Ivanti Connect Secure Vulnerability Alert | January 2024

There are critical vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure under active exploitation. Here's what you need to know.

Update (1/31/2024)

Ivanti released two additional vulnerabilities (CVE-2024-21893 & CVE-2024-21888) for Ivanti Connect Secure and Ivanti Policy Secure gateways. This now comprises four vulnerabilities under active exploitation. We have updated this article to include new information including available security patches. Since the vulnerabilities are under active exploitation, affected organizations must take remediation steps immediately.

With the growing concerns about security vulnerabilities associated with VPN solutions, zero trust network access (ZTNA) emerges as a promising alternative. Unlike traditional VPNs, ZTNA offers remote access in a more secure manner by implementing stringent access controls and continuous authentication protocols. This approach minimizes the risk of unauthorized access and data breaches, providing a safer environment for remote workers and sensitive information. At this time, some vendors are offering free 90-day trials of ZTNA, allowing organization to evaluate their effectiveness firsthand. Learn more about Zero Trust Network Access (ZTNA) here

 

Background

On January 10, 2024, Ivanti issued a security advisory for two critical security vulnerabilities (CVE-2023-46805 & CVE-2024-21887). The vulnerabilities affect Ivanti Connect Secure and Ivanti Policy Secure gateways, products commonly used to facilitate secure remote access. Security patches are being released and Ivanti has published guidance to mitigate the risk if your organization isn't able to patch right away. These actions should be taken immediately to prevent unauthorized access.

Impact

The vulnerabilities enable a remote attacker to bypass authentication mechanisms in the web-based login portal, bypass SAML authentication, and escalate privileges to those of an administrator. This leads to the ability to execute remote code or take other malicious action on the appliance. These vulnerabilities impact all supported versions of the products – versions 9.x and 22.x. Threat actors are actively exploiting these security flaws.

Security patches have been released according to a staggered schedule. See here for a detailed schedule of the patch releases. Some security patches are already available including Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3.

Next steps for Ivanti customers:

1. Download and install the latest patch via the Ivanti customer download portal here.
   1. Note: Ivanti is recommending as a best practice that all customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment. Refer to this article for instructions on how to factory reset your appliance.
2. If you are unable to patch, as a temporary workaround, download and import the following file (mitigation.release.20240126.5.xml) from Ivanti’s download portal (requires customer login):
   1. Unzip the XML file.
   2. Import the unzipped XML file into any one node of a Cluster.

Note: this mitigation may impact a number of features in your product. See here for more details on what this will affect. Ivanti did not test this mitigation on unsupported versions. Please ensure you are running a supported version of your product prior to applying this mitigation.

3. Ivanti recommends running the external Integrity Checker Tool (ICT) (ensure you are running the latest version of ICT).

1. 1. See Volexity’s blog post for more information on malicious activity to look for.

          b.   Contact Ivanti Support and our Risk Advisory Team if you find anything suspicious.

 

Additional Resources: 

https://help.corvusinsurance.com/zero-trust-network-access-ztna

https://start.paloaltonetworks.com/get-help-for-Ivanti-VPN-exploit

https://www.netskope.com/replace-ivanti-vpn