Detecting Ivanti CVE-2023-46805 with OWASP Nettacker v0.3.3
In the world of cybersecurity, staying ahead of potential threats is crucial. One such significant threat is the recently disclosed Ivanti ICS CVE-2023-46805 vulnerability.
The Cybersecurity and Infrastructure Security Agency (CISA) has observed widespread and active exploitation of this vulnerability in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) solutions, collectively referred to as the “affected products”. Successful exploitation of this vulnerability, when chained with CVE-2024-21887 (an authenticated command injection vulnerability), allows a malicious threat actor to move laterally within the network, perform data exfiltration, and establish persistent system access, leading to a full compromise of the targeted information systems.
Given the severity of these conditions, CISA has determined that they pose an unacceptable risk to the US Federal Civilian Executive Branch (FCEB) agencies, necessitating immediate emergency action.
OWASP Nettacker is an open-source software written in Python, designed to automate information gathering, vulnerability scanning, and aid penetration testing engagements. It can run various scans on applications and networks using a variety of methods and generate scan reports.
In the release v0.3.3, OWASP Nettacker added a new module specifically for detecting the Ivanti ICS CVE-2023-46805 vulnerability (ivanti_ics_cve_2023_46805_vuln). This module can scan networks for this specific vulnerability, providing a targeted approach to identifying potential threats.
Here’s a simple step-by-step guide on how to use OWASP Nettacker for this purpose:
Install OWASP Nettacker: Follow the installation guide provided in the official documentation
Run a Vulnerability Scan: Use the command-line interface to run a vulnerability scan targeting the networks or systems running Ivanti Connect Secure and Policy Secure products.
Example:
python3 nettacker.py -i [target] -m ivanti_ics_cve_2023_46805_vuln --skip-service-discovery
[target] here can be a single IP address, a CIDR block, a host name or a domain name. If you want to scan the subdomains of a domain, specify the domain name in the -i option and add the -s switch to scan the subdomains of the given domain, e.g. -i example.com -s
With Nettacker you can also scan multiple targets and networks: simply define the list of targets in a text file (one target per line) and then use the -l switch to load that file, e.g. -l target_list.txt
python3 nettacker.py -l target_list.txt -m ivanti_ics_cve_2023_46805_vuln --skip-service-discovery
Analyze the Report: OWASP Nettacker generates scan reports in various formats including HTML, TXT, JSON, and CSV. Analyse the report to identify any detected instances of Ivanti CVE-2023-46805.
Using Last Patched Date Module
The OWASP Nettacker v0.3.3 release also included modules that assist in finding unpatched Ivanti ICS and EPMM devices by checking the Last-Modified date on specific files. This can be particularly useful in identifying Ivanti ICS and EPMM devices that may be vulnerable to CVE-2023-46805 and CVE-2023-35082. The modules are:
- ivanti_ics_lastpatcheddate_scan
- ivanti_epmm_lastpatcheddate_scan
Here is an example of how useful these modules can be when analysing a group of scanned Ivanti devices with Nettacker: some of them have not been patched since 2023 or even 2022.
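To show the idea behind the last-patched-date modules, here is an added example (not Nettacker's own code) that applies the same heuristic offline: parse the Last-Modified header collected from a static file on each device, compare it with a patch cutoff date, and sort the fleet oldest-first so the stalest devices are triaged first. The hostnames, the Last-Modified values and the cutoff date are constructed placeholders; the real modules pick their own files and you would substitute the vendor's patch release date.

```python
"""Stale-patch heuristic: flag devices whose static file predates the patch date."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: placeholder cutoff; substitute the release date of the fix you check for.
PATCH_CUTOFF = datetime(2024, 1, 31, tzinfo=timezone.utc)

# Constructed sample results, as a Last-Modified checker would collect them by
# requesting one static file from each device. Hostnames and values are invented.
SAMPLE_RESULTS = [
    {"host": "ics-1.example.test", "last_modified": "Tue, 06 Feb 2024 10:15:00 GMT"},
    {"host": "ics-2.example.test", "last_modified": "Mon, 13 Mar 2023 08:00:00 GMT"},
    {"host": "ics-3.example.test", "last_modified": "Fri, 12 Aug 2022 14:30:00 GMT"},
    {"host": "ics-4.example.test", "last_modified": None},          # header absent
    {"host": "ics-5.example.test", "last_modified": "not a date"},  # garbled header
]


def parse_last_modified(value):
    """Parse an RFC 7231 Last-Modified header; return an aware datetime or None."""
    if not value:
        return None
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):  # unparseable on any Python version
        return None
    if parsed.tzinfo is None:  # "-0000" style stamps come back naive; treat as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def classify(last_modified, cutoff=PATCH_CUTOFF):
    """'stale' if the file predates the cutoff, 'current' otherwise, 'unknown' if unparseable."""
    stamp = parse_last_modified(last_modified)
    if stamp is None:
        return "unknown"
    return "stale" if stamp < cutoff else "current"


def triage(results, cutoff=PATCH_CUTOFF):
    """Return hosts sorted oldest-first with status and last-modified year for follow-up."""
    rows = []
    for item in results:
        stamp = parse_last_modified(item["last_modified"])
        rows.append({"host": item["host"],
                     "status": classify(item["last_modified"], cutoff),
                     "year": stamp.year if stamp else None})
    # unknown (unparseable) entries sort last so the oldest confirmed dates lead
    return sorted(rows, key=lambda r: (r["year"] is None, r["year"] or 0))
```

Devices reported as "unknown" still need a manual look: a missing or malformed Last-Modified header is not evidence of a patch, only of a check that could not run.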
Patching the Ivanti devices
Follow the Ivanti instructions in the Recovery-Steps-Related-to-CVE-2023-46805-and-CVE-2024-21887 article.
Conclusion
Staying vigilant and proactive in detecting vulnerabilities is key in maintaining a secure network environment. Tools like OWASP Nettacker and resources like the CISA KEV catalog (“Known Exploited Vulnerabilities”) can greatly aid in this process by automating the vulnerability scanning process and providing valuable insights into known exploited vulnerabilities. Always remember, the first step in mitigating a threat is detecting it.
Disclaimer
OWASP Nettacker, as an open-source project, promotes responsible and ethical use of its tools and modules. Security professionals utilising Nettacker should always ensure they have proper authorisation and follow applicable laws, regulations, and ethical guidelines when performing any form of security scanning/testing.
Follow me on Twitter: https://twitter.com/securestep9