Heap overflow in IPSec of Ivanti Connect Secure
CVE-2024-22053 Published on April 4, 2024

A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack or in certain conditions read contents from memory.

NVD

Weakness Type

Improper Check or Handling of Exceptional Conditions

The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.

Products Associated with CVE-2024-22053

stack.watch emails you whenever new vulnerabilities are published in Ivanti Connect Secure or Ivanti Policy Secure. Just hit a watch button to start following.

Ivanti Connect Secure

Ivanti Policy Secure

Affected Versions

Ivanti Connect Secure:

Version 22.1R6.2 and below 22.1R6.2 is affected.
Version 22.2R4.2 and below 22.2R4.2 is affected.
Version 22.3R1.2 and below 22.3R1.2 is affected.
Version 22.4R1.2 and below 22.4R1.2 is affected.
Version 22.4R2.4 and below 22.4R2.4 is affected.
Version 22.5R1.3 and below 22.5R1.3 is affected.
Version 22.5R2.4 and below 22.5R2.4 is affected.
Version 22.6R2.3 and below 22.6R2.3 is affected.
Version 9.1R14.6 and below 9.1R14.6 is affected.
Version 9.1R15.4 and below 9.1R15.4 is affected.
Version 9.1R16.4 and below 9.1R16.4 is affected.
Version 9.1R17.4 and below 9.1R17.4 is affected.
Version 9.1R18.5 and below 9.1R18.5 is affected.

Ivanti Policy Secure:

Version 22.4R1.2 and below 22.4R1.2 is affected.
Version 22.5R1.3 and below 22.5R1.3 is affected.
Version 22.6R1.2 and below 22.6R1.2 is affected.
Version 9.1R16.4 and below 9.1R16.4 is affected.
Version 9.1R17.4 and below 9.1R17.4 is affected.
Version 9.1R18.5 and below 9.1R18.5 is affected.

ivanti connect_secure:

Version 9.1R18.5 is affected.
Version 22.6R2.3 is affected.
Version 9.1R17.4 is affected.
Version 22.2R3 is affected.
Version 22.5R2.4 is affected.
Version 9.1R14.6 is affected.
Version 9.1R15.4 is affected.
Version 22.2R4.2 is affected.
Version 22.4R1.2 is affected.
Version 22.6R1.2 is affected.
Version 22.1R6.2 is affected.
Version 22.3R1.2 is affected.
Version 22.4R2.4 is affected.
Version 22.5R1.3 is affected.

ivanti policy_secure:

Version 22.5R1.3 is affected.
Version 9.1R18.5 is affected.
Version 9.1R17.4 is affected.
Version 22.2R3 is affected.

ivanti connect_secure:

Version 9.1R18.5 is affected.
Version 22.6R2.3 is affected.
Version 9.1R17.4 is affected.
Version 22.2R3 is affected.
Version 22.5R2.4 is affected.
Version 9.1R14.6 is affected.
Version 9.1R15.4 is affected.
Version 22.2R4.2 is affected.
Version 22.4R1.2 is affected.
Version 22.6R1.2 is affected.
Version 22.1R6.2 is affected.
Version 22.3R1.2 is affected.
Version 22.4R2.4 is affected.
Version 22.5R1.3 is affected.

ivanti policy_secure:

Version 22.4R1.2 is affected.
Version 22.5R1.3 is affected.
Version 22.6R1.2 is affected.
Version 9.1R16.4 is affected.
Version 9.1R17.4 is affected.
Version 9.1R18.5 is affected.

Exploit Probability

EPSS

7.42%

Percentile

91.58%