
Query

**šˆšÆššš§š­š¢ š•š®š„š§šžš«ššš›š¢š„š¢š­š¢šžš¬ š‚š•š„-šŸšŸŽšŸšŸ“-šŸŽšŸšŸ–šŸ (šŸ—.šŸŽ Critical šŸŽ-šƒššš² š•š®š„š§.) ššš§š š‚š•š„-šŸšŸŽšŸšŸ“-šŸŽšŸšŸ–šŸ‘ (šŸ•.šŸŽ High)**

š‚š•š„-šŸšŸŽšŸšŸ“-šŸŽšŸšŸ–šŸ  9.0 (Critical) 
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution. 

š‚š•š„-šŸšŸŽšŸšŸ“-šŸŽšŸšŸ–šŸ‘ 7.0 (High)
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges. 

This query detects versions of Ivanti Connect Secure older than 22.7R2.5; affected devices should be updated as soon as possible using the patch provided by Ivanti.

**Ivanti Secure Access Client** (software names matched by the query):
ivanti_secure_access = VPN client only
pulse_application_launcher = VPN client with launcher (needed for MFA login with the mini browser in the client)


```
DeviceTvmSoftwareInventory
| where SoftwareVendor has "ivanti"
// Drop the dots so the version can be compared as a number, e.g. "22.7.2.3980" -> "22723980"
| extend SoftwareVersionD = replace_string(SoftwareVersion, ".", "")
// Keep the first five digits (major, minor, patch); toint() returns null for non-numeric input
| extend firstDigits = toint(substring(SoftwareVersionD, 0, 5))
// Versions below the cutoff, limited to the two VPN client packages
| where firstDigits < 22731 and (SoftwareName startswith "ivanti_secure_access" or SoftwareName has "pulse_application_launcher")
| distinct DeviceName, SoftwareVersion, SoftwareName, SoftwareVendor
```

Explanation

This query is designed to identify devices that have outdated versions of certain Ivanti software, which are vulnerable to specific security issues. Here's a breakdown of what the query does:

1. Data Source: It looks at DeviceTvmSoftwareInventory, the table of software installed on devices.

2. Filter by Vendor: It filters the records to only include software from the vendor "Ivanti".

3. Version Processing:
   - It removes the dots from SoftwareVersion to create a numeric string (SoftwareVersionD).
   - It extracts the first five digits of this numeric string to create firstDigits.

4. Version Check:
   - It checks whether firstDigits is less than 22731. This is a way to identify versions of the software that are older than 22.7R2.5, which are vulnerable to the specified CVEs.

5. Software Type:
   - It further filters the results to include only specific software types: "ivanti_secure_access" or "pulse_application_launcher". These are types of VPN clients, with the latter being necessary for multi-factor authentication (MFA) login.

6. Output:
   - It lists distinct devices (DeviceName) along with the software version, name and vendor, which need to be updated to mitigate the vulnerabilities.

In simple terms, this query helps identify devices running outdated and vulnerable Ivanti VPN software that should be updated immediately to protect against critical security threats.
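As an added illustration that is not part of the original query or the author's code, the Python below replays the query's digit-stripping version check over a few constructed inventory rows next to a component-wise comparison, to show where the two disagree: a non-numeric string such as 22.7R2.5 is dropped silently because toint() yields null, and a component of two or more digits such as 22.7.10.x sorts below 22.7.3 once the dots are removed. The device names, the version strings and the FIXED_VERSION tuple (the 22731 cutoff read as 22.7.3.1) are assumptions made for the example.

```python
import re
from typing import Optional

# Constructed sample rows shaped like DeviceTvmSoftwareInventory; the version
# strings are made up for the example and are not real Ivanti build numbers.
INVENTORY = [
    {"DeviceName": "lt-001", "SoftwareVendor": "ivanti",
     "SoftwareName": "ivanti_secure_access", "SoftwareVersion": "22.7.2.3980"},
    {"DeviceName": "lt-002", "SoftwareVendor": "ivanti",
     "SoftwareName": "ivanti_secure_access", "SoftwareVersion": "22.7.3.2103"},
    {"DeviceName": "lt-003", "SoftwareVendor": "ivanti",
     "SoftwareName": "pulse_application_launcher", "SoftwareVersion": "22.7.1.100"},
    {"DeviceName": "lt-004", "SoftwareVendor": "ivanti",
     "SoftwareName": "ivanti_secure_access", "SoftwareVersion": "22.7.10.5"},
    {"DeviceName": "lt-005", "SoftwareVendor": "ivanti",
     "SoftwareName": "ivanti_secure_access", "SoftwareVersion": "22.7R2.5"},
    {"DeviceName": "ws-009", "SoftwareVendor": "microsoft",
     "SoftwareName": "edge", "SoftwareVersion": "131.0.2903.86"},
]

TARGET_NAMES = ("ivanti_secure_access", "pulse_application_launcher")
KQL_CUTOFF = 22731                 # the numeric threshold used by the query
FIXED_VERSION = (22, 7, 3, 1)      # the same cutoff read component-wise (assumption)


def kql_first_digits(version: str) -> Optional[int]:
    """Mirror the query: drop dots, keep the first five characters, toint()."""
    head = version.replace(".", "")[:5]
    return int(head) if head.isdigit() else None   # toint() yields null otherwise


def parse_components(version: str) -> tuple:
    """Split '22.7.3.2103' or '22.7R2.5' into a tuple of integers for ordering."""
    return tuple(int(p) for p in re.split(r"[.R]", version) if p.isdigit())


def vulnerable_devices(rows, method: str = "kql") -> list:
    """Return device names the chosen comparison flags as below the fixed version."""
    flagged = []
    for row in rows:
        if "ivanti" not in row["SoftwareVendor"].lower():   # approximates `has "ivanti"`
            continue
        name = row["SoftwareName"]
        if not (name.startswith(TARGET_NAMES[0]) or TARGET_NAMES[1] in name):
            continue
        if method == "kql":
            digits = kql_first_digits(row["SoftwareVersion"])
            hit = digits is not None and digits < KQL_CUTOFF   # null never matches `<`
        else:
            hit = parse_components(row["SoftwareVersion"]) < FIXED_VERSION
        if hit:
            flagged.append(row["DeviceName"])
    return sorted(set(flagged))
```

With these rows the query-style check flags lt-004 (22.7.10.5) and misses lt-005 (22.7R2.5), while the component-wise check does the opposite; the rest of the results agree.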

Details

Sergio Albea

Released: January 9, 2025

Tables

DeviceTvmSoftwareInventory

Keywords

DeviceTvmSoftwareInventory, SoftwareVendor, SoftwareVersion, SoftwareName, DeviceName

Operators

has, extend, replace_string, toint, substring, startswith, distinct