Status of Korean Servers Exposed to Ivanti Connect Secure Vulnerabilities (Multiple CVEs)
Multiple vulnerabilities have been disclosed for the Ivanti Connect Secure product, including several with a CVSS score of 9 or higher (CRITICAL). The majority of Ivanti Connect Secure servers operating in Korea have been identified as vulnerable versions.

Figure 1. Default connection screen of Ivanti Connect Secure
Ivanti Connect Secure is a VPN solution from the US-based company Ivanti, designed to allow access to the internal networks of companies and other organizations. It is also quite well-known in Korea and has been found to be used by many companies. On November 11, Ivanti posted a security advisory regarding multiple vulnerabilities in the Ivanti Connect Secure product, and AhnLab also posted the advisory through the ATIP and ASEC Blog.
- Ivanti Security Advisory – https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs
- [ASEC Blog] Ivanti Product Security Update Advisory – https://asec.ahnlab.com/en/84428/
- [ATIP] Ivanti Product Security Update Advisory – https://atip.ahnlab.com/security-advisory/view?id=1bb8dec1-16e6-4412-9b5c-a81f182166b9
Vulnerabilities are present in all versions below the latest version, and there are also numerous high-risk vulnerabilities that allow remote code execution.
| CVSS Band | CVSS Score | CVE | Remarks |
|---|---|---|---|
| 9 CRITICAL | 9.1 | CVE-2024-38656 | Remote Code Execution |
| 9 CRITICAL | 9.1 | CVE-2024-39710 | Remote Code Execution |
| 9 CRITICAL | 9.1 | CVE-2024-39711 | Remote Code Execution |
| 9 CRITICAL | 9.1 | CVE-2024-39712 | Remote Code Execution |
| 9 CRITICAL | 9.1 | CVE-2024-11005 | Remote Code Execution |
| 9 CRITICAL | 9.1 | CVE-2024-11006 | Remote Code Execution |
| 9 CRITICAL | 9.1 | CVE-2024-11007 | Remote Code Execution |
| 9 CRITICAL | 9.1 | CVE-2024-38655 | Remote Code Execution |
| 8 HIGH | 8.8 | CVE-2024-9420 | Remote Code Execution |
| 8 HIGH | 8.4 | CVE-2024-11004 | Reflected XSS |
| 7 HIGH | 7.8 | CVE-2024-39709 | Privilege Escalation |
| 7 HIGH | 7.8 | CVE-2024-47906 | Privilege Escalation |
| 7 HIGH | 7.5 | CVE-2024-8495 | DoS |
| 7 HIGH | 7.5 | CVE-2024-38649 | DoS |
Table 1. List of vulnerabilities
According to the findings from ASEC through the ASM service, operation records of Ivanti Connect Secure were found on 1,111 domestic servers, and detailed version information could be obtained for 743 of these servers (as of November 19, 2024).
Out of the 743 servers for which version information could be obtained, 69 servers were operating with the latest version. Excluding these 69 servers, 674 servers (90.7%) were operating with vulnerable versions, and most of the vulnerable servers are identified as belonging to companies and organizations, so caution is needed.

Figure 2. Proportion of servers with vulnerabilities
Unlike previous vulnerability postings, the number identified is not particularly high, but this product is primarily used by large organizations such as companies and institutions. Due to the nature of VPN servers, where many members frequently connect and are linked to internal networks, remaining in a vulnerable state could lead to significant damage.
| IP | Port | Version | RDNS |
|---|---|---|---|
| 61.78.*.10 | 443 | 7.4.0.30667 | **work.**.co.kr |
| 27.122.*.112 | 443 | 22.6.2.2719 | vpn.*******.co.kr |
| 222.236.*.64 | 443 | 22.7.2.3191 | sec.*****.or.kr |
| 221.149.*.147 | 443 | 8.0.6.32195 | vpn.*******.com |
| 218.38.*.90 | 443 | 8.3.7.65025 | vpn.***.go.kr |
| 211.56.*.237 | 443 | 22.5.2.2229 | ***.*****corp.com |
| 211.233.*.242 | 443 | 6.5.0.14951 | ***.*******.kr |
| 211.233.*.178 | 443 | 9.1.18.25187 | *******.***.co.kr |
| 210.218.*.30 | 443 | 9.1.18.25187 | vpn.****.re.kr |
| 210.116.*.202 | 443 | 9.1.18.25055 | vnet.********.com |
| 210.103.*.30 | 443 | 7.3.0.24657 | ssl.*****.or.kr |
| 203.234.*.200 | 443 | 22.7.2.2615 | *vpn2.****.co.kr |
| 124.243.*.188 | 443 | 9.1.18.25505 | *****vpn.********.com |
| 119.199.*.12 | 443 | 9.1.18.25055 | vpn.********.com |
| 114.108.*.91 | 443 | 8.3.7.65025 | vpn.********.com |
| 1.215.*.230 | 443 | 9.1.18.25609 | *****vpn.******.com |
Table 2. Examples of identified vulnerable servers
The version information used in the table above is in the format of [version+build number]. By referring to the release notes on the official website, you can check the version information in the format of [version+release number] listed in the security advisory.
Example: 9.1.18.25055 → 9.1R18.4

Figure 5. Release notes from Ivanti
The Ivanti Connect Secure product is widely used around the world, and its vulnerabilities have been exploited in real attacks on multiple occasions in the past[1], so it requires particular caution. AhnLab published the related content through ASEC Notes on ATIP.
- Warning Against Vulnerability Exploited in Actual Attacks (Feb. 13, 2024) – https://atip.ahnlab.com/intelligence/view?id=9c0c0822-3d5d-42ab-9284-4f6c90886c72
- Warning Against Vulnerability Exploited in Actual Attacks (Jan. 19, 2024) – https://atip.ahnlab.com/intelligence/view?id=15983f45-5310-4d06-9596-44d2ccf824c8
Ivanti Connect Secure is currently available in versions 9.x and 22.x, and was previously offered under the names Pulse Connect Secure (8.x) and Juniper Secure Access (7.x). A significant number of the identified Korean servers are still using outdated products well beyond their EOL, and in this case, they are operating while exposed to numerous serious vulnerabilities in addition to those mentioned in this posting.

Figure 3. Proportion of versions used by domestic servers
Referring to the security advisory in this post, servers using outdated versions are advised to update to the latest version immediately. Additionally, for version 9.x, EOL is scheduled for the end of this year, so an update to version 22.x is necessary.
- 9.1.18.25685(9.1R18.9)
- 22.7.2.3431(22.7R2.3)
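The following is an added example, not code from ASEC or Ivanti: a small triage script for an asset inventory that holds version strings in the [version+build number] format described above. It uses the two fixed builds listed here and the product names this post gives for 7.x and 8.x. It assumes that comparing the four numeric fields in order reflects release order within a product line, and the host names are placeholders.

```python
# Added example: triage ICS version strings in [version+build number] format.
# Fixed builds and product names are from this post; tuple ordering is assumed.
FIXED = {9: (9, 1, 18, 25685), 22: (22, 7, 2, 3431)}
# Build-to-release labels stated in this post; others need the release notes.
RELEASE = {"9.1.18.25055": "9.1R18.4", "9.1.18.25685": "9.1R18.9",
           "22.7.2.3431": "22.7R2.3"}
LEGACY = {8: "Pulse Connect Secure", 7: "Juniper Secure Access"}


def parse_version(text):
    """Parse 'major.minor.patch.build' into a tuple of four ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not in version+build format: {text!r}")
    return tuple(int(p) for p in parts)


def classify(text):
    """Return (status, note) for one version string."""
    try:
        ver = parse_version(text)
    except ValueError as exc:
        return "unknown", str(exc)
    major = ver[0]
    if major < 9:  # lines the post describes as well beyond EOL
        return "eol", LEGACY.get(major, "pre-9.x product") + ", past EOL"
    if major not in FIXED:
        return "unknown", "no fixed build listed for this line"
    label = RELEASE.get(text.strip(), "release number: see release notes")
    if ver >= FIXED[major]:
        return "fixed", label
    target = ".".join(map(str, FIXED[major]))
    return "vulnerable", f"{label}; update to {target} or later"


def triage(inventory):
    """Group (host, version) pairs by status."""
    result = {"eol": [], "vulnerable": [], "fixed": [], "unknown": []}
    for host, version in inventory:
        status, note = classify(version)
        result[status].append((host, version, note))
    return result


# Constructed inventory: placeholder hosts, version strings as seen in Table 2.
SAMPLE = [("vpn-a.example", "9.1.18.25055"), ("vpn-b.example", "22.7.2.3431"),
          ("vpn-c.example", "8.3.7.65025"), ("vpn-d.example", "22.6.2.2719"),
          ("vpn-e.example", "7.4.0"), ("vpn-f.example", "6.5.0.14951")]
for status, rows in triage(SAMPLE).items():
    print(status, [f"{host} {version}" for host, version, _ in rows])
```

Entries reported as `unknown` (a truncated version string, or a product line with no fixed build listed here) need a manual check against the release notes rather than being treated as safe.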
ASEC publishes security advisories on major vulnerabilities through ASEC Blog, and if a company operating a vulnerable service is identified among AhnLab TIP service subscribers, a separate customized report is provided. This service ensures that the vulnerability information of our customers is not exposed externally and is delivered privately only to the respective customers to help them operate their services securely.
[1] CISA, (2024-01-19, 2024-02-13), Known Exploited Vulnerabilities Catalog – https://www.cisa.gov/known-exploited-vulnerabilities-catalog