Mirai botnet exploits Ivanti Connect Secure vulnerabilities to deliver malicious payloads

Published 2024-05-10 (blog.billows.com.tw)

Two recently disclosed security vulnerabilities in Ivanti Connect Secure (ICS) appliances are being used to deploy the notorious Mirai botnet.

According to a report by researchers at Juniper Threat Labs (https://blogs.juniper.net/en-us/security/protecting-your-network-from-opportunistic-ivanti-pulse-secure-vulnerability-exploitation), attackers are exploiting two zero-day vulnerabilities in Connect Secure (ICS) and Policy Secure (CVE-2023-46805 and CVE-2024-21887) to execute arbitrary commands remotely on targeted gateways. CVE-2023-46805 (CVSS score 8.2) is an authentication bypass in the web component of Ivanti ICS 9.x and 22.x and of Ivanti Policy Secure; it lets an attacker bypass control checks to access restricted resources. CVE-2024-21887 (CVSS score 9.1) is a command injection vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure; an authenticated administrator can exploit it by sending specially crafted requests and executing arbitrary commands on the appliance. By chaining the two vulnerabilities, an attacker can send crafted requests to an unpatched system and execute arbitrary commands.

Ivanti's advisory (https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US) states that when CVE-2024-21887 is combined with CVE-2023-46805, exploitation requires no authentication and allows an attacker to craft malicious requests and execute arbitrary commands on the system.

In the observed instances, the attackers used CVE-2023-46805 to gain access to the endpoint "/api/v1/license/key-status/;". They then used the command injection vulnerability to inject their payload.

The following is the request used in the attacks observed by the researchers:

GET /api/v1/totp/user-backup-code/../../license/keys-status/{Any Command}

Instances were observed in which the attackers used curl and a Python-based reverse shell to exploit the vulnerability, giving them control of the vulnerable systems. The researchers report encountering Mirai payloads delivered through shell scripts. One of the observed requests contained an encoded URL which, when decoded, revealed a sequence of commands that attempted to wipe files, download a script from a remote server, set executable permissions and run the script. The script then traversed the system directories, downloaded a file from a specific URL, granted it execute permission and ran it with specific parameters. The researchers analysed the payload and identified it as the Mirai botnet.

(Figure: observed request and decoded command sequence. Photo credit: Juniper)

The researchers further note that the growing number of attempts to exploit the authentication bypass and remote code execution vulnerabilities in Ivanti Pulse Secure poses a significant threat to network security. The discovery of Mirai being distributed through these vulnerabilities highlights the constantly changing threat landscape. The fact that Mirai is spreading through this vulnerability also means that the deployment of other harmful malware and ransomware can be expected. Understanding how these vulnerabilities are exploited and identifying the specific threats they create is therefore critical to defending against the potential risk.

The post also lists six SHA-256 file hashes as partial indicators of compromise (IOCs) for the Mirai botnet.