CyberWatch

Zero-Day Vulnerability Exploited in Ivanti Software

By Access Point Consulting

Summary

A vulnerability affects Ivanti Connect Secure and Ivanti Policy Secure. It is tracked as CVE-2024-21893 and has a CVSS score of 8.2. According to Ivanti, it is a server-side request forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA. It can allow an attacker to access restricted resources without authentication. Active exploitation is occurring, and Ivanti expects exploitation to increase starting on February 1, 2024.

Impact Assessment

CVE-2024-21893 is a high-risk vulnerability because an attacker can access restricted resources without authentication and there is evidence of active exploitation.

Affected Software

  1. Ivanti Connect Secure (9.x, 22.x)
  2. Ivanti Policy Secure (9.x, 22.x)
  3. Ivanti Neurons for ZTA (prior to 22.6R1.3)

Remediation

A patch is now available for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3. It fixes this zero-day vulnerability.

If a system cannot be patched, the vulnerability can be mitigated by importing the mitigation.release.20240126.5.xml file via the download portal.

Run the external integrity checker tool (ICT).

This article from Ivanti will be updated with more information as the investigation continues. When applying updates for the affected software, follow this guide from Ivanti, which outlines a step-by-step procedure for updating the software.
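To apply the fixed-build list above across a fleet, the following added example (not code from Ivanti or Access Point) triages an inventory of gateway versions against the builds quoted in this section. The product labels, hostnames and inventory are constructed, and it assumes version strings of the form `9.1R18.3` and that a later patch level on the same release train still carries the fix.

```python
import re

# Fixed builds quoted in the Remediation section: release train -> minimum patch level.
ICS_FIXED = {"9.1R14": 4, "9.1R17": 2, "9.1R18": 3, "22.4R2": 2, "22.5R1": 1}
ZTA_FIXED = (22, 6, 1, 3)  # ZTA is affected prior to 22.6R1.3

VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def triage(product, version):
    """Classify one gateway as 'patched', 'upgrade', 'no-listed-fix' or 'unparseable'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"
    major, minor, rel, patch = (int(g or 0) for g in m.groups())
    if product == "zta":
        return "patched" if (major, minor, rel, patch) >= ZTA_FIXED else "upgrade"
    if product == "connect-secure":
        fixed = ICS_FIXED.get(f"{major}.{minor}R{rel}")
        if fixed is None:
            # Train has no fixed build on this page: apply the mitigation XML, check Ivanti.
            return "no-listed-fix"
        # Assumption: a later patch level on the same train still carries the fix.
        return "patched" if patch >= fixed else "upgrade"
    return "no-listed-fix"  # e.g. Policy Secure: no fixed build is listed on this page


# Constructed inventory (hostnames and product labels are made up for the example).
INVENTORY = [
    ("vpn-east", "connect-secure", "9.1R18.3"),
    ("vpn-west", "connect-secure", "22.4R2.1"),
    ("vpn-lab", "connect-secure", "9.1R16.1"),
    ("zta-gw", "zta", "22.5R1.6"),
    ("nac-01", "policy-secure", "22.5R1.1"),
    ("vpn-old", "connect-secure", "9.1 build 1234"),
]


def triage_inventory(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:10} {status}")
```

Hosts reported as `no-listed-fix` are the ones to cover with the mitigation XML and the integrity checker while confirming a fixed build with Ivanti.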

Business Implications

According to Ivanti, exploitation results in a high loss of confidentiality because it allows an attacker to access restricted resources without authentication. This can lead to leakage of confidential information and let an attacker circumvent a VPN’s innate protections.

Access Point Technology Recommends

  1. Update: Updating the affected applications to the latest versions will patch this vulnerability.
  2. Mitigate: Where you cannot patch, import the mitigation.release.20240126.5.xml file via the download portal.
  3. Consider other vendors: Because Ivanti has a history of exploitable vulnerabilities, assess whether your company is able to handle these risks and is in a position to switch. Switching vendors can help mitigate risk for this type of VPN service.

Associated Bulletins

https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation

https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
