Multiple vulnerabilities have impacted Ivanti VPN devices.
We look at the details of the four vulnerabilities in the Ivanti devices. The CISA has set 2 February 2024 as the resolution date. If the issues are not resolved by tomorrow, the CISA wants the Ivanti VPN devices to be disconnected.
Salient points
- CVE-2023-46805 and CVE-2024-21887 were reported on 10 January 2024. The security patch was made available on 31 January 2024 and 1 February 2024.
- Additional vulnerabilities CVE-2024-21888 and CVE-2024-21893 were detected in the Ivanti Connect Secure and Ivanti Policy Secure VPN devices.
- Security update for CVE-2024-21893 was released.
- CVE-2024-21893 is already being exploited and CISA has issued an emergency directive to patch the devices with security update or perform the mitigation steps.
- CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893 can be mitigated by importing mitigation.release.20240126.5.xml file via the download portal on the affected devices.
The attacks have been linked to suspected espionage threat actors, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive regarding these vulnerabilities.
This unprecedented action is on account of the zero-day nature of these vulnerabilities. Zero-day threats are those threats that are publicly disclosed and are being actively exploited by various threat actors.
Affected Ivanti VPN devices
The following VPN devices of Ivanti are affected:
- Ivanti Connect Secure (formerly Pulse Secure) – versions 9.x and 22.x
- Ivanti Policy Secure gateways – versions 9.x and 22.x
- CVE-2024-21893 affects Ivanti Neurons for ZTA in addition to the Ivanti Connect Secure and Ivanti Policy Gateways.
These vulnerabilities impact all supported versions of the products.
Vulnerabilities in Ivanti VPN devices
The two vulnerabilities discussed below were first detected on 10 January 2024. The following vulnerabilities affect the Ivanti Connect Secure devices:
CVE-2023-46805
- An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
- CVSS score is 8.2.
- CISA’s due resolution date – 22 January 2024
CVE-2024-21887
- A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
- CVSS Score is 9.1
- CISA’s due resolution date – 22 January 2024
If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.
Resolution
For the vulnerabilities CVE-2023-46805 and CVE-2024-21887, Ivanti released patches on 31 January 2024 and 1 February 2024.
- A patch addressing all known vulnerabilities is now available for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3 was released on 31 January 2024.
- A patch addressing all known vulnerabilities is now available for Ivanti Connect Secure version 22.5R2.2 and Ivanti Policy Secure 22.5R1.1. It was released on 1 February 2024.
These patches are available on the affected devices through the standard download portal.
Additional vulnerabilities
During an investigation into CVE-2023-46805 and CVE-2024-21887, Ivanti came across a couple of new vulnerabilities on 31 January 2023.
CVE-2024-21888
- A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.
- CVSS score is 8.8
There is no evidence of any customers being impacted by CVE-2024-21888 as of now.
CVE-2024-21893
- A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
- CVSS score is 8.2
- CISA’s due resolution date – 2 February 2024
A small number of customers who have been impacted by CVE-2024-21893 at this time.
Resolution
For CVE-2024-21888 and CVE-2024-21893, Ivanti has released a security patch for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 and 22.5R2.2), Ivanti Policy Secure version 22.5R1.1 and ZTA version 22.6R1.3.
For the other affected versions, Ivanti is expected to release security updates in a staggered approach.
Mitigation
For Ivanti devices that are unpatched or awaiting a software security patch, Ivanti has published a mitigation strategy to mitigate the four vulnerabilities:
- CVE-2023-46825
- CVE-2024-21887
- CVE-2024-21888
- CVE-2024-21893
CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893 can be mitigated by importing mitigation.release.20240126.5.xml file via the download portal.
- XML file is in the zipped format, please unzip and then import the XML file.
- Import of this XML into any one node of a Cluster is enough.
- There is no need to reboot or restart services under the Ivanti Secure Appliance when applying the XML file, but please note that the external ICT will reboot the system.
- Limitations:
- Ivanti did not test the mitigation on unsupported versions. Upgrade to a supported version before applying the mitigation.
- The workaround is not recommended for a license server. We recommend minimizing who can connect to a license server. For example, place a license server on a management VLAN, or have a firewall enforce source-IP restrictions.
Important links about Ivanti vulnerabilities
Other cyber security stories
Rajesh Dhawan is a technology professional who loves to write about Cyber-security events and stories, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.