Summary
There is a vulnerability affecting Ivanti Connect Secure and Ivanti Policy Secure. It is categorized as CVE-2024-21893 with a CVSS score of 8.2. According to Ivanti, there is a server-side request forgery vulnerability present in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, as well as Ivanti Neurons for ZTA. This can allow an attacker to obtain access to restricted resources without authentication. Active exploitation is occurring with an increase in exploitation expected by Ivanti starting on February 1, 2024.
Impact Assessment
CVE-2024-21893 is a high-risk vulnerability due to the attacker accessing restricted resources without authentication and evidence of active exploitation.
Affected Software
- Ivanti Connect Secure (9.x, 22.x)
- Ivanti Policy Secure (9.x, 22.x)
- Ivanti Neurons for ZTA (Prior to 22.6R1.3.)
Remediation
There is now a patch available for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3. This will patch this zero-day vulnerability.
If it is not able to be patched, it can be mitigated by importing mitigation.release.20240126.5.xml file via the download portal.
Run the external integrity checker tool (ICT).
This article from Ivanti will be updated with more information as the investigation continues. When applying updates for the affected software, follow this guide from Ivanti. It will outline a step-by-step procedure for updating software.
Business Implications
According to Ivanti, there is a high loss of confidentiality due to exploitation which allows an attacker to access restricted resources without authentication. This can cause leakage of confidential information and the ability to circumvent a VPN’s innate protections.
Access Point Technology Recommends
- Update: Updating the affected applications to the latest versions will patch this vulnerability.
- Mitigate: In cases where you cannot conduct a patch, import mitigation.release.20240126.5.xml file via the download portal.
- Consider other vendors: Due to Ivanti having a history of exploitable vulnerabilities, recognize whether your company is able to handle these risks and is in a position to switch. It is possible to switch vendors to help mitigate risk regarding this type of VPN service.
Associated Bulletins
https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation
https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US