impact & risk of CVE-2024-22024 vulnerability

The risk is High.

For many organizations, the Ivanti VPN appliance is the "front door" to the corporate network. An authentication bypass here negates passwords and Multi-Factor Authentication (MFA). Even if this specific CVE "only" allows access to restricted resources, it is often a stepping stone that allows attackers to reach internal login pages, steal sessions, or leverage other internal vulnerabilities to gain full control.

Mitigation & remediation strategies

• Patch Immediately: Apply the specific patch released on February 8, 2024 (or later). Note that patches released before this date do not fix CVE-2024-22024.

• Apply Mitigations: If you cannot patch immediately, apply the updated XML mitigation XML file provided by Ivanti via the download portal. This filter blocks the specific attack vector.

• Reduce Attack Surface: Ensure your VPN interface is not exposed to the entire internet if possible, restricting access to known geographies or management IP ranges.