CVE-2024-22052
📋 TL;DR
A null pointer dereference in the IPSec component of Ivanti Connect Secure and Ivanti Policy Secure gateways (versions 9.x and 22.x) lets an unauthenticated remote attacker send specially crafted IPSec requests that crash the service, producing a denial-of-service condition (CVSS 3.1 base score 7.5, availability impact only; no confidentiality or integrity impact). It was disclosed in the same April 2024 Ivanti advisory as CVE-2024-21894, CVE-2024-22053 and CVE-2024-22023. Any gateway exposing its IPSec listener to untrusted networks and running an unpatched version is affected; no credentials or user interaction are needed.
💻 Affected Systems
- Ivanti Connect Secure
- Ivanti Policy Secure
📦 What is this software?
Ivanti Connect Secure (formerly Pulse Connect Secure) is an SSL/IPSec remote-access VPN gateway that is normally placed directly on the internet edge. Ivanti Policy Secure is the companion network access control (NAC) product. Both share the same underlying platform and the same IPSec component, which is why a single bug affects both.
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage of Ivanti VPN gateways, disrupting all VPN connectivity and potentially affecting business operations that rely on remote access.
Likely Case
Service crashes leading to temporary VPN unavailability until services restart automatically or manually, causing intermittent connectivity issues for remote users.
If Mitigated
If the gateway's IPSec listener is reachable only from trusted networks, or IKE/ESP traffic is filtered at the perimeter, crafted requests never reach the vulnerable code and the service stays up. Relying on IPS/IDS alone is weaker: it only helps if the vendor ships a signature that recognises the specific malformed IKE payload, which cannot be assumed.
🎯 Exploit Status
The bug needs no authentication and is triggered by a single specially crafted IPSec request, so the attack complexity is low. A null pointer dereference is a crash primitive, not a code-execution primitive, but a reliable remote crash against an internet-facing VPN is easy to script and repeat, so it should be expected to be used for disruption even without a public proof of concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Ivanti publishes the first fixed build per release branch (9.1Rx and 22.xRx) in the advisory linked under References; compare your exact build against that table rather than against "9.x" or "22.x".
Restart Required: Yes. Upgrading the service package reboots the appliance, so schedule a maintenance window.
Instructions:
1. Download the fixed service package for your release branch from the Ivanti support portal.
2. Apply it through the admin console (Maintenance > System > Platform) following Ivanti's documented upgrade procedure; for clusters, upgrade each node as the cluster guidance describes.
3. Allow the appliance to reboot, then confirm the displayed version matches the fixed build.
🔧 Temporary Workarounds
Network-based IPSec blocking
Block or restrict IKE (UDP 500 and UDP 4500) and ESP (IP protocol 50) at the perimeter so that only known client address ranges can reach the gateway's IPSec listener. Clients configured for ESP transport mode fall back to SSL transport when ESP is unreachable, so this trades some VPN throughput for availability of the service.
Rate limiting IPSec connections
Rate-limit new IKE exchanges per source address on an upstream firewall to reduce the impact of repeated crash attempts. This only slows an attacker down; a single crafted request is still enough to crash the service once, so treat it as damage limitation rather than a fix.
🧯 If You Can't Patch
- Implement network segmentation to isolate Ivanti gateways from untrusted networks
- Deploy IPS/IDS systems with rules to detect and block malicious IPSec traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check Ivanti appliance version against affected versions (9.x, 22.x) in the admin interface
Check Version:
Check the build shown on the admin console's system status dashboard or on the Maintenance > System > Platform page, where the current version (for example 22.6R2.1 or 9.1R18.3) is displayed alongside the upgrade controls.
Verify Fix Applied:
Verify patch installation through Ivanti admin interface and confirm version is updated beyond vulnerable ranges
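When many gateways have to be checked, the comparison above is easier to script than to read off dashboards. The following is an added example, not code from the page or from Ivanti: it parses Ivanti-style build strings such as `22.6R2.1` and compares them with the first fixed build on the same release branch. The `FIXED_VERSIONS` table is an assumption for illustration only; populate it from the Ivanti advisory linked under References before relying on the result.

```python
"""Added example (not from the page or from Ivanti): decide whether an
installed Ivanti Connect Secure / Policy Secure build is older than the first
fixed build on its release branch."""
import re

# Ivanti builds look like "<major>.<minor>R<release>.<patch>", e.g. 22.6R2.1
# or 9.1R18.4; the trailing .<patch> may be absent.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Placeholder table of first fixed builds per branch. These values are
# ASSUMED for illustration; take the authoritative ones from the advisory.
FIXED_VERSIONS = {
    "22.6R2": "22.6R2.2",
    "22.5R2": "22.5R2.3",
    "9.1R18": "9.1R18.4",
}


def parse_version(v):
    """'22.6R2.1' -> (22, 6, 2, 1); '9.1R18' -> (9, 1, 18, 0)."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {v!r}")
    major, minor, rel, patch = m.groups()
    return (int(major), int(minor), int(rel), int(patch or 0))


def branch_of(v):
    """The release branch a build belongs to, e.g. '22.6R2' for 22.6R2.1."""
    major, minor, rel, _ = parse_version(v)
    return f"{major}.{minor}R{rel}"


def is_vulnerable(installed, fixed=FIXED_VERSIONS):
    """True if the build is on a listed branch and older than that branch's
    fix, False if it is at or past the fix, None if the branch is not in the
    table (no conclusion can be drawn; check the advisory)."""
    branch = branch_of(installed)
    if branch not in fixed:
        return None
    return parse_version(installed) < parse_version(fixed[branch])


if __name__ == "__main__":
    for build in ("22.6R2.1", "22.6R2.2", "9.1R18.4", "22.3R1.1"):
        print(build, "->", is_vulnerable(build))
```

Only builds on the same branch are compared; a `None` result means the branch is not in the table, which is deliberately distinct from "not vulnerable" so that an incomplete table cannot produce a false all-clear.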
📡 Detection & Monitoring
Log Indicators:
- Multiple IPSec connection failures
- Service crash logs
- Unusual IPSec traffic patterns
Network Indicators:
- Malformed IPSec packets
- Spike in IPSec connection attempts from single sources
SIEM Query:
source="ivanti_gateway" AND (event_type="service_crash" OR (protocol="IPSec" AND status="failed"))
The field names above are placeholders for whatever your log pipeline extracts from the gateway's syslog output; the inner parentheses matter, because AND binds more tightly than OR and without them the crash condition would be ORed with the bare protocol match.
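The SIEM query above catches individual events; the network indicator of interest is a burst of IPSec connection failures from one source shortly before a crash. The following is an added example, not from the page or from Ivanti, that applies a per-source sliding-window count and a crash-message match over constructed syslog-style lines. The line format, the regexes, the 60-second window and the threshold of 5 are all assumptions; adjust the regexes to the gateway's real log output.

```python
"""Added example (not from the page or from Ivanti): flag an IKE failure
spike from a single source and any service-crash message in gateway logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample lines in an assumed syslog-like layout (not real Ivanti
# output): one noisy source, one quiet source, one crash message.
SAMPLE_LOGS = """\
2024-04-03T10:00:00Z ivanti-gw ipsec: IKE negotiation failed from 203.0.113.7
2024-04-03T10:00:02Z ivanti-gw ipsec: IKE negotiation failed from 198.51.100.2
2024-04-03T10:00:03Z ivanti-gw ipsec: IKE negotiation failed from 203.0.113.7
2024-04-03T10:00:05Z ivanti-gw ipsec: IKE negotiation failed from 203.0.113.7
2024-04-03T10:00:06Z ivanti-gw ipsec: IKE negotiation failed from 203.0.113.7
2024-04-03T10:00:08Z ivanti-gw ipsec: IKE negotiation failed from 203.0.113.7
2024-04-03T10:00:09Z ivanti-gw ipsec: IKE negotiation failed from 203.0.113.7
2024-04-03T10:00:10Z ivanti-gw watchdog: ipsec service crashed (signal 11), restarting
2024-04-03T10:05:00Z ivanti-gw ipsec: IKE negotiation failed from 198.51.100.2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
FAIL_RE = re.compile(r"IKE negotiation failed from (?P<src>\S+)")
CRASH_RE = re.compile(r"\b(crash(ed)?|segfault|signal 11)\b", re.IGNORECASE)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def analyze(log_text, window_seconds=60, threshold=5):
    """Return {'spikes': {src: count}, 'crashes': [timestamps]}.

    A spike is recorded the first time a source accumulates `threshold`
    IKE failures inside any `window_seconds` sliding window; the count
    stored is the window size at the moment the threshold was crossed.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> failure timestamps still in window
    spikes, crashes = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a line we understand; skip rather than guess
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if CRASH_RE.search(msg):
            crashes.append(m["ts"])
            continue
        f = FAIL_RE.search(msg)
        if not f:
            continue
        q = recent[f["src"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and f["src"] not in spikes:
            spikes[f["src"]] = len(q)
    return {"spikes": spikes, "crashes": crashes}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOGS))
```

Correlating the two outputs (a spike from 203.0.113.7 a few seconds before the crash message) is what turns a generic outage ticket into an exploitation hypothesis; the quiet source never trips the threshold because its two failures are five minutes apart.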
🔗 References
- https://forums.ivanti.com/s/article/New-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US