Zero-Day Vulnerability Exploited in Ivanti Software

Summary

There is a vulnerability affecting Ivanti Connect Secure and Ivanti Policy Secure. It is categorized as CVE-2024-21893 with a CVSS score of 8.2. According to Ivanti, there is a server-side request forgery vulnerability present in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, as well as Ivanti Neurons for ZTA. This can allow an attacker to obtain access to restricted resources without authentication. Active exploitation is occurring with an increase in exploitation expected by Ivanti starting on February 1, 2024.

Impact Assessment

CVE-2024-21893 is a high-risk vulnerability due to the attacker accessing restricted resources without authentication and evidence of active exploitation.

Affected Software

1. Ivanti Connect Secure (9.x, 22.x)
2. Ivanti Policy Secure (9.x, 22.x)
3. Ivanti Neurons for ZTA (Prior to 22.6R1.3.)

Remediation

There is now a patch available for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3. This will patch this zero-day vulnerability.

If it is not able to be patched, it can be mitigated by importing mitigation.release.20240126.5.xml file via the download portal.

Run the external integrity checker tool (ICT).

This article from Ivanti will be updated with more information as the investigation continues. When applying updates for the affected software, follow this guide from Ivanti. It will outline a step-by-step procedure for updating software.

Business Implications

According to Ivanti, there is a high loss of confidentiality due to exploitation which allows an attacker to access restricted resources without authentication. This can cause leakage of confidential information and the ability to circumvent a VPN’s innate protections.

Access Point Technology Recommends

1. Update: Updating the affected applications to the latest versions will patch this vulnerability.
2. Mitigate: In cases where you cannot conduct a patch, import mitigation.release.20240126.5.xml file via the download portal.
3. Consider other vendors: Due to Ivanti having a history of exploitable vulnerabilities, recognize whether your company is able to handle these risks and is in a position to switch. It is possible to switch vendors to help mitigate risk regarding this type of VPN service.

Associated Bulletins

https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation

https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US

‍