DSLog: The Ivanti Software Vulnerability Unearthed
In the continually shifting landscape of cybersecurity, a startling revelation has surfaced: a vulnerability in Ivanti software, exploited by threat actors, is now casting a long shadow over more than 670 IT infrastructures. Dubbed ‘DSLog’, the backdoor is no minor threat—it’s a craftsman’s piece designed to evade detection and a stark reminder of the cyber risks lurking in the digital era.
The exploit, traced back to a server-side request forgery (SSRF) flaw in the SAML module – specifically CVE-2024-21893 – began its onslaught just after the release of proof-of-concept code. Moreover, Ivanti has acknowledged that certain targeted attacks had ridden the wave of this vulnerability's discovery. As fear mounts, the Shadowserver Foundation flags an uptick in exploitation attempts from a staggering tally of over 170 IP addresses.
In the wake of these findings, research from Orange Cyberdefense unveils exploitation attempts dating back to as early as February 3. In a maneuver characteristic of their stealth, threat actors have adeptly modified a Perl file, consequently injecting the DSLog backdoor. The insertion is discreet yet powerful. Each affected appliance brandishes a unique hash, which, when matched with the User-Agent header in an HTTP request, carves a path for commands to be harvested and executed.
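As an added illustration (not code from the original article, Orange Cyberdefense or Ivanti), a small Python triage sweep over constructed access-log lines that flags requests whose User-Agent is nothing but a hash-like token, the trigger pattern described above, and groups the hits by token. The combined log layout and the hex form of the per-appliance token are assumptions, not details given in the article.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines in Apache combined format. The article does not give
# the appliance's real log layout, so this format is an assumption.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Feb/2024:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '203.0.113.9 - - [07/Feb/2024:10:15:07 +0000] "GET /index.html HTTP/1.1" 200 44 "-" '
    '"3f9a6c1d2e8b4a7f5c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b"',
    '198.51.100.4 - - [07/Feb/2024:10:16:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '203.0.113.9 - - [07/Feb/2024:10:17:02 +0000] "GET /index.html HTTP/1.1" 200 44 "-" '
    '"3f9a6c1d2e8b4a7f5c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b"',
]

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumption: the per-appliance token is a bare hex digest (32 to 64 chars) with
# none of the product/version text a browser or tool normally sends.
BARE_HASH = re.compile(r'^[0-9a-f]{32,64}$', re.IGNORECASE)


def suspicious_user_agents(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, request_path, token) for each request whose
    User-Agent consists solely of a hash-like token."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # malformed or truncated line: skip it, do not abort the sweep
        ua = m.group('ua')
        if BARE_HASH.match(ua):
            hits.append((m.group('ip'), m.group('path'), ua.lower()))
    return hits


def token_summary(hits: List[Tuple[str, str, str]]) -> Dict[str, Dict[str, set]]:
    """Group hits by token. The article describes one hash per appliance, so a
    single token recurring across requests (from one or several IPs) is the
    pattern worth escalating and correlating with Perl file integrity checks."""
    summary: Dict[str, Dict[str, set]] = {}
    for ip, path, token in hits:
        entry = summary.setdefault(token, {'ips': set(), 'paths': set()})
        entry['ips'].add(ip)
        entry['paths'].add(path)
    return summary
```

Because the article also reports attackers wiping the .access logs, an empty result from this sweep is not evidence of a clean appliance; absent or truncated logs are themselves a finding.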
Sowing further unease, these adversaries have been detected wiping ‘.access’ logs across an array of appliances. A sophisticated tactic to erase their digital footprints, indeed. Yet, Orange Cyberdefense has remained vigilant, identifying 524 compromised assets as early as February 7. They stand now, urging customers to initiate a factory reset on appliances before applying patches—as it’s the sole way to purge the persistence of latent threats.
Those looking for guidance in these troubling times can seek the expertise of Orange Cyberdefense, whose thorough investigation of Ivanti Connect Secure appliances reaches the core of the DSLog backdoor and offers imperative insights and assistance to those in the crosshairs of this security breach.
Assetnote, a beacon of proactive defense in security research, didn’t rest on its laurels either. Following an advisory by Ivanti describing two new vulnerabilities—CVE-2024-21888 and CVE-2024-21893—Assetnote leaped into action. They reverse-engineered the latest authentication bypass, a feat leading them straight into the heart of the SAML component. By manipulating the SAML payloads, they achieved server-side command injection, a vector that ended in the unwelcome installation of the DSLog backdoor.
What transpired highlights a grim reality: the soft underbelly of our interconnected systems lies exposed to those with nefarious intent. Assetnote keeps its ear to the ground, vigilant for zero-day vulnerabilities, its meticulous research salvaging countless digital ecosystems from potential ruin.
Under the weight of these ominous clouds, the silver lining remains—if tenuous. Organizations using Ivanti software are implored to heed the call: apply patches, reset, and armor up in the constant battle against cyber threats. The steps are clear, the danger real, and the fallout of inaction potentially catastrophic. Timely patching, bolstered with regular updates, emerges not just as a recommendation, but as a necessary bulwark in safeguarding our digital sovereignty in this unrelenting era of cyber conflict.
If you enjoyed this article, please check out our other articles on CyberNow