CISA on Wednesday told federal agencies to temporarily disconnect all instances of Ivanti Connect Secure and Policy Secure appliances from agency networks within 48 hours, as Ivanti continues to grapple with two widely exploited vulnerabilities in these products.
The new guidance comes less than two weeks after CISA issued an emergency directive giving federal agencies a hard deadline to implement mitigations for the two flaws (CVE-2024-21887 and CVE-2023-46805), and ordering federal agencies to apply updates to impacted products within 48 hours of their release.
Since this directive, however, Ivanti announced that its patch rollouts for the vulnerabilities would be delayed (with the first wave of patches being rolled out on Wednesday) and that it had also discovered a third actively exploited vulnerability in the products (CVE-2024-21893). At the same time, issues have come up around the mitigation strategies proposed by Ivanti, with some attackers leveraging malware to bypass mitigations in “highly targeted, limited” attacks, according to Mandiant.
Under CISA's latest update, federal agencies must disconnect the products as soon “as possible and no later than 11:59PM on Friday February 2, 2024.” After this deadline, products must receive a factory reset and then be rebuilt and upgraded.
“This Supplemental Direction remains in effect until CISA determines that all agencies operating affected software have performed all required actions from this Direction or the Direction is terminated through other appropriate action,” according to CISA’s Wednesday guidance.
CISA also told agencies to continue threat hunting efforts on any systems connected to impacted Ivanti devices, to monitor potentially exposed authentication or identity management services, to isolate systems and to continue to audit privileged access accounts.
In order to bring products back into service, federal agencies must first complete a factory reset of their impacted devices, rebuild the devices following instructions provided by Ivanti, and upgrade to versions 9.1R18.3, 22.4R2.2, 22.5R1.1, 9.1R14.4, or 9.1R17.2, for which patches are available, said CISA.
Finally, CISA said “agencies running the affected products must assume domain accounts associated with the affected products have been compromised” and said that by March 1, these agencies should reset “passwords twice for on premise accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments” and “for cloud joined/registered devices, disable devices in the cloud to revoke the device tokens.”
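As an added example (not code from the article, CISA, or Ivanti), the following Python helper triages an inventory of appliance build numbers against the five fixed builds CISA named above. It assumes each listed build is the fix level for its own release branch (major.minor R release), so an appliance on an older point release of a patched branch is flagged as unpatched and one on a branch with no listed fix is flagged separately; the inventory lines are constructed.

```python
import re

# Fixed builds named in CISA's supplemental direction, as quoted in the article.
FIXED_VERSIONS = ["9.1R18.3", "22.4R2.2", "22.5R1.1", "9.1R14.4", "9.1R17.2"]

# Builds are numbered <major>.<minor>R<release>[.<patch>]; a missing patch part
# is treated as patch 0. (Assumption of this example, not an Ivanti spec.)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Return (major, minor, release, patch), or None for a non-build string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


# Branch (major, minor, release) -> first fixed build in that branch.
FIXED_BY_BRANCH = {v[:3]: v for v in map(parse_version, FIXED_VERSIONS)}


def assess(version_text):
    """Classify one appliance build: patched, unpatched, no-fix-listed, unparseable."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"          # inventory value is not a build id
    fixed = FIXED_BY_BRANCH.get(v[:3])
    if fixed is None:
        return "no-fix-listed"        # must move to a listed branch, not a point release
    return "patched" if v >= fixed else "unpatched"


def triage_inventory(lines):
    """Parse 'hostname,build' lines and return [(host, build, status)]."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, build = line.partition(",")
        results.append((host.strip(), build.strip(), assess(build)))
    return results


# Constructed sample inventory; hostnames and builds are illustrative only.
SAMPLE_INVENTORY = ["# host,build", "vpn-east,9.1R18.3", "vpn-west,9.1R18.2",
                    "vpn-lab,22.5R1.1", "vpn-legacy,9.1R16.1", "vpn-unknown,n/a"]

if __name__ == "__main__":
    for host, build, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {build:10} {status}")
```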
CISA has previously issued supplemental guidance for its emergency directives; for instance, it issued one mandating that agencies perform additional forensic triage and server hardening as part of their remediation efforts against the ProxyLogon flaws in 2022. But the nature of Wednesday's supplemental guidance (disconnecting the appliances and performing factory resets) highlights the urgency of the situation as threat actors continue to target vulnerable Ivanti appliances.
There have also been several difficulties in the response process for these flaws. Patches were delayed, giving threat actors a potential leg up in being able to target vulnerable devices, and there were some instances of attackers then modifying the built-in Integrity Checking Tool in order to evade detection, as well as using malware to bypass mitigations. Part of the challenge in responding to exploitation efforts has stemmed from security teams' limited ability to dig in quickly, find indications of malware and verify that they're under attack, said Sean Koessel, co-founder at Volexity, which initially identified and reported the issue.
“Add to that that attackers could be doing something more sophisticated, like a rootkit, and it could be harder to detect,” said Koessel. “That’s where you’re seeing these recommendations of ‘pull these things down right away and go through the complete factory reset,’ so that you know, with as much certainty as you can, that you’re in a known good state. You’re not in a state of compromise, you’ve done everything that can be done to everybody’s knowledge to put that appliance back in a state where it’s no longer vulnerable or compromised.”