Ivanti is warning of two actively exploited vulnerabilities in its Connect Secure and Policy Secure gateways. Currently, the company said it is aware of “less than 10 customers impacted by the vulnerabilities.”
Connect Secure and Policy Secure contain a command injection bug (CVE-2024-21887) and an authentication bypass flaw (CVE-2023-46805). If these vulnerabilities are chained together, Ivanti said threat actors can craft malicious requests and execute arbitrary commands on the system, all without authentication. Patches are not yet available and will be released in a staggered manner starting Jan. 22. Ivanti and Volexity researchers, who first detected suspicious activity related to the exploits on the network of one of their customers in mid-December, are urging businesses to apply a mitigation by importing the mitigation.release.20240107.1.xml file via Ivanti's download portal.
“It is critically important that organizations immediately apply the available mitigation from Ivanti and the patch that will follow,” said Matthew Meltzer, Sean Koessel and Steven Adair, with Volexity, in a Wednesday analysis of the exploits. “However, applying mitigations and patches will not resolve past compromise. It is important that organizations running ICS [Ivanti Connect Secure] VPN appliances review their logs, network telemetry, and Integrity Checker Tool results.”
The flaws impact all supported versions of the Ivanti Connect Secure VPN appliance (versions 9.x and 22.x) and the Ivanti Policy Secure network access control product.
In the incident impacting the Volexity customer, which originated as early as Dec. 3, researchers said that they observed the threat actor “modifying legitimate ICS components and making changes to the system to evade the ICS Integrity Checker Tool.” In response, Ivanti is recommending customers run an external integrity checker tool that has “new functionality” that will be incorporated into the existing, internal integrity checker tool (ICT) at some point.
“The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state,” said Ivanti. “The ICT does not scan for malware or other Indicators of Compromise. We recommend as a best practice for customers to always run the ICT in conjunction with continuous monitoring.”
Volexity researchers said that they also observed attackers stealing configuration data, making modifications to various existing files and backdooring the legitimate compcheck.cgi file on the Ivanti Connect Secure VPN.
Ivanti said that it will release patches for various supported versions of Ivanti Connect Secure and Policy Secure on a staggered schedule, with the first wave starting Jan. 22 and the last version available on Feb. 19. This staggered release will focus on the highest number of installs first and then continue in declining order.
“Ivanti always prioritizes the security and quality of each release,” according to Ivanti’s security update. “To effectively achieve this in this instance, it requires a staggered release schedule. Our focus is on getting the patch out to customers as quickly as possible.”
In 2021, Ivanti Connect Secure (formerly called Pulse Connect Secure) was at the center of attacks impacting government agencies in the United States and Europe, as well as several dozen other organizations, which stemmed from several flaws in the VPN appliance (CVE-2019-11510, CVE-2020-8260, CVE-2020-8243 and CVE-2021-22893). Volexity said that enterprise organizations should review their strategies for monitoring activity from devices like Ivanti VPNs so that they can more quickly respond if a compromise occurs.
“As organizations continue to improve and harden their defense, attackers are continually looking for ways to bypass them,” said Volexity researchers. “Internet-accessible systems, especially critical devices like VPN appliances and firewalls, have once again become a favorite target of attackers. These systems often sit on critical parts of the network, cannot run traditional security software, and typically sit at the perfect place for an attacker to operate.”