URL: https://www.horizon3.ai/attack-research/cisa-kev-cve-2024-8190-ivanti-csa-command-injection

CVE-2024-8190: INVESTIGATING CISA KEV IVANTI CLOUD SERVICE APPLIANCE COMMAND
INJECTION VULNERABILITY

by Zach Hanley | Sep 16, 2024 | Attack Blogs, Attack Research

On September 10, 2024, Ivanti released a security advisory for a command
injection vulnerability in its Cloud Service Appliance (CSA) product.
Initially, CVE-2024-8190 seemed uninteresting to us, given that Ivanti
stated it was an authenticated vulnerability. Shortly after, on September
13, 2024, the vulnerability was added to CISA’s Known Exploited Vulnerabilities
(KEV) catalog. Given that it was now exploited in the wild, we decided to take a look.

The advisory reads:

> Ivanti has released a security update for Ivanti CSA 4.6 which addresses a
> high severity vulnerability. Successful exploitation could lead to
> unauthorized access to the device running the CSA. Dual-homed CSA
> configurations with ETH-0 as an internal network, as recommended by Ivanti,
> are at a significantly reduced risk of exploitation.
> 
> An OS command injection vulnerability in Ivanti Cloud Services Appliance
> versions 4.6 Patch 518 and before allows a remote authenticated attacker to
> obtain remote code execution. The attacker must have admin level privileges to
> exploit this vulnerability.

The description suggests there may be room for accidental exposure, given the
details about misconfiguration of the external versus internal interfaces.


CRACKING IT OPEN

Inspecting the patches, we find that the Cloud Service Appliance has a PHP
frontend and the patch simply copies in newer PHP files.

Figure 1. Patch introduces updated PHP files

Inspecting the four new PHP files, we land on DateTimeTab.php, which has more
interesting changes, related to validation of the zone variable right before a
call to exec().

Figure 2. Validating the zone variable

Now that we have a function of interest, we trace execution to it. We find that
handleDateTimeSubmit() calls our vulnerable function on line 153.

Figure 3. handleDateTimeSubmit parses HTTP requests

We see that the function takes the request argument TIMEZONE and passes it
directly to the vulnerable function, which previously performed no input
validation before calling exec() with our input formatted into the command string.
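As an added illustration (not Ivanti's code and not from the original post), the PHP below sketches the handler shape described above, request parameter TIMEZONE flowing into a zone variable and then into exec(), first in its pre-patch form and then hardened with an allowlist check and argument quoting. The command string, function names, return values and the allowlist approach are assumptions made for this example.

```php
<?php
// Added illustration, not Ivanti's code: the handler shape the post describes
// (request parameter TIMEZONE -> zone variable -> exec()), first in its
// pre-patch form and then hardened. The command string, function names and
// return values are assumptions made for this example.

// Pre-patch shape: the zone value is formatted straight into the command.
// Shell metacharacters in $zone become part of the command line.
function setTimeZoneUnsafe(string $zone): array
{
    $output = [];
    $rc = 1;
    exec(sprintf('/usr/bin/timedatectl set-timezone %s', $zone), $output, $rc);
    return ['rc' => $rc, 'output' => $output];
}

// Hardened: accept only a known IANA zone name (allowlist), then quote the
// argument anyway so the shell never treats it as syntax (defense in depth).
// The allowlist check is this example's choice, not necessarily Ivanti's patch.
function isValidTimeZone(string $zone): bool
{
    // DateTimeZone::listIdentifiers() is PHP's built-in list of IANA zone names.
    return in_array($zone, DateTimeZone::listIdentifiers(), true);
}

function setTimeZoneSafe(string $zone): array
{
    if (!isValidTimeZone($zone)) {
        return ['rc' => 1, 'output' => ['rejected: not a known time zone']];
    }
    $output = [];
    $rc = 1;
    exec('/usr/bin/timedatectl set-timezone ' . escapeshellarg($zone), $output, $rc);
    return ['rc' => $rc, 'output' => $output];
}

// Handler shape: pull TIMEZONE from the request and validate before use.
function handleDateTimeSubmit(array $request): array
{
    $zone = (string) ($request['TIMEZONE'] ?? '');
    return setTimeZoneSafe($zone);
}

// Constructed inputs. The second value never reaches exec() in the hardened path.
var_dump(isValidTimeZone('America/New_York'));
print_r(handleDateTimeSubmit(['TIMEZONE' => 'UTC; echo x']));
```

The unsafe function is included only to show the pre-patch shape and is never called here; running the hardened path on a valid zone requires timedatectl on the host.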


DEVELOPING THE EXPLOIT

We find that the PHP endpoint /datetime.php maps to the handleDateTimeSubmit()
function, and is accessible only from the “internal” interface with
authentication.

Putting together the pieces, we’re able to achieve command injection by
supplying the application username and password. Our proof of concept can be
found here.

Figure 4. Authenticated Command Injection


N-DAY RESEARCH – ALSO KNOWN AS CVSS QUALITY ASSURANCE

It seems that Ivanti is correct in marking this as an authenticated
vulnerability. But let’s take a look at their configuration guidance to
understand what may have gone wrong for some of their clients who were exploited
in the wild.

Ivanti’s guidance about ensuring that eth0 is configured as the internal network
interface tracks with what we’ve found. When attempting to reach the
administrative portal from eth1, we receive a 403 Forbidden instead of a 401
Unauthorized.

Figure 5. 403 from the external interface

Users that accidentally swap the interfaces, or simply only have one interface
configured, would expose the console to the internet.

If exposed to the internet, we found that there was no form of rate limiting on
attempts at username and password combinations. While the appliance does ship
with a default credential of admin:admin, this credential is forcibly updated to
a stronger, user-supplied password upon first login.

Figure 6. Password policy

We theorize that the users who have been exploited most likely never logged in
to the appliance, or, given the lack of rate limiting, had poor password
hygiene and weaker passwords.


INDICATORS OF COMPROMISE

We found sparse logs, but in /var/log/messages an incorrect login looked like
the following messages; specifically, key in on “User admin does not
authenticate”.

Figure 7. Failed logon

When authentication is successful, it looked like the following, where the
successful request is followed by a 200 status.

Figure 8. Successful login
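As an added example (not from the post and not Ivanti's or Horizon3's code), the following PHP 8 script applies the indicator above to syslog-style lines: it keys on the “User admin does not authenticate” message and flags a burst of failures followed by a success, the pattern the post theorizes given the missing rate limiting. The line layout, hostname, success wording, window size and threshold are constructed assumptions; adjust parseLine() to the real CSA format.

```php
<?php
// Added example, not from the post: scan /var/log/messages-style lines for the
// failed-login message the post names and flag the pattern it theorizes
// (many attempts with no rate limiting, then a success). The line layout,
// hostname, success wording and thresholds are constructed for this example;
// real CSA lines may differ, so adjust parseLine() to match them.

const FAIL_MARKER    = 'User admin does not authenticate';
const WINDOW_SECONDS = 300;  // burst window (assumed)
const FAIL_THRESHOLD = 10;   // failures inside the window that count as a burst (assumed)

// Turn one syslog-style line into ['ts' => unix time, 'kind' => 'fail'|'success'],
// or null for lines that carry neither marker.
function parseLine(string $line): ?array
{
    // Constructed layout: "Sep 14 10:00:01 csa httpd: <message>"
    if (!preg_match('/^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: (.*)$/', $line, $m)) {
        return null;
    }
    $ts = strtotime($m[1] . ' 2024');  // syslog lines carry no year; 2024 assumed
    if ($ts === false) {
        return null;
    }
    if (str_contains($m[2], FAIL_MARKER)) {
        return ['ts' => $ts, 'kind' => 'fail'];
    }
    // The post says a successful login is followed by a 200; we treat a line
    // naming admin together with a 200 status as the success marker (assumption).
    if (preg_match('/\badmin\b.*\b200\b/', $m[2])) {
        return ['ts' => $ts, 'kind' => 'success'];
    }
    return null;
}

// Walk lines in time order; report failure bursts and any success after one.
function analyze(array $lines): array
{
    $findings    = [];
    $recentFails = [];   // timestamps of failures still inside the window
    $burstOpen   = false;
    foreach ($lines as $line) {
        $ev = parseLine($line);
        if ($ev === null) {
            continue;
        }
        // Drop failures that have aged out of the window.
        $recentFails = array_values(array_filter(
            $recentFails,
            fn (int $t): bool => $ev['ts'] - $t <= WINDOW_SECONDS
        ));
        if ($ev['kind'] === 'fail') {
            $recentFails[] = $ev['ts'];
            if (!$burstOpen && count($recentFails) >= FAIL_THRESHOLD) {
                $burstOpen  = true;
                $findings[] = sprintf('possible brute force: %d failed logins within %ds as of %s',
                    count($recentFails), WINDOW_SECONDS, date('M d H:i:s', $ev['ts']));
            }
            continue;
        }
        // A success that lands inside a failure burst is the case to escalate.
        if (count($recentFails) >= FAIL_THRESHOLD) {
            $findings[] = sprintf('successful login after a failure burst at %s: treat as possible compromise',
                date('M d H:i:s', $ev['ts']));
        }
        $recentFails = [];
        $burstOpen   = false;
    }
    return $findings;
}

// Constructed sample: twelve failures ten seconds apart, then a success.
$sample = [];
for ($i = 0; $i < 12; $i++) {
    $sample[] = sprintf('Sep 14 10:%02d:%02d csa httpd: %s',
        intdiv($i * 10, 60), ($i * 10) % 60, FAIL_MARKER);
}
$sample[] = 'Sep 14 10:03:00 csa httpd: User admin authenticated, POST /datetime.php 200';

foreach (analyze($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

On a real appliance, feed the script the contents of /var/log/messages and tune the window and threshold to the expected admin login rate.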



