{"id":1135576,"date":"2024-02-06T06:50:26","date_gmt":"2024-02-06T08:50:26","guid":{"rendered":"https:\/\/teknomers.com\/fr\/une-recente-faille-ssrf-dans-les-produits-ivanti-vpn-est-exploitee-en-masse\/"},"modified":"2024-02-06T06:50:31","modified_gmt":"2024-02-06T08:50:31","slug":"une-recente-faille-ssrf-dans-les-produits-ivanti-vpn-est-exploitee-en-masse","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/une-recente-faille-ssrf-dans-les-produits-ivanti-vpn-est-exploitee-en-masse\/","title":{"rendered":"Une r\u00e9cente faille SSRF dans les produits Ivanti VPN est exploit\u00e9e en masse"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">06 f\u00e9vrier 2024<\/span><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">R\u00e9daction<\/span><\/span><span class=\"p-tags\">Cybers\u00e9curit\u00e9 \/ Vuln\u00e9rabilit\u00e9<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a rel=\"nofollow\" href=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2024\/02\/Une-recente-faille-SSRF-dans-les-produits-Ivanti-VPN-est.jpg\" style=\"clear: left; display: block; float: left; text-align: center;\"><\/a><\/div>\n<p>Une falsification de requ\u00eate c\u00f4t\u00e9 serveur r\u00e9cemment r\u00e9v\u00e9l\u00e9e (<a rel=\"nofollow noopener\" href=\"https:\/\/owasp.org\/www-community\/attacks\/Server_Side_Request_Forgery\" target=\"_blank\">SSRF<\/a>) la vuln\u00e9rabilit\u00e9 affectant les produits Ivanti Connect Secure et Policy Secure a \u00e9t\u00e9 exploit\u00e9e \u00e0 grande \u00e9chelle.<\/p>\n<p>La Fondation Shadowserver <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/Shadowserver\/status\/1754145361029960189\" target=\"_blank\">dit<\/a> elle a observ\u00e9 des tentatives d&#8217;exploitation provenant de plus de 170 adresses IP uniques visant, entre autres, \u00e0 \u00e9tablir un reverse shell.<\/p>\n<p>Les attaques exploitent CVE-2024-21893 (score CVSS : 8,2), une faille SSRF dans le composant SAML d&#8217;Ivanti Connect Secure, Policy Secure et Neurons pour ZTA qui permet \u00e0 un attaquant d&#8217;acc\u00e9der \u00e0 des ressources autrement restreintes sans authentification.<\/p>\n<p>Ivanti avait pr\u00e9c\u00e9demment r\u00e9v\u00e9l\u00e9 que la vuln\u00e9rabilit\u00e9 avait \u00e9t\u00e9 exploit\u00e9e dans des attaques cibl\u00e9es visant un \u00ab nombre limit\u00e9 de clients \u00bb, mais a averti que le statu quo pourrait changer apr\u00e8s la divulgation publique.<\/p>\n<div class=\"check_two clear babsi\"><center class=\"cf\"><a rel=\"nofollow noopener\" href=\"https:\/\/thn.news\/tl_d1\" target=\"_blank\" title=\"Cybersecurity\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"La cyber-s\u00e9curit\u00e9\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2024\/01\/Les-attaques-DDoS-contre-le-secteur-des-services-environnementaux-augmentent.gif\" width=\"727\" height=\"90\"\/><\/a><\/center><\/div>\n<p>C&#8217;est exactement ce qui semble s&#8217;\u00eatre produit, surtout apr\u00e8s la <a rel=\"nofollow noopener\" href=\"https:\/\/attackerkb.com\/topics\/FGlK1TVnB2\/cve-2024-21893\/rapid7-analysis\" target=\"_blank\">lib\u00e9rer<\/a> d&#8217;un exploit de preuve de concept (PoC) par la soci\u00e9t\u00e9 de cybers\u00e9curit\u00e9 Rapid7 la semaine derni\u00e8re.<\/p>\n<p>Le PoC implique la cr\u00e9ation d&#8217;une cha\u00eene d&#8217;exploitation combinant CVE-2024-21893 avec CVE-2024-21887, une faille d&#8217;injection de commandes pr\u00e9c\u00e9demment corrig\u00e9e, pour permettre l&#8217;ex\u00e9cution de code \u00e0 distance non authentifi\u00e9.<\/p>\n<p>Il convient de noter ici que CVE-2024-21893 est un alias pour <a rel=\"nofollow noopener\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-36661\" target=\"_blank\">CVE-2023-36661<\/a> (score CVSS : 7,5), une vuln\u00e9rabilit\u00e9 SSRF pr\u00e9sente dans la biblioth\u00e8que open source Shibboleth XMLTooling.  Ce probl\u00e8me a \u00e9t\u00e9 corrig\u00e9 par les responsables en juin 2023 avec la sortie de <a rel=\"nofollow noopener\" href=\"https:\/\/shibboleth.net\/community\/advisories\/secadv_20230612.txt\" target=\"_blank\">version 3.2.4<\/a>. <\/p>\n<p>Will Dormann, chercheur en s\u00e9curit\u00e9 <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/wdormann\/status\/1754505384138604778\" target=\"_blank\">plus loin<\/a> a soulign\u00e9 d&#8217;autres composants open source obsol\u00e8tes utilis\u00e9s par les appliances Ivanti VPN, tels que curl 7.19.7, openssl 1.0.2n-fips, perl 5.6.1, psql 9.6.14, cabextract 0.5, ssh 5.3p1 et d\u00e9compressez 6.00, ouvrant ainsi la porte \u00e0 davantage d&#8217;attaques.<\/p>\n<p>Cette \u00e9volution intervient alors que les acteurs malveillants ont trouv\u00e9 un moyen de contourner l&#8217;att\u00e9nuation initiale d&#8217;Ivanti, ce qui a incit\u00e9 la soci\u00e9t\u00e9 bas\u00e9e dans l&#8217;Utah \u00e0 publier un deuxi\u00e8me fichier d&#8217;att\u00e9nuation.  Depuis le 1er f\u00e9vrier 2024, la soci\u00e9t\u00e9 a commenc\u00e9 \u00e0 publier des correctifs officiels pour corriger toutes les vuln\u00e9rabilit\u00e9s.<\/p>\n<div class=\"check_two clear babsi\"><center class=\"cf\"><a rel=\"nofollow noopener\" href=\"https:\/\/thn.news\/tcepdHrZ\" target=\"_blank\" title=\"Cybersecurity\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"La cyber-s\u00e9curit\u00e9\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2024\/02\/Avertissement-de-nouveaux-logiciels-malveillants-apparaissent-lors-dattaques-exploitant-les.png\" width=\"727\" height=\"90\"\/><\/a><\/center><\/div>\n<p>La semaine derni\u00e8re, Mandiant, propri\u00e9t\u00e9 de Google, a r\u00e9v\u00e9l\u00e9 que plusieurs acteurs malveillants exploitaient CVE-2023-46805 et CVE-2024-21887 pour d\u00e9ployer une gamme de shells Web personnalis\u00e9s suivis comme BUSHWALK, CHAINLINE, FRAMESTING et LIGHTWIRE.<\/p>\n<p>Unit\u00e9 42 de r\u00e9seaux de Palo Alto <a rel=\"nofollow noopener\" href=\"https:\/\/unit42.paloaltonetworks.com\/threat-brief-ivanti-cve-2023-46805-cve-2024-21887\/\" target=\"_blank\">dit<\/a> il a observ\u00e9 28\u00a0474 instances expos\u00e9es d&#8217;Ivanti Connect Secure et Policy Secure dans 145 pays entre le 26 et le 30 janvier 2024, avec 610 instances compromises d\u00e9tect\u00e9es dans 44 pays au 23 janvier 2024.<\/p>\n<p><\/p>\n<div class=\"cf note-b\">Vous avez trouv\u00e9 cet article int\u00e9ressant ?  Suivez-nous sur <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/thehackersnews\" target=\"_blank\">Twitter <i class=\"icon-font icon-twitter\">\uf099<\/i><\/a>  et <a rel=\"nofollow noopener\" href=\"https:\/\/www.linkedin.com\/company\/thehackernews\/\" target=\"_blank\">LinkedIn<\/a> pour lire plus de contenu exclusif que nous publions.<\/div>\n<\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><br \/>\n<br \/><br \/>\n<br \/><a href=\"https:\/\/thehackernews.com\/2024\/02\/recently-disclosed-ssrf-flaw-in-ivanti.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\ue80206 f\u00e9vrier 2024\ue804R\u00e9dactionCybers\u00e9curit\u00e9 \/ Vuln\u00e9rabilit\u00e9 Une falsification de requ\u00eate c\u00f4t\u00e9 serveur r\u00e9cemment r\u00e9v\u00e9l\u00e9e (SSRF) la vuln\u00e9rabilit\u00e9 affectant les produits Ivanti Connect Secure et Policy Secure a \u00e9t\u00e9 exploit\u00e9e \u00e0 grande \u00e9chelle. La Fondation Shadowserver dit elle a observ\u00e9 des tentatives d&#8217;exploitation provenant de plus de 170 adresses IP uniques visant, entre autres, \u00e0 \u00e9tablir un [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1135577,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[200292,4168,4165,4161,200267,429,40,36372,9048,175748,4159,4171,65,200271,242,200268,200269,200270,2726,27730,128318,4172,4169,228416,196,4166,27977,4164],"class_list":["post-1135576","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-actualites-sur-la-cybersecurite","tag-comment-pirater","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-cyberactualites","tag-dans","tag-est","tag-exploitee","tag-faille","tag-ivanti","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-les","tag-logiciel-malveillant-rancongiciel","tag-masse","tag-mises-a-jour-sur-la-cybersecurite","tag-nouvelles-des-pirates","tag-nouvelles-sur-le-piratage","tag-produits","tag-recente","tag-securite-des-informations","tag-securite-informatique","tag-securite-internet","tag-ssrf","tag-une","tag-violation-de-donnees","tag-vpn","tag-vulnerabilite-logicielle"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/1135576","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=1135576"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/1135576\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/1135577"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=1135576"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=1135576"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=1135576"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}