Written by Will Dormann on 2025-01-08 at 18:06

And here we have it.

CVE-2025-0282 and CVE-2025-0283

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283

CVE-2025-0282 (CVSS 9.0 stack buffer overflow) is being exploited in the wild.

Written by Will Dormann on 2025-01-08 at 18:41

Without even knowing the details of the exploit, can we make some guesses about the feasibility of such attacks?

The vulnerability is a stack buffer overflow. What are the chances of being able to successfully exploit such bugs without needing to chain with a second bug? You know, since ASLR has been around on the Linux platform for about 20 years now.

Let's look at just the binaries in /home/bin on a recent Ivanti ICS device.

11 out of 241 executables have PIE enabled, and therefore are randomized with ASLR.

A job done, folks.

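The count above ("11 out of 241 executables have PIE enabled") is the kind of thing a checksec-style tool produces by reading ELF headers. As an added example that is not part of the original thread and not Will Dormann's own tooling, the following Python script does the same check offline: it reads each executable's ELF header, reports ET_EXEC as non-PIE, and treats ET_DYN as PIE only when a PT_INTERP program header is present (so plain shared libraries are not miscounted as PIE executables). The directory path, the sample ELF images and the file names are constructed for the demo; the lookup of program headers in the first 4 KiB is an assumption that holds for normally linked binaries.

```python
import os
import struct
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3     # e_type values from the ELF spec
PT_INTERP, PT_LOAD = 3, 1  # p_type values from the ELF spec


def _header_layout(data: bytes):
    """Return (endian, e_phoff, e_phentsize, e_phnum) or None if not ELF."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        return None
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    endian = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little, 2 = big
    if is64:
        (phoff,) = struct.unpack_from(endian + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 54)
    else:
        (phoff,) = struct.unpack_from(endian + "I", data, 28)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 42)
    return endian, phoff, phentsize, phnum


def classify(data: bytes) -> str:
    """Classify an ELF image prefix as pie / no-pie / shared-object / other / not-elf."""
    layout = _header_layout(data)
    if layout is None:
        return "not-elf"
    endian, phoff, phentsize, phnum = layout
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    # A PT_INTERP entry marks a dynamically linked executable; an ET_DYN image
    # without one is a shared library (caveat: static-pie binaries also lack it).
    has_interp = any(
        struct.unpack_from(endian + "I", data, phoff + i * phentsize)[0] == PT_INTERP
        for i in range(phnum)
        if phoff + i * phentsize + 4 <= len(data)
    )
    if e_type == ET_EXEC:
        return "no-pie"          # fixed load address: ASLR cannot move the image
    if e_type == ET_DYN:
        return "pie" if has_interp else "shared-object"
    return "other"


def scan_dir(directory) -> dict:
    """Count executables in a directory by classification (non-recursive)."""
    counts = {k: 0 for k in ("pie", "no-pie", "shared-object", "other", "not-elf")}
    for path in Path(directory).iterdir():
        if not path.is_file() or not os.access(path, os.X_OK):
            continue
        with open(path, "rb") as f:
            # Assumption: ELF and program headers sit within the first 4 KiB.
            counts[classify(f.read(4096))] += 1
    return counts


def make_sample(e_type: int, with_interp: bool) -> bytes:
    """Construct a minimal 64-bit little-endian ELF image (demo data, not a real binary)."""
    phdrs = ([PT_INTERP] if with_interp else []) + [PT_LOAD]
    header = (ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8          # e_ident
              + struct.pack("<HHI", e_type, 0x3E, 1)              # e_type, EM_X86_64, e_version
              + struct.pack("<QQQ", 0, 64, 0)                     # e_entry, e_phoff, e_shoff
              + struct.pack("<IHHHHHH", 0, 64, 56, len(phdrs), 0, 0, 0))
    body = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in phdrs)
    return header + body


def demo() -> dict:
    """Write constructed samples into a temp dir and scan it, like scanning /home/bin."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "pie_bin": make_sample(ET_DYN, True),
            "nopie_bin": make_sample(ET_EXEC, False),
            "libdemo.so": make_sample(ET_DYN, False),
            "script.sh": b"#!/bin/sh\necho hi\n",
        }
        for name, data in samples.items():
            p = Path(d) / name
            p.write_bytes(data)
            p.chmod(0o755)
        return scan_dir(d)


if __name__ == "__main__":
    print(demo())  # run against a real path with: print(scan_dir("/home/bin"))
```

On a real appliance image, pointing `scan_dir` at the directory of interest gives the same PIE / non-PIE split the toot reports; the "shared-object" bucket is what keeps `.so` files from inflating the PIE count.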
Written by Will Dormann on 2025-01-08 at 18:58

As we're pondering software excellence, let's look at how you can tell if your device is compromised.

You ask it, and hope it doesn't lie to you.

Sure, you "can" identify a bank robber by asking them if they robbed a bank. And if they're really bad at what they do, they might say yes.

The Ivanti ICT is the same concept. You ask your maybe-compromised device to pretty please run a scanner, and then tell you the results. This is the official company-sanctioned (and only official) way of checking the integrity of your ICS product.

Written by Will Dormann on 2025-01-09 at 00:55

More info from Mandiant:

https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day

I'll say that Ivanti customers are lucky that the attackers aren't trying very hard here. Mandiant admits that the attackers are already attempting (poorly) to bypass the ICT. But they did such a bad job that their faked ICT results had only 3 steps instead of 10.

It's trivial to modify an ICS so that the ICT fakes the 10 steps of the ICT, without including the rickroll step of 11.

It's only safe to assume here that only the B Team of Ivanti attackers were detected anywhere. And that anybody with a touch more skill is still in your boxes if you're only relying on the ICT as Ivanti recommends running it for detection of badness. But I suppose that's the case with just about anything... you only notice the folks that are bad enough to get caught. 🤦‍♂️

Written by Joshua Small on 2025-01-09 at 04:56

@wdormann Can we give the attackers credit here for writing Perl that looks obfuscated but probably isn't?
