Denial of Service in Ivanti Secure Access Client Driver

See all Vulnerability notices

Date: 10-11-2023

CVE NUMBER

CVE-2023-38543

CVSS SCORE

8.2 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

SUMMARY

Ivanti's Secure Access Client (formerly Pulse Secure Access Client), an enterprise VPN client, is vulnerable to improper input validation. The vulnerability exists inside one of the kernel drivers included in the software package named `jnprva.sys`. Exploiting this vulnerability could lead to a denial of service of the local system.

Impacted Versions

The bug has been present since at least 2018. At least the following versions are affected.

• Pulse Secure VPN version 9.1R18 and lower.
• Ivanti Secure Access version 22.6R1 and lower.

DETAILS

Several IOCTL handlers (for example `0x80002018`) inside the `jnprva.sys` driver perform pointer dereferences on improperly validated input data. Passing an invalid pointer value for the following input field will result in a blue screen:

The result:

TIMELINE

• 16-03-2023 – Initial notice to DIVD
• 20-03-2023 – First reply from Ivanti regarding their responsible disclosure policy
• 13-06-2023 – Northwave shares vulnerability details and PoC with Ivanti
• 09-09-2023 – Ivanti notifies Northwave of planned patch release date
• 17-10-2023 – Planned Vendor Patch Release (not achieved)
• 09-11-2023 – Vendor Patch Release
• 09-11-2023 – Public Release

REFERENCE

Ivanti Security Advisory: https://forums.ivanti.com/s/article/Security-fixes-included-in-the-latest-Ivanti-Secure-Access-Client-Release

Northwave published an extensive blog post with all details of the vulnerability: https://northwave-cybersecurity.com/ivanti-pulse-vpn-privilege-escalation”.

CREDIT

Discovered by Tijme Gommers & Alex Oudenaarden of Northwave Cybersecurity.