Alongside its announcement of fixes for the recent critical zero-day vulnerabilities, Ivanti has disclosed two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is reported to be under targeted exploitation in the wild. Learn more about these vulnerabilities in this Cybersecurity Threat Advisory and follow the recommendations provided to protect your organization.
What is the threat?
CVE-2024-21888 is a high-severity vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) that allows a user to elevate privileges to administrator level. No exploitation of this vulnerability has been observed.
CVE-2024-21893 is a server-side request forgery (SSRF) vulnerability in the gateways’ SAML component. It allows threat actors to bypass authentication and access restricted resources on vulnerable devices. This high-severity vulnerability is actively being exploited in the wild; Ivanti has disclosed that it is aware of a limited number of customers impacted by exploitation of this vulnerability.
Why is it noteworthy?
These back-to-back zero-day vulnerabilities give threat actors a way to gain persistence in a customer’s environment. Advanced threat actors are able to tamper with the external integrity checker tool (ICT), further minimizing traces of the intrusion. When exploited, these vulnerabilities may lead to ransomware attacks, loss of vast amounts of data, or even advanced persistent threats against the operating systems.
What is the exposure or risk?
The risk of these vulnerabilities is extensive, as multiple threat actors have been actively targeting and exploiting affected devices to plant web shells and/or steal credentials that enable further compromise of enterprise networks. The Cybersecurity and Infrastructure Security Agency (CISA) states that threat actors have identified workarounds to the original mitigations supplied by Ivanti in its first advisory, allowing them to move laterally and escalate privileges without detection. Additionally, CISA has determined that these conditions pose a risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of these zero-day vulnerabilities:
- Ivanti has released fixes for Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1, and ZTA version 22.6R1.3. It is highly recommended to upgrade to the latest version of Ivanti Connect Secure or Ivanti Policy Secure; this ensures you have the latest security and stability fixes. As a best practice, customers should factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment. As a temporary workaround for CVE-2024-21888 and CVE-2024-21893, users are recommended to import the “mitigation.release.20240126.5.xml” file. (Please note: if a customer has applied the patch, they do not need to apply the mitigation. If the mitigation is applied before the patch, it can be removed once the patch has been applied. The mitigation removal XML is also found in the standard download portal.)
- It is recommended not to push configurations to appliances while the mitigation XML is in place. Do not resume pushing configurations until the appliance is patched.
- Since there is evidence that threat actors are attempting to manipulate the ICT, it is recommended to run the external ICT.
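To turn the fixed-version list above into a repeatable inventory check, the following script (an added example, not Barracuda’s or Ivanti’s code) parses Ivanti-style version strings such as 9.1R18.3 and classifies each appliance against the fixed builds named in this advisory. It assumes the same fixed builds apply to Connect Secure and Policy Secure, and the product labels and sample hostnames are constructed for illustration.

```python
import re
from typing import Dict, Tuple

# Fixed builds as listed in this advisory. Within a branch (major.minor R release)
# only the trailing patch number varies, so a build is "patched" when its branch
# is listed here and its patch number is at or above the fixed one.
FIXED_BUILDS: Dict[str, Tuple[str, ...]] = {
    # Assumption: the same fixed builds apply to Connect Secure and Policy Secure.
    "connect-secure": ("9.1R14.4", "9.1R17.2", "9.1R18.3", "22.4R2.2", "22.5R1.1"),
    "zta": ("22.6R1.3",),
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '9.1R18.3' into (9, 1, 18, 3); a missing patch number counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def patch_status(product: str, version: str) -> str:
    """Classify one appliance build against the fixed builds for its product."""
    try:
        major, minor, release, patch = parse_version(version)
    except ValueError:
        return "unrecognised version"
    for fixed in FIXED_BUILDS.get(product, ()):
        f_major, f_minor, f_release, f_patch = parse_version(fixed)
        if (major, minor, release) == (f_major, f_minor, f_release):
            return "patched" if patch >= f_patch else "below fixed build"
    # A branch with no fixed build listed (e.g. 9.1R15.x) still needs an upgrade.
    return "no fixed build listed for branch"


def triage(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Map hostname -> status for an inventory of (product, version) pairs."""
    return {host: patch_status(prod, ver) for host, (prod, ver) in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "vpn-a": ("connect-secure", "22.5R1.1"),
        "vpn-b": ("connect-secure", "22.4R2.1"),
        "vpn-c": ("connect-secure", "9.1R15.2"),
        "zta-1": ("zta", "22.6R1.3"),
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Anything other than "patched" should be scheduled for the factory reset and upgrade described above, and the mitigation XML only bridges the gap until then.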
References
For more in-depth information about these vulnerabilities and the recommendations, please visit the following links:
- https://thehackernews.com/2024/01/alert-ivanti-discloses-2-new-zero-day.html
- https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
- https://www.cisa.gov/news-events/alerts/2024/01/30/updated-new-software-updates-and-mitigations-defend-against-exploitation-ivanti-connect-secure-and
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.