Beware of wild computers.

An ethical hacking blog.


Legacy versions of Ivanti Connect Secure are affected by critical- and high-severity vulnerabilities.

Here is a simple Nmap Scripting Engine (NSE) script that can detect older, unpatched versions of Ivanti Connect Secure installations.

The logic used in the check is based on the check function used in this Metasploit Framework module:
exploit/linux/http/ivanti_connect_secure_rce_cve_2024_21893

CVE             Score  Severity
CVE-2024-29847  10     Critical
CVE-2023-39336  9.6    Critical
CVE-2024-21887  9.1    Critical
CVE-2024-21893  8.2    High
CVE-2023-46805  8.2    High

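-- ivanti-unpatched.nse
local http = require("http")
local nmap = require("nmap")

description = [[
Detects older, unpatched Ivanti Connect Secure installations by requesting
/status and looking for the string "Pulse Secure" in the response body.
]]

-- NSE refuses to load a script that has no categories table.
categories = {"discovery", "safe"}

-- Run against any open TCP port, provided 443/tcp is open on the host.
portrule = function(host, port)
  local https_port = { number = 443, protocol = "tcp" }
  local https_state = nmap.get_port_state(host, https_port)

  return https_state ~= nil and https_state.state == "open" and port.protocol == "tcp" and port.state == "open"
end

-- Returns true when the /status body contains "Pulse Secure".
local function is_ivanti_unpatched(host, port)
  -- Pass the host and port tables so the http library can use service detection results.
  local response = http.get(host, port, "/status")

  -- A failed request has no body; treat it as no match instead of raising an error.
  if not response or not response.body then
    return false
  end

  -- Plain-text search (no Lua pattern matching).
  return string.find(response.body, "Pulse Secure", 1, true) ~= nil
end

action = function(host, port)
  if is_ivanti_unpatched(host, port) then
    return "Unpatched"
  else
    return "Unknown"
  end
end
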
$ nmap -sV -p443 --script ivanti-unpatched.nse 127.0.0.1

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 11:12 PDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000057s latency).

PORT    STATE SERVICE VERSION
443/tcp open  http    SimpleHTTPServer 0.6 (Python 3.12.3)
|_http-server-header: SimpleHTTP/0.6 Python/3.12.3
|_ivanti-unpatched: Patched

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.16 seconds
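
The sample run above targets Python's SimpleHTTPServer, which does not serve the "Pulse Secure" marker, so only the no-match branch is exercised. As an added example (not part of the original post), this Python fixture serves a constructed /status body on a free local port and applies the same substring decision as the script, so both branches can be tested offline; `make_fixture`, `check_status` and `run_fixture` are hypothetical names.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = b"Pulse Secure"  # string the page's NSE script looks for in /status


def make_fixture(status_body):
    """Start a local server whose /status returns status_body (constructed data)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == "/status" and status_body is not None:
                self.send_response(200)
                self.send_header("Content-Length", str(len(status_body)))
                self.end_headers()
                self.wfile.write(status_body)
            else:
                self.send_error(404)

        def log_message(self, *args):  # keep the run quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def check_status(host, port, timeout=5):
    """Same decision as the NSE script: marker in the /status body -> "Unpatched"."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    try:
        with opener.open(f"http://{host}:{port}/status", timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        body = err.read()   # a non-2xx response still carries a body to inspect
    except (urllib.error.URLError, OSError):
        return "Unknown"    # no response at all: nothing to match against
    return "Unpatched" if MARKER in body else "Unknown"


def run_fixture(status_body):
    """Serve status_body once, run the check against it, then stop the server."""
    server = make_fixture(status_body)
    try:
        return check_status("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
```
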

Sources:

by _tephen