
Date: 10-11-2023

CVE NUMBER

CVE-2023-38043

CVSS SCORE

9.3 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

SUMMARY

Ivanti's Secure Access Client (formerly Pulse Secure Access Client), an enterprise VPN client, contains an arbitrary kernel function call vulnerability. The vulnerability is in `jnprva.sys`, one of the kernel drivers included in the software package. Exploiting this vulnerability could lead to code execution in the kernel or privilege escalation from an unprivileged user context.

Impacted Versions

The bug has been present since at least 2018. At least the following versions are affected.

  • Pulse Secure VPN version 9.1R18 and lower.
  • Ivanti Secure Access version 22.6R1 and lower.

DETAILS

The handler for IOCTL number `0x8000204C` interprets part of the user-controlled input buffer as a pointer to an `IO_CSQ` struct. The pointer is passed to the kernel API `IoCsqRemoveIrp`.

`IoCsqRemoveIrp` calls three function pointers that are contained inside the `IO_CSQ` struct. Passing a pointer to the kernel function `HalMakeBeep` in our input buffer and calling the IOCTL will result in the execution of the API.
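The root cause described above is a handler that trusts a pointer taken from the IOCTL input buffer. The following user-mode C model is an added example, not code from `jnprva.sys` or from Ivanti's patch: it shows a common hardening pattern in which the caller supplies only an index that the driver resolves in its own table. The names `queue_t`, `queue_create` and `handle_remove_ioctl` are hypothetical, and `queue_t` is a simplified stand-in for `IO_CSQ`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for IO_CSQ: only the three callbacks the text mentions. */
typedef struct queue {
    void (*acquire_lock)(struct queue *);
    void (*remove_irp)(struct queue *);
    void (*release_lock)(struct queue *);
    int removed;                      /* counts completed removals */
} queue_t;
enum { ST_OK = 0, ST_BAD_LENGTH = -1, ST_BAD_HANDLE = -2 };
#define MAX_QUEUES 4
static queue_t g_queues[MAX_QUEUES];  /* objects live in driver-owned memory */
static int g_in_use[MAX_QUEUES];

static void q_lock(queue_t *q)   { (void)q; }
static void q_unlock(queue_t *q) { (void)q; }
static void q_remove(queue_t *q) { q->removed++; }

/* Driver-side creation: the caller only ever receives the slot index. */
int queue_create(void) {
    for (int i = 0; i < MAX_QUEUES; i++) {
        if (!g_in_use[i]) {
            g_queues[i] = (queue_t){ q_lock, q_remove, q_unlock, 0 };
            g_in_use[i] = 1;
            return i;
        }
    }
    return -1;
}

/* Hardened handler: caller bytes are parsed as an index, never cast to a pointer. */
int handle_remove_ioctl(const void *in, size_t in_len) {
    uint32_t id;
    if (in == NULL || in_len != sizeof id) return ST_BAD_LENGTH;
    memcpy(&id, in, sizeof id);
    if (id >= MAX_QUEUES || !g_in_use[id]) return ST_BAD_HANDLE;
    queue_t *q = &g_queues[id];       /* callbacks come from the driver's own table */
    q->acquire_lock(q);
    q->remove_irp(q);
    q->release_lock(q);
    return ST_OK;
}

int main(void) {
    uint32_t id = (uint32_t)queue_create();
    return handle_remove_ioctl(&id, sizeof id) == ST_OK ? 0 : 1;
}
```

Because the callbacks are only ever read from `g_queues`, no value in the input buffer can choose which function the handler calls.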

TIMELINE

  • 16-03-2023 – Initial notice to DIVD
  • 20-03-2023 – First reply from Ivanti regarding their responsible disclosure policy
  • 13-06-2023 – Northwave shares vulnerability details and PoC with Ivanti
  • 09-09-2023 – Ivanti notifies Northwave of planned patch release date
  • 17-10-2023 – Planned Vendor Patch Release (not achieved)
  • 09-11-2023 – Vendor Patch Release
  • 09-11-2023 – Public Release

REFERENCE

Ivanti Security Advisory: https://forums.ivanti.com/s/article/Security-fixes-included-in-the-latest-Ivanti-Secure-Access-Client-Release

CREDIT

Discovered by Tijme Gommers & Alex Oudenaarden of Northwave Cybersecurity.


Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.