CVE-2024-22024
📋 TL;DR
This XXE vulnerability in Ivanti's SAML implementation allows attackers to access restricted resources without authentication by processing malicious XML entities. It affects Ivanti Connect Secure, Ivanti Policy Secure, and ZTA gateways. Attackers can potentially read files from the server or perform server-side request forgery.
💻 Affected Systems
- Ivanti Connect Secure
- Ivanti Policy Secure
- ZTA gateways
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via file disclosure leading to credential theft, lateral movement, and data exfiltration
Likely Case
Unauthenticated access to sensitive files, configuration data, or internal network resources
If Mitigated
Limited impact if XML parsing is disabled or properly configured with entity restrictions
🎯 Exploit Status
XXE vulnerabilities are well-understood with many existing tools; unauthenticated nature makes exploitation straightforward
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Ivanti security advisory for specific patched versions
Vendor Advisory: https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
Restart Required: Yes
Instructions:
1. Download the latest patch from the Ivanti support portal
2. Back up the configuration
3. Apply the patch following vendor instructions
4. Restart services
5. Verify SAML functionality
🔧 Temporary Workarounds
Disable XML external entity processing
- Configure the XML parser to disallow external entity resolution
- Configuration varies by platform; consult Ivanti documentation for XML parser hardening
Network segmentation
- Restrict access to SAML endpoints from untrusted networks
- Use firewall rules to limit SAML endpoint access to trusted identity providers only
🧯 If You Can't Patch
- Implement WAF rules to block XXE patterns in XML requests
- Monitor for unusual XML payloads and file access attempts
🔍 How to Verify
Check if Vulnerable:
Check if system is running affected versions and has SAML enabled
Check Version:
Check Ivanti admin interface or use vendor-specific CLI commands
Verify Fix Applied:
Verify that the patched version is installed and that test XXE payloads are rejected
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors
- File access attempts via XML entities
- SAML authentication failures with malformed XML
Network Indicators:
- XML payloads with DOCTYPE declarations
- External entity references in SAML requests
- Unusual outbound connections from gateway
SIEM Query:
source="ivanti_gateway" AND (message="*DOCTYPE*" OR message="*ENTITY*" OR message="*XXE*")
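The SIEM query above matches DOCTYPE/ENTITY strings in the raw message field, but POST-binding SAML messages travel base64-encoded (and URL-encoded) in a form parameter, so the DTD text never appears literally in an access log. The following added example (not part of the original page or of any Ivanti tooling) decodes the SAMLResponse/SAMLRequest parameter from constructed log lines before checking for DOCTYPE, ENTITY and SYSTEM/PUBLIC external identifiers; the log format, the `/saml/acs` path and the `.invalid` entity URL are assumptions made up for the sample.

```python
import base64
import re
from typing import Dict, List
from urllib.parse import quote, unquote

# Markers the page's SIEM query keys on (DOCTYPE, ENTITY), plus the SYSTEM/PUBLIC
# external identifier that is what makes a DTD entity external in the first place.
INDICATORS = {
    "doctype": re.compile(r"<!DOCTYPE\b", re.IGNORECASE),
    "entity": re.compile(r"<!ENTITY\b", re.IGNORECASE),
    "external_identifier": re.compile(r"\b(?:SYSTEM|PUBLIC)\s+[\"']", re.IGNORECASE),
}
SAML_PARAM_RE = re.compile(r"SAML(?:Response|Request)=([A-Za-z0-9+/=%]+)")

def decode_saml_param(value: str) -> str:
    """URL-decode then base64-decode a SAMLResponse/SAMLRequest value; '' if malformed."""
    try:
        return base64.b64decode(unquote(value), validate=True).decode("utf-8", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""

def inspect_saml_xml(xml_text: str) -> List[str]:
    """Return the names of the DTD-related indicators present in one decoded document."""
    return [name for name, rx in INDICATORS.items() if rx.search(xml_text)]

def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Flag log lines whose SAML message carries a DOCTYPE, ENTITY or external identifier."""
    hits = []
    for line in lines:
        match = SAML_PARAM_RE.search(line)
        if not match:
            continue  # no SAML message on this line
        findings = inspect_saml_xml(decode_saml_param(match.group(1)))
        if findings:
            hits.append({"line": line, "indicators": findings})
    return hits

def encode_for_log(xml_text: str) -> str:
    """Encode an XML document the way a POST-binding SAML parameter appears in a log."""
    return quote(base64.b64encode(xml_text.encode()).decode())

# Constructed sample data: one ordinary SAML response and one carrying an internal DTD
# subset with an external entity pointing at a placeholder (.invalid) URL.
BENIGN_XML = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1"/>'
DTD_XML = ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM "http://dtd.invalid/x">]>'
           '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">&x;</samlp:Response>')
SAMPLE_LOG = [
    "src=198.51.100.7 method=POST path=/saml/acs SAMLResponse=" + encode_for_log(BENIGN_XML),
    "src=198.51.100.7 method=GET path=/healthz",
    "src=203.0.113.9 method=POST path=/saml/acs SAMLResponse=" + encode_for_log(DTD_XML),
]
```

Running `scan_log_lines(SAMPLE_LOG)` returns only the third line, tagged with all three indicators; a message that merely fails to decode is skipped rather than alerted, so pair this with the page's parsing-error indicators for coverage of malformed payloads.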