Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-37377

CVE-2024-37377: Ivanti Connect Secure DoS Vulnerability

CVE-2024-37377 is a heap-based buffer overflow in Ivanti Connect Secure's IPsec component that enables remote attackers to trigger denial of service. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2024-37377 Overview

CVE-2024-37377 is a heap-based buffer overflow [CWE-787] in the IPsec component of Ivanti Connect Secure and Ivanti Policy Secure. The flaw affects Ivanti Connect Secure versions prior to 22.7R2.3 and related Ivanti Policy Secure builds. A remote unauthenticated attacker can send crafted IPsec traffic to trigger the overflow and cause a denial of service on the appliance. Because Connect Secure appliances typically terminate VPN sessions at the network edge, disruption of the service directly affects remote access for the entire user base. Ivanti disclosed the issue in its December 2024 security advisory.

Critical Impact

A remote unauthenticated attacker can trigger a heap-based buffer overflow in the IPsec service to crash Ivanti Connect Secure and Policy Secure gateways, disrupting VPN access for all users.

Affected Products

  • Ivanti Connect Secure versions before 22.7R2.3 (including 22.7R1, 22.7R1.1 through 22.7R1.5, and 22.7R2 through 22.7R2.2)
  • Ivanti Policy Secure 22.7R1 and 22.7R1.1
  • IPsec service component on affected Ivanti gateway appliances

Discovery Timeline

  • 2024-12-12 - CVE-2024-37377 published to NVD alongside Ivanti's December 2024 security advisory
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-37377

Vulnerability Analysis

The vulnerability resides in the IPsec handling code of Ivanti Connect Secure and Policy Secure. The IPsec daemon processes negotiation and tunneled traffic from remote peers before authentication of a VPN user completes. An attacker can reach the vulnerable code path over the network without credentials. Successful exploitation writes attacker-controlled data beyond an allocated heap buffer, corrupting adjacent heap metadata or objects. In its currently documented form, the corruption leads to a denial of service by crashing the service process. Confidentiality and integrity are not directly impacted based on the vendor's CVSS assessment, but availability of remote access is fully lost until the appliance recovers.

Root Cause

The root cause is an out-of-bounds write [CWE-787] on the heap within the IPsec code path. The service does not correctly validate the size of an attacker-supplied field against the target buffer allocation. When the field exceeds expected bounds, the copy operation writes past the end of the heap buffer, corrupting adjacent memory and destabilizing the process.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker sends malformed IPsec packets to the appliance's public-facing IPsec listener. The malformed input triggers the overflow inside the IPsec parser. The IPsec service then terminates or hangs, dropping active VPN tunnels and blocking new connections. Repeated exploitation sustains the denial of service.

No public proof-of-concept exploit is available, and the vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is 1.735% at the 74.9 percentile, indicating moderate relative exploitation likelihood among scored CVEs. Because no verified exploit code has been published, this analysis describes the mechanism in prose. See the Ivanti Security Advisory December 2024 for vendor technical details.

Detection Methods for CVE-2024-37377

Indicators of Compromise

  • Unexpected crashes, restarts, or core dumps of the IPsec service process on Ivanti Connect Secure or Policy Secure appliances
  • Sudden drops of established IPsec VPN tunnels affecting multiple users simultaneously
  • Malformed IKE or ESP packets originating from untrusted source IP addresses in perimeter firewall logs
  • Gaps in appliance telemetry aligned with IPsec service restarts

Detection Strategies

  • Monitor Ivanti appliance system and daemon logs for repeated IPsec service restarts or watchdog-triggered process recovery events
  • Inspect network telemetry for anomalous IKE_SA_INIT or IKE_AUTH exchanges with oversized payload fields directed at VPN gateways
  • Correlate SNMP or syslog events indicating VPN availability loss with inbound UDP 500 and UDP 4500 traffic spikes

Monitoring Recommendations

  • Forward Ivanti appliance syslog to a centralized SIEM and alert on IPsec daemon termination events
  • Baseline normal IPsec negotiation volume and alert on sustained anomalies from single or small sets of source IPs
  • Track appliance uptime metrics and generate alerts on unplanned reboots of edge VPN gateways

How to Mitigate CVE-2024-37377

Immediate Actions Required

  • Upgrade Ivanti Connect Secure to version 22.7R2.3 or later as specified in the December 2024 Ivanti advisory
  • Upgrade Ivanti Policy Secure to the fixed version documented by Ivanti for the 22.7R1.x branch
  • Inventory all internet-facing Ivanti gateways and prioritize patching those exposed to the public internet
  • Review appliance logs for prior IPsec service crashes that may indicate exploitation attempts

Patch Information

Ivanti addressed the issue in Ivanti Connect Secure 22.7R2.3. Patch details, download instructions, and the full list of CVEs fixed in this release are documented in the Ivanti Security Advisory December 2024. Apply the update through the standard Ivanti appliance upgrade process and validate the running version after reboot.

Workarounds

  • Restrict inbound UDP 500 and UDP 4500 on the perimeter firewall to known client source IP ranges where operationally feasible
  • Disable the IPsec VPN service on affected appliances if IPsec is not required and only SSL VPN is in use
  • Place Ivanti gateways behind an upstream device capable of rate-limiting or filtering malformed IKE traffic until patches are applied
bash
# Verify installed version on an Ivanti Connect Secure appliance
# via the admin CLI, then confirm it matches or exceeds 22.7R2.3
show version

# Example firewall rule to limit IPsec exposure to known peers
iptables -A INPUT -p udp --dport 500 -s <trusted_peer_cidr> -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -s <trusted_peer_cidr> -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j DROP
iptables -A INPUT -p udp --dport 4500 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.