Two vulnerabilities have been identified in Ivanti Connect Secure and Ivanti Policy Secure Gateways, CVE-2023-46805 and CVE-2024-21887, which when exploited together allow for unauthenticated remote code execution. These CVEs affect all supported versions of the products. Continue reading this Cybersecurity Threat Advisory to learn more about the impact of these vulnerabilities and recommendations to prevent potential exploitation.
What is the threat?
CVE-2023-46805 is an authentication bypass vulnerability which allows unauthorized users to gain access without proper credentials. This poses a significant risk as it compromises the integrity and confidentiality of sensitive data. Attackers can take advantage of weaknesses in the authentication process to bypass the security measures put in place.
CVE-2024-21887 is a command injection vulnerability that allows attackers to execute arbitrary commands on the affected system. This can lead to complete control over the gateway, enabling attackers to manipulate or extract sensitive information from connected networks.
Why is it noteworthy?
When CVE-2024-21887 is chained with CVE-2023-46805, the authentication requirement is effectively evaded. By combining these two vulnerabilities, bad actors can gain control of an environment and carry out a series of severe actions, including unauthorized access to sensitive information or systems, covert alteration of existing files on the system, covert download of remote files, and the establishment of unnoticed reverse sessions originating from the Ivanti Connect Secure (ICS) VPN appliance, potentially leading to complete compromise, data breaches, or disruption of services.
What is the exposure or risk?
The CVEs provide threat actors with an open door to design malicious requests and run commands on vulnerable systems, dramatically increasing the risk and possible impact of these vulnerabilities. Depending on the deployment scale of Ivanti Connect Secure and Ivanti Policy Secure Gateways, the impact of these vulnerabilities could extend across various systems and interconnected services, amplifying the overall risk.
The combination of these vulnerabilities increases the overall risk of malicious activities. Attackers can exploit them to carry out further attacks, such as privilege escalation or lateral movement within the network. Command injection vulnerabilities may be exploited to disrupt services or cause system instability. This poses a risk of downtime, affecting business operations and services relying on Ivanti Connect Secure and Ivanti Policy Secure Gateways.
Given these factors, the noteworthiness of these vulnerabilities underscores the urgency for organizations to apply the provided security patches and take necessary measures to secure their Ivanti Connect Secure and Ivanti Policy Secure Gateways against potential exploitation.
What are the recommendations?
Barracuda MSP recommends the following to address and mitigate the risks associated with CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways:
- Apply the recommended mitigation solution: Ivanti has not evaluated the mitigation measures on outdated versions of the software. Before applying the mitigation, upgrade to a supported version. Ivanti is providing the mitigation while the patch is being developed.
- Regularly Monitor for Suspicious Activities: Implement continuous monitoring practices to detect any unusual or unauthorized activities on the network. Barracuda XDR recommends utilizing security information and event management (SIEM) solutions to identify potential security incidents.
- Follow Vendor Guidance: Adhere to any additional security recommendations or guidance provided by Ivanti. Stay informed about future security updates and patches to address emerging threats.
- Implement Network Segmentation: Employ network segmentation to isolate critical systems and sensitive data. This helps contain and prevent the lateral movement of attackers within the network.
By following these recommendations, organizations can enhance the security posture of Ivanti Connect Secure and Ivanti Policy Secure Gateways, reducing the likelihood and impact of potential security incidents.
For more in-depth information about the recommendations, please visit the following links:
- KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.