Ivanti
,

Act now! Ivanti vulnerabilities are being actively exploited

Several international security agencies are echoing a warning by Ivanti about actively exploited vulnerabilities in its VPN solution.

Software vendor Ivanti has warned customers about two actively exploited vulnerabilities in all supported versions of Ivanti Connect Secure and Ivanti Policy Secure Gateways. Successful exploitation would give an attacker the ability to run arbitrary code on Ivanti’s Virtual Private Network (VPN) system.

The warning is echoed by several international security agencies like CISA and the German BSI. Both are flagging active exploitation of these two chained vulnerabilities. Ivanti Connect Secure is a widely used VPN solution that allows users to connect to their organization’s network.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs mentioned in these reports are:

CVE-2023-46805 (CVSS score 8.2 out of 10): an authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure, which allows a remote attacker to access restricted resources by bypassing control checks.

CVE-2024-21887 (CVSS score 9.1 out of 10): A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Ivanti Neurons for Secure Access is not vulnerable to these CVEs. However, the gateways being managed are independently vulnerable to them.

After attackers have used the authentication bypass to authenticate as an administrator they are able to install webshells on the VPN system to gain persistence, allowing them to execute commands on the compromised devices.

Active exploitation has been seen as far back as December 3, 2023. These attackers erased log files and turned logging off on the compromised system. Besides that, they had stolen configuration files, altered existing files, dropped remote files, and established a reverse tunnel allowing them unrestricted access.

One of the dropped files contained a JavaScript that stole the credentials of users that logged in, which could also be used for lateral movement.

Mitigation

Patches will be released on a schedule based on versions, with the first coming out in the week of January 22. The last version will come out the week of February 19.

“We are releasing patches based upon telemetry information available to us from current installed solutions that notify us of the version number they are running. We are releasing patches for the highest number of installs first and then continuing in declining order.”

Until then, customers are under advice to apply a workaround and monitor their network traffic for suspicious activity and analyze the logs on their Connect Secure device.

The workaround requires importing a mitigation.release.20240107.1.xml file which can be obtained via the download portal (login required). The XML file is in the zipped format, so you’ll need to unzip and then import the XML file.

  • Navigate to Maintenance > Import/Export > Import XML
  • Use the Browse button to point to the unzipped XML file
  • Click the Import Button

Import of this XML into any one node of a Cluster is enough. A FAQ and more detailed instructions can be found in the Ivanti advisory article.

It is important to note that applying the workaround or a patch, when they are made available, is not enough to undo the effects of an attack. If you see signs that your instances have been compromised you should investigate or hire a specialized investigator to find out what the attackers may have obtained and what needs to be done to regain the required safety level.

CISA has added CVE-2023-46805 and CVE-2024-21887 to its Known Exploited Vulnerabilities Catalog, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by January 21, 2024 to protect FCEB networks against active threats.