
add CVE-2023-46805 and CVE-2024-21887 Ivanti Mitigation not applied #8936


@h4sh5 h4sh5 commented Jan 13, 2024

Template / PR Information

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details

shodan query: product:"Pulse Secure"

HTTP request and response when the mitigation isn't applied:

curl -v https://host/api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark
...
< HTTP/1.1 403 Forbidden
< Transfer-Encoding: chunked
< X-XSS-Protection: 1
< Strict-Transport-Security: max-age=31536000
<

The response is empty with a 403 status.

When the mitigation is applied:

curl -v https://host/api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark
...
< HTTP/1.1 403 Forbidden
< Content-Type: text/html; charset=utf-8
< Connection: close
< Pragma: no-cache
< Cache-Control: no-store
< Expires: -1
< Content-Length: 3015
< Strict-Transport-Security: max-age=31536000
<
<!-- Copyright (c) 2022 by Ivanti Inc. All rights reserved -->

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name=robots content="none">
<link rel="icon" href="/dana-na/imgs/Product_favicon.png" type="image/png">
<title>Ivanti&#32;Connect&#32;Secure</title>

..truncated..

<div id="error_message_content"  class="intermediate__content">
Access to the Web site is blocked by your administrator. Please notify your system administrator. Made  request for $request to $host:$port

</div>

..truncated..

</html>


S0obi commented Jan 15, 2024

I was able to test this template on different Pulse Secure and Ivanti instances and it seems to work well.


1angly commented Jan 15, 2024

Hello,
As body is equal to '0', I propose this modification.
I tested the modification and it works well; in my opinion it's more accurate.

matchers-condition: and
matchers:
  - type: dsl
    dsl:
      - "len(body)==0 && status_code==403" # Body length equal to 0 and 403 status code

  - type: word
    negative: true
    words:
      - 'Access to the Web site is blocked by your administrator'


w2xim3 commented Jan 16, 2024

This template must check the icon's mmh3 hash to remove false positives.
Example: www.example.com/dana-na/imgs/Product_favicon.png, the mmh3 value is -1439222863

matchers:
  - type: dsl
    name: "favicon"
    dsl:
      - "status_code==200 && (\"-1439222863\" == mmh3(base64_py(body)))"

@DhiyaneshGeek DhiyaneshGeek self-assigned this Jan 17, 2024
@DhiyaneshGeek DhiyaneshGeek added the Done Ready to merge label Jan 17, 2024
@DhiyaneshGeek DhiyaneshGeek added the duplicate This issue or pull request already exists label Jan 17, 2024
@princechaddha princechaddha reopened this Jan 17, 2024
@princechaddha princechaddha removed duplicate This issue or pull request already exists Done Ready to merge labels Jan 17, 2024
princechaddha (Member) commented:

Reopened this PR as we will soon be adding a category for mitigation and patch-related templates. Thank you for your contribution


S4lt5 commented Feb 15, 2024

As this sits in the current version it produces a ton of false positives, any WAF/etc will cause it to return positive.

princechaddha (Member) commented:

@h4sh5, closing this PR because the template will produce a lot of false positive results. The first matcher is a negative matcher, and the second status method will match all hosts with a 403 status code. We can possibly add an additional request to validate the product first using flow and then use the vulnerable endpoint for mitigation check.

Feel free to reopen this PR if you have a better method for patch detection.
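The flow-gated layout princechaddha describes, assembled from the pieces already in this thread, as an added example that is not the PR's template: request 1 is the product gate using the favicon hash w2xim3 quoted, and request 2 is the mitigation probe from the PR with 1angly's empty-body matcher, sent only when the gate matched. The id, name, author and tags are placeholders.

```yaml
id: ivanti-connect-secure-mitigation-check   # placeholder id

info:
  name: Ivanti Connect Secure - CVE-2023-46805 / CVE-2024-21887 Mitigation Not Applied
  author: placeholder
  severity: info
  tags: ivanti,pulsesecure,misconfig

# Request 2 only runs if request 1's matchers fire, so a generic WAF 403
# on a non-Ivanti host never reaches the mitigation probe.
flow: http(1) && http(2)

http:
  # Request 1: product gate on the favicon hash quoted in the thread.
  - method: GET
    path:
      - "{{BaseURL}}/dana-na/imgs/Product_favicon.png"
    matchers:
      - type: dsl
        dsl:
          - 'status_code==200 && ("-1439222863" == mmh3(base64_py(body)))'

  # Request 2: mitigation probe. Unmitigated appliances answer an empty 403;
  # mitigated ones return the "blocked by your administrator" HTML page.
  - method: GET
    path:
      - "{{BaseURL}}/api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark"
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "len(body)==0 && status_code==403"
      - type: word
        negative: true
        words:
          - "Access to the Web site is blocked by your administrator"
```

Only the empty-403 case after a matched favicon is reported, so a host that returns 403 from a WAF or another product is skipped at the gate rather than flagged.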
