Connect Secure No More: Ivanti's Zero-Day Vulnerabilities (CVE-2024-21887 and CVE-2023-46805)

Two chainable zero-day vulnerabilities affect Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS): CVE-2023-46805 and CVE-2024-21887. All supported versions of the Ivanti Connect Secure and Policy Secure gateways are currently at risk, and Ivanti has confirmed that customers have experienced active exploitation. ICS was previously known as Pulse Connect Secure.

ICS offers a virtual private network (VPN) gateway, while IPS provides network access control. As both products permit authorized users to access sensitive data, any vulnerability that can be exploited to bypass those controls is a major security risk.

What are CVE-2023-46805 and CVE-2024-21887?

CVE-2023-46805 is an authentication bypass vulnerability that allows an attacker to circumvent authentication checks. CVE-2024-21887 is a command injection vulnerability that permits an attacker to act as an authenticated administrator and achieve remote code execution (RCE) via specially crafted arbitrary commands. By combining these two vulnerabilities, attackers can achieve unauthenticated code execution, leading to data exfiltration (including user credentials and configuration data), configuration changes, file modification, webshell deployment, and more.

Ivanti is currently working with Volexity and Mandiant on the security response, as both organizations have observed active exploitation. In their incident response following cyber attacks, Volexity noted that the attacker used both vulnerabilities to attain full access to the network through lateral movement and credential harvesting. Mandiant has identified five malware families deployed by the threat actor.

Both CVEs are currently undergoing analysis in the National Vulnerability Database (NVD), which does not yet list which Common Weakness Enumerations (CWEs) apply to the vulnerabilities, though HackerOne provided initial Common Vulnerability Scoring System (CVSS) scores for each CVE upon assignment. CVE-2024-21887, the command injection vulnerability, has a CVSS score of 9.1 (critical severity), while CVE-2023-46805 is scored 8.2 (high severity).

The Cybersecurity and Infrastructure Security Agency (CISA) added both vulnerabilities to the Known Exploited Vulnerabilities catalog in early January 2024. Federal agency networks must take action by the end of January.

Who is impacted by Ivanti's zero-day vulnerabilities?

Ivanti stated in both its security advisory and its support article that all supported versions are impacted: every release in the 9.x and 22.x lines includes these vulnerabilities. Ivanti's support article indicates that later versions and the Ivanti ZTA controller will receive patches through late January and mid-February.

Some versions have been deprecated due to end-of-life or end-of-engineering status. Review Ivanti's EOL policy and the Connect Secure release versioning to determine whether your Connect Secure deployment is one that will no longer receive security updates.

This pair of zero-days is not the only risk to Ivanti's products: the company faced another set of critical vulnerabilities chained to exploit Ivanti Endpoint Manager Mobile in late 2023, and Ivanti Connect Secure itself was previously targeted through vulnerabilities in 2019, 2020, and 2021.

How UpGuard can help

UpGuard maintains a vulnerability library that includes thousands of known cybersecurity vulnerabilities. We are currently monitoring the situation for more information as we add the Ivanti Connect Secure zero-day to UpGuard's vulnerability library.

If you or a vendor are using Ivanti Connect Secure or Policy Secure, you should determine whether it has been exploited and prepare for your next steps around mitigation and incident response. You can send a remediation request within UpGuard, which will enable the technology owner to assert the current status of the tool.

Take action to secure ICS and IPS

While there is not yet a full security update to remedy these vulnerabilities, Ivanti has released a mitigation patch that can be retrieved from the download portal (mitigation.release.20240107.1.xml). Per Ivanti's recommendations, ensure that you upgrade to the latest version before applying the mitigation patch. This patch is only a workaround and does not repair systems that have already been compromised.

Assess whether your system has been compromised:

  • Examine network traffic for any unexpected outbound traffic from the VPN.
  • Evaluate unexpected inbound network traffic, including any anomalous scanning or SSH attempts.
  • Review your VPN device logs for any unauthenticated requests. If logs have been wiped or otherwise disabled without authorization, that indicates likely compromise.
  • Investigate any file system inconsistencies identified by the Integrity Checker Tool.
  • Compare any suspicious files against the indicators of compromise observed in Volexity's blog and Mandiant's threat intelligence.
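To make the first three checks concrete, here is an added example (not from the original post and not an Ivanti or UpGuard tool) that runs them over constructed appliance log lines: it flags unauthenticated requests to administrative paths, unexpected outbound connections from the gateway, and long silences that may indicate wiped or disabled logging. The log layout, paths, hosts, and allowlist are assumptions, so adapt the parser to your appliance's real log export.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in an assumed "<ISO time> <kind> k=v ..." layout (not Ivanti's real format).
SAMPLE_LOG = """\
2024-01-11T09:00:01 request src=203.0.113.7 auth=yes path=/welcome.cgi
2024-01-11T09:00:09 request src=198.51.100.23 auth=no path=/admin/config
2024-01-11T09:00:10 outbound dst=updates.example.internal:443
2024-01-11T09:00:12 request src=198.51.100.23 auth=no path=/admin/status
2024-01-11T18:30:00 request src=203.0.113.7 auth=yes path=/welcome.cgi
2024-01-11T18:30:05 outbound dst=198.51.100.99:22
"""

# Assumed baseline: paths that should only be reached with a session, destinations
# the appliance is expected to contact, and the longest silence plausible for a
# busy gateway before a wiped or disabled log is suspected.
ADMIN_PREFIXES = ("/admin/", "/api/")
ALLOWED_DST = {"updates.example.internal:443"}
MAX_GAP = timedelta(hours=6)

LINE_RE = re.compile(r"^(\S+) (request|outbound) (.*)$")

def parse(log_text):
    """Yield (timestamp, kind, {field: value}) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped rather than silently trusted
        ts = datetime.fromisoformat(m.group(1))
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        yield ts, m.group(2), fields

def triage(log_text):
    """Return a list of (category, detail) findings in log order."""
    findings, prev_ts = [], None
    for ts, kind, f in parse(log_text):
        # A gap longer than MAX_GAP between consecutive entries is itself a finding.
        if prev_ts is not None and ts - prev_ts > MAX_GAP:
            findings.append(("log_gap", f"{prev_ts.isoformat()} -> {ts.isoformat()}"))
        prev_ts = ts
        if kind == "request" and f.get("auth") == "no" and f["path"].startswith(ADMIN_PREFIXES):
            findings.append(("unauth_request", f"{f['src']} {f['path']}"))
        elif kind == "outbound" and f["dst"] not in ALLOWED_DST:
            findings.append(("unexpected_outbound", f["dst"]))
    return findings

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:20} {detail}")
```

Any hit should be cross-checked against the indicators in Volexity's and Mandiant's write-ups before concluding that the device is compromised.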

You can also run Ivanti's Integrity Checker Tool (ICT) to assess your tool's file system integrity and identify modified files. However, Ivanti recommends using the external version of the tool as the internal version may be manipulated by attackers. Because this tool will reboot the system, you should conduct forensic analysis for any IOCs prior to running the integrity check.
