After delays, Ivanti has rolled out its first round of patches for two known actively exploited vulnerabilities in its Ivanti Connect Secure VPN and Ivanti Policy Secure appliances. Customers are being urged to immediately apply the patches, as the flaws are being widely exploited by threat actors.
Ivanti on Wednesday said that as part of its investigation into the two known vulnerabilities (CVE-2024-21887 and CVE-2023-46805), which were first disclosed on Jan. 10, it discovered two new flaws in Connect Secure and Policy Secure: a privilege escalation bug in the web component that lets an authenticated user elevate to administrator (CVE-2024-21888), and a server-side request forgery bug in the SAML component that gives threat actors access to “certain restricted resources” without authentication (CVE-2024-21893). While Ivanti said it has so far seen no evidence of exploitation of CVE-2024-21888, it is now “aware of a small number of customers” impacted by exploits of CVE-2024-21893. The patches released on Wednesday fix all four flaws in the versions covered by this first wave.
“CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893 are all remediated with the patch,” said Ivanti in a Wednesday update. “There is also a new mitigation available to address the new vulnerabilities while the rest of the patches are in development to prioritize the best interest of our customers. Customers who have applied the patch do not need to apply the mitigation.”
Widespread Exploitation Involves New Malware
The two initial Ivanti flaws, an authentication bypass (CVE-2023-46805) and a command injection bug (CVE-2024-21887), can be chained together by threat actors to craft malicious requests and execute arbitrary commands on the appliance, all without authentication. Mandiant researchers previously found zero-day exploitation of the flaws in the wild as early as Dec. 3 by a China-nexus espionage threat actor tracked as UNC5221. On Wednesday, however, they said that this activity has broadened as additional threat actors leverage the flaws in attacks that capture credentials or drop webshells to enable further compromise of enterprise networks.
“Mandiant has identified broad exploitation activity following the disclosure of the two vulnerabilities, both by UNC5221 and other uncategorized threat groups," said Matt Lin, Robert Wallace, John Wolfram, Dimiter Andonov and Tyler McLellan with Mandiant. "Mandiant assesses that a significant portion of the post-advisory activity has been performed through automated methods.”
The recently observed exploitation of these flaws has involved not only more actors but also new malware, including a custom webshell called BUSHWALK that is used to bypass the initial mitigation Ivanti provided on Jan. 10. Mandiant said BUSHWALK was seen in “highly targeted, limited” attacks “distinct from the post-advisory mass exploitation activity.”
“The external ICT successfully detected the presence of the new web shell,” said Mandiant researchers. “We have observed the threat actor clean up traces of their activity and restore the system to a clean state after deploying BUSHWALK through the mitigation bypass technique. The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state. In addition, the patches address and fix the mitigation bypass.”
Researchers also found two additional Python webshells, called CHAINLINE and FRAMESTING, which are embedded in Ivanti Connect Secure Python packages and allow arbitrary command execution, as well as new variants of the WARPWIRE credential stealer, which targets and exfiltrates plaintext usernames and passwords. Researchers advised Ivanti customers potentially impacted by this malware to take extra steps to ensure passwords have been reset.
“In addition to resetting the password of any local user configured on the appliance, Mandiant advises that organizations affected by the WARPWIRE credential stealer reset passwords of any users who authenticated to the appliance during the period when the malware was active,” according to researchers.
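As an added worked example (not code from Ivanti or Mandiant), the script below turns that advice into a reset list: every local appliance account is reset unconditionally, and any account that submitted credentials to the appliance during the window in which the credential stealer was active is added to the list. The event format, the realm names, the account names and the activity window are all constructed for this example; real Ivanti Connect Secure user-access logs have their own syntax and would need their own parser. Two design choices are assumptions made here, not guidance from the page: failed logins are counted by default, because a credential harvester on the login page captures the password whether or not authentication later succeeds, and a configurable slack is added to both ends of the window to absorb uncertainty about exactly when the malware was deployed and removed.

```python
"""Build a password-reset list for accounts exposed to a credential stealer
on a VPN appliance. Added example; the log format below is an assumption."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events in an assumed format:
#   <ISO-8601 UTC timestamp> <event type> <username> <authentication realm>
SAMPLE_EVENTS = """\
2024-01-14T08:12:03Z AUTH_SUCCESS alice corp
2024-01-15T21:40:11Z AUTH_SUCCESS bob corp
2024-01-16T02:05:44Z AUTH_FAILURE carol corp
2024-01-17T09:00:00Z AUTH_SUCCESS dave contractors
2024-01-18T23:59:59Z AUTH_SUCCESS erin corp
2024-01-19T00:00:00Z AUTH_SUCCESS frank corp
2024-01-20T10:10:10Z AUTH_SUCCESS alice corp
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+(?P<user>\S+)\s+(?P<realm>\S+)$")


def parse_ts(text):
    """Parse the assumed 'YYYY-MM-DDTHH:MM:SSZ' form into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    """Return a list of (timestamp, event, user, realm) tuples; reject malformed lines
    loudly rather than silently dropping evidence."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable event line: {line!r}")
        events.append((parse_ts(m["ts"]), m["event"], m["user"], m["realm"]))
    return events


def accounts_to_reset(events, window_start, window_end, local_users=(),
                      include_failures=True, slack=timedelta(0)):
    """Return a sorted list of (user, realm) pairs whose passwords must be reset.

    - local_users: accounts configured on the appliance itself; always reset.
    - include_failures: also count AUTH_FAILURE events, since the password is
      submitted (and harvested) before the appliance decides the outcome.
    - slack: widen the activity window on both ends to cover uncertainty.
    """
    start = window_start - slack
    end = window_end + slack
    counted = {"AUTH_SUCCESS"}
    if include_failures:
        counted.add("AUTH_FAILURE")

    to_reset = {(user, "local") for user in local_users}
    for ts, event, user, realm in events:
        # Inclusive on both ends: an event stamped exactly at the boundary counts.
        if event in counted and start <= ts <= end:
            to_reset.add((user, realm))
    return sorted(to_reset)


if __name__ == "__main__":
    # Constructed activity window: the stealer was present from Jan. 15 to Jan. 19.
    active_from = parse_ts("2024-01-15T00:00:00Z")
    active_to = parse_ts("2024-01-19T00:00:00Z")
    for user, realm in accounts_to_reset(parse_events(SAMPLE_EVENTS), active_from,
                                         active_to, local_users=["admin"],
                                         slack=timedelta(hours=12)):
        print(f"reset password: {user} (realm: {realm})")
```

The realm is carried through because a user who authenticated against an external directory has to be reset there, not on the appliance, and the same username can exist in more than one realm. Run with a wider slack if the deployment and cleanup times are only known approximately.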
New Patches and Mitigations
When it initially disclosed the flaws on Jan. 10, Ivanti said that it would release patches for the various supported versions of Ivanti Connect Secure and Policy Secure on a staggered schedule, with the first wave due Jan. 22 and the last version available by Feb. 19, prioritizing the versions with the highest number of installs first and continuing in declining order. That schedule has since slipped, and Ivanti released its first wave of patches on Jan. 31, nine days later than originally planned.
Ivanti customers running versions included in this first wave are encouraged to apply the updates. On the public sector side, CISA has ordered via an emergency directive that federal agencies apply these updates to impacted products within 48 hours of their release. Agencies must also provide CISA with a report detailing a complete inventory of all instances of Ivanti Connect Secure and Policy Secure products on their networks, along with the subsequent actions taken and their results.
Customers whose versions are not part of this first rollout of patches can apply the new mitigation by importing the mitigation.release.20240126.5.xml file from the download portal, said Ivanti in its update. At the same time, CISA in a Wednesday update warned that threat actors have “developed workarounds to current mitigations and detection methods.”
“CISA is aware of instances in which sophisticated threat actors have subverted the external integrity checker tool (ICT), further minimizing traces of their intrusion,” said CISA on Wednesday. “If an organization has been running Ivanti Connect Secure (9.x and 22.x) and Policy Secure gateways over the last several weeks and/or continues to run these products, CISA recommends continuous threat hunting on any systems connected to—or recently connected to—the Ivanti device. Additionally, organizations should monitor authentication, account usage, and identity management services that could be exposed and isolate the system(s) from any enterprise resources as much as possible.”