Security News > 2024 > February > Attackers injected novel DSLog backdoor into 670 vulnerable Ivanti devices (CVE-2024-21893)

Attackers injected novel DSLog backdoor into 670 vulnerable Ivanti devices (CVE-2024-21893)
2024-02-13 10:58

Hackers are actively exploiting a vulnerability in Ivanti Connect Secure, Policy Secure and Neurons for ZTA to inject a "Previously unknown and interesting backdoor" dubbed DSLog.

Ivanti disclosed CVE-2024-21893 - a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure, Policy Secure and Neurons for ZTA - in late January, when it issued patches for affected devices.

"After decrypting the snapshot, analysis started seeking to identify any recent pattern that might explain how the appliance has been compromised. Subsequently Orange Cyberdefense discovered a backdoor that was injected into the appliance's code base."

Withing hours, the team detected 670 compromised Ivanti servers.

The novel backdoor was injected in the "DSLog.pm" Perl script, a command normally used to log events on Ivanti devices.

The team found that unlike the backdoors/webshells deployed in previous attacks agains Ivanti devices, the DSLog backdoor uses a unique hash per appliance, which cannot be used to contact the same backdoor implemented in another device.


News URL

https://www.helpnetsecurity.com/2024/02/13/cve-2024-21893-backdoor/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2024-01-31 CVE-2024-21893 Server-Side Request Forgery (SSRF) vulnerability in Ivanti Connect Secure and Policy Secure
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
network
low complexity
ivanti CWE-918
8.2

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Ivanti 27 0 51 156 75 282