
WARNING: IVANTI RELEASES SECURITY UPDATE TO ADDRESS VULNERABILITIES IN IVANTI CONNECT SECURE, IVANTI POLICY SECURE GATEWAYS!

Reference: Advisory #2024-17
Version: 3.0
Affected software:
Ivanti Connect Secure
Ivanti Policy Secure
Ivanti Neurons for Zero Trust Access (ZTA)
Type: Authentication bypass (CVE-2023-46805), command injection (CVE-2024-21887), privilege escalation (CVE-2024-21888) & server-side request forgery (CVE-2024-21893)
CVE/CVSS:
CVE-2023-46805: CVSS 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
CVE-2024-21887: CVSS 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-21888: CVSS 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-21893: CVSS 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
CVE-2024-22024: CVSS 8.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)

Sources

https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
https://www.cisa.gov/news-events/news/cisa-us-and-international-partners-warn-ongoing-exploitation-multiple-ivanti-vulnerabilities

Risks

Ivanti has released a security update to address two actively exploited vulnerabilities, an authentication bypass vulnerability (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887) in Ivanti Connect Secure and Ivanti Policy Secure Gateways.

As part of the ongoing investigation, two additional vulnerabilities (CVE-2024-21888 and CVE-2024-21893) were identified in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA and were addressed in the same patch.

Initially, the exploitation of CVE-2024-21893 appeared to be targeted.

CVE-2024-22024: XML eXternal Entity injection (XXE)
An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways may allow an unauthenticated attacker to access certain restricted resources.

All mentioned vulnerabilities pose a significant threat to the Confidentiality, Integrity, and Availability (CIA) triad of information security.

UPDATE 01/03/2024: In a Joint Cybersecurity Advisory, CISA and other partners warn about the active exploitation of CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893 in a chain of exploits to bypass authentication, craft malicious requests and execute arbitrary commands with elevated privileges.

Description

These vulnerabilities affect all supported versions (9.x and 22.x) of Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and of Ivanti Policy Secure gateways.
 
CVE-2024-21888 is a privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x). Exploitation of the vulnerability allows a user to elevate privileges to those of an administrator, and thus to severely impact the CIA triad of information security.
 
CVE-2024-21893 is a server-side request forgery vulnerability in the Security Assertion Markup Language (SAML) component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA. If exploited, the vulnerability would allow an attacker to access certain restricted resources without authentication, mainly affecting the confidentiality of information security.
 
These are additional vulnerabilities discovered in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Ivanti has released a patch for Ivanti Connect Secure and ZTA. Customers can access the patch via the standard download portal, login required.

As a best practice, it is recommended that customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment.

The remaining patches for supported versions will still be released on a staggered schedule.

Mitigate

CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893, and CVE-2024-22024 can be mitigated by importing the mitigation file via the download portal.

Please note: If a customer has applied the patch, they do not need to apply the mitigation. If mitigation is applied before the patch, it can be removed once the patch has been applied.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
