The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday gave federal agencies a hard deadline to implement mitigations for two Ivanti vulnerabilities and warned that it is seeing “widespread exploitation” of the flaws.
CISA on Friday ordered federal agencies to download and import “mitigation.release.20240107.1.xml,” via Ivanti’s download portal, into any impacted products “as soon as possible and no later than 11:59 pm EST” on Monday, Jan. 22. CISA also directed agencies to download and run Ivanti’s External Integrity Checker tool, search for and report any Indicators of Compromise (IoCs) on their appliances and remove any compromised products from agency networks.
The emergency directive is “based on widespread exploitation of vulnerabilities by multiple threat actors, the prevalence of the affected products in the federal enterprise, the high potential for a compromise of agency information systems, the impact of a successful compromise, and the complexity of the proposed mitigations,” according to CISA.
The flaws in Ivanti’s Connect Secure and Policy Secure gateways - a command injection bug (CVE-2024-21887) and an authentication bypass flaw (CVE-2023-46805) - were first disclosed in January, but evidence of exploitation was discovered in December.
While patches are not yet available as of Monday, Ivanti has said it will release the fixes in a staggered manner, starting this week (the week of Jan. 22) and ending the week of Feb. 19. As part of CISA’s emergency directive, it ordered federal agencies to apply these updates to impacted products within 48 hours of their release. Agencies must also provide CISA with a report detailing a complete inventory of all instances of Ivanti Connect Secure and Policy Secure products on their networks, and subsequent actions taken and results.
Researchers have said they discovered evidence of APT groups exploiting the flaws to install malware and webshells. On Jan. 15, Volexity researchers said that they had detected more than 1,700 compromised Ivanti devices. The exploitation activity that’s been observed is also quickly evolving, and Ivanti said in a recent update for customers that if exploitation of the flaws has occurred, “we have observed the threat actor target the configuration and running cache of the system, which contains secrets important to the operation of the VPN.”
“If exploitation has occurred, we believe it is likely that the threat actor has taken an export of your running configurations with the private certs loaded on the gateway at time of exploit and left behind a Web shell file enabling backdoor future access,” according to Ivanti. “We believe the purpose of this Web shell is to provide a backdoor to the gateway after the vulnerability is mitigated, for this reason we are recommending customers revoke and replace certificates to prevent further exploitation after mitigation.”
CISA has previously used emergency directives for a number of other high-profile security vulnerabilities, including the Log4j flaw, Microsoft Exchange flaws and a zero-day flaw in the Pulse Connect Secure VPN appliance. These directives light a fire under federal agencies to more quickly respond to various vulnerabilities, but also highlight the urgency of response for these flaws for private sector companies.
“Even as federal agencies take urgent action in response to this Directive, we know that these risks extend to every organization and sector using these products,” said CISA Director Jen Easterly in a statement. “We strongly urge all organizations to adopt the actions outlined in this Directive.”