{"id":3373,"date":"2024-10-16T14:32:52","date_gmt":"2024-10-16T06:32:52","guid":{"rendered":"https:\/\/blog.billows.com.tw\/?p=3373"},"modified":"2024-10-16T14:45:54","modified_gmt":"2024-10-16T06:45:54","slug":"%e7%96%91%e4%bc%bc%e5%9c%8b%e5%ae%b6%e7%b4%9a%e9%a7%ad%e5%ae%a2%e5%88%a9%e7%94%a8-ivanti-%e9%9b%b2%e7%ab%af%e6%9c%8d%e5%8b%99%e8%a8%ad%e5%82%99-csa-%e4%b8%ad%e7%9a%84%e9%9b%b6%e6%97%a5%e6%bc%8f","status":"publish","type":"post","link":"https:\/\/blog.billows.com.tw\/?p=3373","title":{"rendered":"\u7591\u4f3c\u4e2d\u570b\u570b\u5bb6\u7d1a\u99ed\u5ba2\u5229\u7528 Ivanti \u96f2\u7aef\u670d\u52d9\u8a2d\u5099 (CSA) \u4e2d\u7684\u96f6\u65e5\u6f0f\u6d1e\u767c\u52d5\u653b\u64ca"},"content":{"rendered":"\n<p>Ivanti Cloud Service Appliance (CSA) \u7684\u4e09\u500b\u96f6\u65e5\u6f0f\u6d1e\u906d\u5230\u99ed\u5ba2\u5229\u7528<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"728\" height=\"380\" src=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2024\/10\/ivanti.webp\" alt=\"\" class=\"wp-image-3374\" srcset=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2024\/10\/ivanti.webp 728w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2024\/10\/ivanti-300x157.webp 300w\" sizes=\"auto, (max-width: 728px) 100vw, 728px\" \/><figcaption class=\"wp-element-caption\">Photo Credit: The Hacker News<\/figcaption><\/figure>\n\n\n\n<p>Fortinet (\u7db2\u8def\u5b89\u5168\u516c\u53f8) FortiGuard Labs \u7684\u7814\u7a76\u4eba\u54e1\u8b66\u544a\uff0c\u7591\u4f3c\u570b\u5bb6\u652f\u6301\u7684\u7db2\u8def\u5a01\u8105\u8005\u6b63\u5728\u5229\u7528 Ivanti (IT\u8edf\u9ad4\u516c\u53f8) \u96f2\u7aef\u670d\u52d9\u8a2d\u5099 Cloud Service Appliance (CSA) \u4e2d\u7684\u4e09\u500b\u96f6\u65e5\u6f0f\u6d1e\u4f86\u9032\u884c\u60e1\u610f\u6d3b\u52d5\u3002<\/p>\n\n\n\n<p>\u9019\u4e09\u500b\u6f0f\u6d1e\u5206\u5225\u662f\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/securityaffairs.com\/169553\/hacking\/ivanti-csa-zero-days-actively-exploited.html\">CVE-2024-9380<\/a>&nbsp;<\/strong>(CVSS \u5206\u6578\uff1a7.2) \u2013 Ivanti CSA 5.0.2 \u4e4b\u524d\u7248\u672c\u7684\u7ba1\u7406\u54e1\u7db2\u9801\u63a7\u5236\u53f0\u4e2d\u5b58\u5728\u7684\u4f5c\u696d\u7cfb\u7d71\u6307\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u3002\u5177\u6709\u7ba1\u7406\u54e1\u6b0a\u9650\u7684\u9060\u7aef\u8eab\u4efd\u9a57\u8b49\u653b\u64ca\u8005\u53ef\u5229\u7528\u8a72\u6f0f\u6d1e\u57f7\u884c\u9060\u7aef\u7a0b\u5f0f\u78bc\u3002<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/securityaffairs.com\/169553\/hacking\/ivanti-csa-zero-days-actively-exploited.html\">CVE-2024-8190<\/a><\/strong> (CVSS \u5206\u6578\uff1a7.2) \u2013 Ivanti CSA 4.6 Patch 518 \u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u7684\u6307\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u3002\u5177\u5099\u7ba1\u7406\u54e1\u6b0a\u9650\u7684\u9060\u7aef\u8eab\u4efd\u9a57\u8b49\u653b\u64ca\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u9032\u884c\u9060\u7aef\u7a0b\u5f0f\u78bc\u7684\u57f7\u884c\u3002<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/securityaffairs.com\/169553\/hacking\/ivanti-csa-zero-days-actively-exploited.html\">CVE-2024-8963<\/a><\/strong> (CVSS \u5206\u6578\uff1a9.4) \u2013 Ivanti CSA 4.6 Patch 519 \u4e4b\u524d\u7684\u7248\u672c\u5b58\u5728\u8def\u5f91\u904d\u6b77 (path traversal) \u6f0f\u6d1e\u3002\u672a\u7d93\u8eab\u4efd\u9a57\u8b49\u7684\u9060\u7aef\u653b\u64ca\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u5b58\u53d6\u90e8\u5206\u529f\u80fd\u3002<\/li>\n<\/ul>\n\n\n\n<p>\u800c\u5176\u4e2d\u6700\u4e3b\u8981\u7684\u6f0f\u6d1e\u662f CVE-2024-8190\uff0c\u5b83\u5141\u8a31\u9060\u7aef\u57f7\u884c\u7a0b\u5f0f\u78bc\u3002\u7136\u800c\uff0c\u5229\u7528\u8a72\u6f0f\u6d1e\u9700\u8981\u66f4\u9ad8\u7684\u6b0a\u9650\uff0c\u653b\u64ca\u8005\u5c07\u6b64\u6f0f\u6d1e\u8207\u5176\u4ed6 CSA \u6f0f\u6d1e\uff08\u4f8b\u5982 CVE-2024-8963\u3001CVE-2024-9379 \u548c CVE-2024-9380\uff09\u806f\u5408\u8d77\u4f86\u5229\u7528\uff0c\u4ee5\u9054\u5230\u8a8d\u8b49\u6240\u9700\u3002<\/p>\n\n\n\n<p>\u6839\u64da\u7db2\u8def\u5b89\u5168\u516c\u53f8 Fortinet \u7684\u5206\u6790\uff0c\u653b\u64ca\u8005\u5229\u7528\u9019\u4e9b CSA \u96f6\u65e5\u6f0f\u6d1e\u5165\u4fb5\u7cfb\u7d71\uff0c\u7136\u5f8c\u9032\u884c\u6a6b\u5411\u79fb\u52d5\u3001\u90e8\u7f72 web shell (\u4e00\u7a2e\u7db2\u9801\u60e1\u610f\u7a0b\u5f0f)\u3001\u8490\u96c6\u8cc7\u8a0a\u3001\u9032\u884c\u6383\u63cf\u548c\u66b4\u529b\u7834\u89e3\u653b\u64ca (Brute-force attack)\uff0c\u4e26\u5229\u7528\u88ab\u99ed\u7684 Ivanti \u8a2d\u5099\u4f86\u4ee3\u7406\u6d41\u91cf (proxying traffic)\u3002<\/p>\n\n\n\n<p>Fortinet \u7684\u516c\u544a\u6307\u51fa\uff1a\u300c\u6211\u5011\u89c0\u5bdf\u5230\u6709\u9ad8\u968e\u7db2\u8def\u653b\u64ca\u8005\u5229\u7528\u9019\u4e09\u500b\u5f71\u97ff Ivanti CSA \u7684\u6f0f\u6d1e\u3002\u5728\u6211\u5011\u8457\u624b\u8abf\u67e5\u6642\uff0c\u9019\u5176\u4e2d\u7684\u5169\u500b\u6f0f\u6d1e\u9084\u5c1a\u672a\u88ab\u516c\u958b\u3002\u6b64\u6b21\u4e8b\u4ef6\u986f\u793a\u4e86\u7db2\u8def\u5a01\u8105\u8005\u5982\u4f55\u4e32\u806f\u591a\u500b\u96f6\u65e5\u6f0f\u6d1e\u4ee5\u53d6\u5f97\u76ee\u6a19\u7db2\u8def\u7684\u521d\u59cb\u5b58\u53d6\u6b0a\u3002\u300d<\/p>\n\n\n\n<p>\u7db2\u8def\u653b\u64ca\u8005\u5229\u7528\u96f6\u65e5\u6f0f\u6d1e\u7372\u53d6\u672a\u7d93\u8eab\u4efd\u9a57\u8b49\u7684 CSA \u5b58\u53d6\u6b0a\uff0c\u5217\u8209 (enumerate) CSA \u8a2d\u5099\u4e2d\u7684\u7528\u6236\uff0c\u4e26\u8a66\u5716\u53d6\u5f97\u4ed6\u5011\u7684\u6191\u8b49\u3002\u4e00\u65e6\u653b\u64ca\u8005\u53d6\u5f97\u4e86 gsbadmin \u548c admin \u6191\u8b49\u5f8c\uff0c\u4fbf\u53ef\u5229\u7528 \/gsb\/reports.php \u4e2d\u7684\u6307\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff0c\u4e26\u4e14\u90e8\u7f72\u4e00\u7a2eweb shell\u300chelp.php\u300d\u3002<\/p>\n\n\n\n<p>2024 \u5e74 9 \u6708 10 \u65e5\uff0c<a href=\"https:\/\/securityaffairs.com\/168617\/security\/ivanti-cloud-services-appliance-cve-2024-8963.html\">Ivanti \u91dd\u5c0d CVE-2024-8190<\/a> \u767c\u5e03\u4e86\u901a\u5831\uff0c\u906d\u99ed\u7db2\u8def\u4e2d\u7684\u5a01\u8105\u653b\u64ca\u8005\u300c\u4fee\u88dc\u300d\u4e86\u5728 DateTimeTab.php \u548c reports.php \u4e2d\u88ab\u5229\u7528\u7684\u6307\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff0c\u5176\u539f\u56e0\u53ef\u80fd\u662f\u70ba\u4e86\u9632\u7bc4\u5176\u4ed6\u5165\u4fb5\u8005\u4e5f\u5229\u7528\u9019\u4e9b\u6f0f\u6d1e\u3002\u653b\u64ca\u8005\u5c07\u53c3\u6578 TW_ID \u548c TIMEZONE \u4e2d\u7684\u5206\u865f\u66ff\u63db\u70ba\u5e95\u7dda\uff0c\u81f4\u4f7f\u9019\u4e9b\u6f0f\u6d1e\u7121\u6548\u3002\u6b64\u6280\u8853\u5df2\u7d93\u904e\u6e2c\u8a66\u8b49\u5be6\uff0c\u7531\u6b64\u53ef\u4ee5\u770b\u51fa\u7db2\u8def\u653b\u64ca\u8005\u8a66\u5716\u7368\u4f54\u4fb5\u5165\u74b0\u5883\u7684\u5b58\u53d6\u6b0a\u3002<\/p>\n\n\n\n<p>Fortinet \u7684\u7814\u7a76\u4eba\u54e1\u5728\u9032\u884c\u8a18\u61b6\u9ad4\u5206\u6790\u6642\u767c\u73fe\uff0c\u7db2\u8def\u5a01\u8105\u8005\u4f7f\u7528\u4e86\u4e00\u7a2e\u540d\u70ba ReverseSocks5 \u7684\u4ee3\u7406\u5de5\u5177\uff0c\u900f\u904e CSA \u8a2d\u5099\u767c\u52d5\u5167\u90e8\u7db2\u8def\u653b\u64ca\u30022024 \u5e74 9 \u6708 7 \u65e5\u7684\u65e5\u8a8c\u986f\u793a\uff0c\u653b\u64ca\u8005\u8a66\u5716\u5728\u53d7\u611f\u67d3\u7684\u7cfb\u7d71\u4e0a\u90e8\u7f72 Linux \u6838\u5fc3\u6a21\u7d44 rootkit (\u507d\u88dd\u6210\u9a45\u52d5\u7a0b\u5f0f\u8f09\u5165\u5230\u4f5c\u696d\u7cfb\u7d71\u6838\u5fc3\u4e2d\u7684\u60e1\u610f\u8edf\u9ad4)\uff0c\u53ef\u80fd\u662f\u70ba\u4e86\u5373\u4f7f\u8a2d\u5099\u6062\u5fa9\u51fa\u5ee0\u8a2d\u7f6e\uff0c\u4f9d\u820a\u80fd\u5920\u7dad\u6301\u6301\u7e8c\u6027\u7684\u5b58\u53d6\u6b0a\u9650\u3002\u9019\u90e8\u5206\u4e5f\u8207\u4e4b\u524d Ivanti CSA \u8a2d\u5099\u906d\u5165\u4fb5\u7684\u5831\u544a\u5167\u5bb9\u4e00\u81f4\u3002<\/p>\n\n\n\n<p>\u5831\u544a\u7e3d\u7d50\u9053\uff1a\u300c\u6211\u5011\u89c0\u5bdf\u5230\u6709\u9ad8\u968e\u7684\u7db2\u8def\u653b\u64ca\u8005\u5229\u7528\u4e26\u4e32\u806f\u96f6\u65e5\u6f0f\u6d1e\uff0c\u85c9\u4ee5\u5efa\u7acb\u9032\u8ecd\u76ee\u6a19\u7db2\u8def\u7684\u524d\u54e8\u7ad9\u3002\u66f4\u591a\u95dc\u65bc Ivanti CSA \u96f6\u65e5\u653b\u64ca\u7684\u8a73\u60c5\u53ef\u53c3\u95b1\u6211\u5011\u7684\u5a01\u8105\u4fe1\u865f\u5831\u544a<a href=\"https:\/\/www.fortiguard.com\/threat-signal-report\/5556\">https:\/\/www.fortiguard.com\/threat-signal-report\/5556<\/a>\u3002\u300d<\/p>\n\n\n\n<p>Fortinet \u4e5f\u63d0\u5230\uff0c\u9019\u6b21\u653b\u64ca\u53ef\u80fd\u662f\u7531\u67d0\u500b\u570b\u5bb6\u652f\u6301\u7684\u99ed\u5ba2\u7d44\u7e54\u6240\u767c\u52d5\u7684\uff0c\u76ee\u524d\u5c1a\u672a\u78ba\u8a8d\u5177\u9ad4\u7684\u5a01\u8105\u7d44\u7e54\u8eab\u4efd\u3002\u7136\u800c\uff0c\u6709\u7814\u7a76\u4eba\u54e1\u6307\u51fa\uff0cFortinet \u516c\u5e03\u7684\u4e00\u500b\u4f5c\u70ba\u5165\u4fb5\u6307\u6a19 (IoC) \u7684 IP\uff0c\u5148\u524d\u66fe\u88ab\u6b78\u548e\u65bc UNC4841\uff0c\u9019\u662f\u4e00\u500b\u8207\u4e2d\u570b\u6709\u95dc\u806f\u7684\u99ed\u5ba2\u7d44\u7e54\uff0c\u8a72\u7d44\u7e54\u5728 2023 \u5e74\u672b\u88ab\u767c\u73fe\u5230\u4ed6\u5011\u5229\u7528\u7db2\u8def\u8a2d\u5099\u5ee0\u5546 Barracuda \u7522\u54c1\u7684\u96f6\u65e5\u6f0f\u6d1e\u9032\u884c\u6d3b\u52d5\u3002<\/p>\n\n\n\n<p>\u773e\u6240\u5468\u77e5\uff0c\u4e2d\u570b\u652f\u6301\u7684\u99ed\u5ba2\u7d44\u7e54\u6703\u5728\u5176\u884c\u52d5\u4e2d\u5229\u7528 Ivanti \u7522\u54c1\u7684\u96f6\u65e5\u6f0f\u6d1e\u3002\u53e6\u5916\u503c\u5f97\u6ce8\u610f\u7684\u662f\uff0cFortinet \u7684\u6700\u65b0\u5831\u544a\u4e2d\u63d0\u5230\uff0c\u90e8\u5206\u89c0\u5bdf\u5230\u7684\u60e1\u610f\u6d3b\u52d5\u8207\u4e4b\u524d\u4e2d\u570b\u6709\u95dc\u806f\u7684 Ivanti \u7db2\u8def\u653b\u64ca\u4e8b\u4ef6\u975e\u5e38\u985e\u4f3c\u3002<\/p>\n\n\n\n<p>Ivanti CSA\u96f6\u65e5\u6f0f\u6d1e\u76f8\u95dc\u7684\u90e8\u5206\u7684\u5165\u4fb5\u6307\u6a19\uff08IOCs\uff09:<\/p>\n\n\n\n<p>64efc1aad330ea9d98c0c705e16cd4b3af7e74f8<\/p>\n\n\n\n<p>beb723a5f20a1a2c4375f9aa250d968d55155689<\/p>\n\n\n\n<p>6edd7b3123de985846a805931ca8ee5f6f7ed7b160144aa0e066967bc7c0423a<\/p>\n\n\n\n<p>8d016d02f8fbe25dce76481a90dd0b48630ce9e74e8c31ba007cf133e48b8526<\/p>\n\n\n\n<p>d57a2cac394a778e19ce9b926f2e0a71936510798f30d20f207f2a49b49ce7b1<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ivanti Cloud Service Appliance (CSA) \u7684\u4e09\u500b\u96f6\u65e5\u6f0f\u6d1e\u906d\u5230\u99ed\u5ba2\u5229\u7528 Fort <a class=\"read-more\" href=\"https:\/\/blog.billows.com.tw\/?p=3373\">READ MORE<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[183,174],"class_list":["post-3373","post","type-post","status-publish","format-standard","hentry","category-6","tag-iocs","tag-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/3373","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3373"}],"version-history":[{"count":4,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/3373\/revisions"}],"predecessor-version":[{"id":3380,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/3373\/revisions\/3380"}],"wp:attachment":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3373"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3373"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3373"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}