CVE-2024-22023 Overview
An XML Entity Expansion (XEE) vulnerability exists in the SAML component of Ivanti Connect Secure (versions 9.x and 22.x) and Ivanti Policy Secure. This vulnerability allows an unauthenticated attacker to send specially crafted XML requests to temporarily cause resource exhaustion, resulting in a limited-time Denial of Service (DoS) condition. The vulnerability affects the XML parser used in SAML authentication processing, where insufficient restrictions on entity expansion can be exploited to consume server resources.
Critical Impact
Unauthenticated attackers can disrupt VPN and network access control services by exploiting XML entity expansion in SAML authentication, potentially affecting organizational connectivity and remote access capabilities.
Affected Products
- Ivanti Connect Secure 9.x (versions 9.1:r1 through 9.1:r18)
- Ivanti Connect Secure 22.x (versions 22.1 through 22.6)
- Ivanti Policy Secure 9.x (versions 9.0 through 9.1:r18)
- Ivanti Policy Secure 22.x (versions 22.1 through 22.6)
Discovery Timeline
- April 4, 2024 - CVE-2024-22023 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2024-22023
Vulnerability Analysis
This XML Entity Expansion (XEE) vulnerability resides in the SAML authentication component of Ivanti's secure access products. XEE attacks, also known as "Billion Laughs" or XML bomb attacks, exploit the way XML parsers handle entity definitions and references. When the SAML component processes authentication requests, it parses XML documents that may contain nested entity definitions. An attacker can craft malicious XML payloads where entities recursively reference other entities, causing exponential memory and CPU consumption when the parser attempts to expand all entity references.
The attack does not require authentication, as SAML requests are processed before user authentication is validated. This pre-authentication attack surface makes the vulnerability particularly concerning for internet-facing Ivanti appliances that handle remote access authentication.
Root Cause
The root cause of CVE-2024-22023 is improper handling of XML entity expansion in the SAML component's XML parser. The vulnerability stems from insufficient restrictions on the number and depth of entity expansions permitted during XML document parsing. According to the associated CWE classifications (CWE-476 and CWE-703), the application fails to properly check exceptional conditions and handle error scenarios during XML processing, allowing resource exhaustion to occur.
Attack Vector
The attack is conducted over the network against the SAML authentication endpoint. An unauthenticated attacker sends specially crafted XML requests containing deeply nested or recursively defined entities to the SAML processing component. When the vulnerable XML parser processes these requests, it attempts to expand all entity definitions, consuming available memory and CPU resources on the target appliance. This results in temporary service degradation or denial of service for legitimate users attempting to authenticate.
The attack mechanism involves crafting XML documents whose entity definitions each reference the entity one level below them multiple times, so that the expanded size grows exponentially with nesting depth. For example, ten nested levels of entities, each referencing the next-lower entity ten times, expand to billions of characters from a relatively small input document.
Detection Methods for CVE-2024-22023
Indicators of Compromise
- Abnormally large SAML authentication requests containing excessive XML entity definitions
- Sudden spikes in memory or CPU utilization on Ivanti Connect Secure or Policy Secure appliances
- Increased authentication failures or timeouts during periods of elevated resource consumption
- Web server logs showing unusual XML payloads or repeated requests to SAML endpoints
Detection Strategies
- Monitor network traffic for oversized XML payloads directed at SAML authentication endpoints
- Implement intrusion detection rules to identify XML entity expansion patterns in incoming requests
- Configure alerting for abnormal resource utilization patterns on Ivanti appliances
- Review web application firewall logs for blocked or flagged XML-based attacks
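The following is an added example, not code from the page or from Ivanti, of the kind of pre-parse check a WAF or request filter could run to spot entity expansion patterns before a SAML request reaches the XML parser; it also puts numbers on the exponential growth described under Attack Vector. The sample requests, the thresholds and the function name are constructed assumptions.

```python
import re
# Constructed sample: SAML AuthnRequest with a small Billion Laughs DTD (5 levels x 10 refs).
SAMPLE_XEE = """<?xml version="1.0"?>
<!DOCTYPE samlp:AuthnRequest [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
]>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1">&lol5;</samlp:AuthnRequest>"""
# Constructed benign request: no DTD, no custom entities.
SAMPLE_BENIGN = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c2"/>'

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')

def inspect_saml_request(xml_text, max_entities=10, max_expansion=100_000):  # limits are assumptions
    """Estimate the expanded size of every entity reference in the body without expanding
    it. Returns (estimated_bytes, verdict); verdict is None if the request may be parsed."""
    decls = dict(ENTITY_DECL.findall(xml_text))
    if len(decls) > max_entities:
        return 0, f"too many entity declarations ({len(decls)})"
    cache = {}
    def size_of(name, stack):
        if name in cache:
            return cache[name]
        if name in stack:  # a -> b -> a: a parser would never finish expanding this
            raise ValueError(f"recursive entity &{name};")
        if name not in decls:
            return 0  # predefined (&amp;) or undefined; the parser rejects the latter
        body = decls[name]
        total = len(ENTITY_REF.sub("", body))  # literal characters in the value
        for ref in ENTITY_REF.findall(body):
            total += size_of(ref, stack | {name})
        cache[name] = total  # memoized, so deep nesting stays cheap to estimate
        return total
    # Only references outside the internal DTD subset expand into document content.
    end = xml_text.find("]>")
    content = xml_text[end + 2:] if end != -1 else xml_text
    try:
        estimated = sum(size_of(r, frozenset()) for r in ENTITY_REF.findall(content))
    except ValueError as exc:
        return 0, str(exc)
    if estimated > max_expansion:
        return estimated, f"entity expansion of {estimated} bytes exceeds limit"
    return estimated, None
```

The sample's 5 levels of 10 references on a 3-byte base come out at 300,000 bytes from roughly 600 bytes of input, which is the same growth the Attack Vector section describes at ten levels.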
Monitoring Recommendations
- Enable detailed logging on Ivanti Connect Secure and Policy Secure appliances for SAML authentication events
- Set up performance monitoring dashboards to track CPU, memory, and request processing times
- Configure threshold-based alerts for resource consumption anomalies that may indicate ongoing exploitation
- Correlate authentication service availability with network traffic patterns to identify attack attempts
How to Mitigate CVE-2024-22023
Immediate Actions Required
- Apply the latest security patches from Ivanti as documented in the Ivanti Security Advisory
- Review and update network access controls to limit exposure of SAML authentication endpoints
- Enable web application firewall rules to filter potentially malicious XML payloads
- Monitor appliance health metrics closely during the patching process
Patch Information
Ivanti has released security patches addressing this vulnerability along with related issues (CVE-2024-21894, CVE-2024-22052, CVE-2024-22053). Organizations should consult the Ivanti Security Advisory for specific patch versions and installation instructions for their deployed product versions. Given the wide range of affected versions (9.x and 22.x branches), organizations should verify their current version and apply the appropriate patch.
Workarounds
- Deploy a web application firewall (WAF) with XML attack detection capabilities in front of Ivanti appliances
- Implement rate limiting on SAML authentication endpoints to slow potential exploitation attempts
- Consider network segmentation to restrict access to authentication endpoints from untrusted networks
- If SAML authentication is not required, evaluate temporarily disabling it until patches can be applied
# Example: Configure rate limiting at the network level (implementation varies by firewall vendor)
# Limit connections to SAML endpoint to mitigate DoS impact
# Consult your firewall documentation for specific syntax
# Monitor system resources on Ivanti appliance
top -b -n 1 | head -20
# Check current authentication service status
# Refer to Ivanti documentation for appliance-specific commands
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.