
WARNING: 2 ACTIVELY EXPLOITED ZERO-DAY VULNERABILITIES AFFECTING IVANTI CONNECT SECURE AND IVANTI POLICY SECURE – ACT NOW

Reference: Advisory #2024-03
Version: 1.0
Affected software: Ivanti Connect Secure, Ivanti Policy Secure
Type: Authentication Bypass (CVE-2023-46805) & Command Injection (CVE-2024-21887)
CVE/CVSS: 

CVE-2023-46805: CVSS 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
CVE-2024-21887: CVSS 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Sources

https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways
https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21887

Risks

Ivanti has disclosed the active exploitation of two zero-day vulnerabilities in its Connect Secure and Policy Secure products. Exploited together, these vulnerabilities allow unauthenticated remote threat actors to inject arbitrary code. This poses a significant threat to the Confidentiality, Integrity, and Availability (CIA) triad of information security.

As of now, the vendor has not released a patch for the vulnerabilities. The initial patches are expected to be released during the week of January 22, 2024. 

Ivanti indicates CVE-2023-46805 and CVE-2024-21887 can be mitigated by importing mitigation.release.20240107.1.xml file via the download portal. Please note this mitigation impacts or degrades several features. 

Description

Ivanti Connect Secure, formerly known as Pulse Connect Secure (or simply Pulse Secure), is an SSL VPN solution. Ivanti Policy Secure is a network access control (NAC) solution.

CVE-2023-46805 & CVE-2024-21887 affect all supported versions, and it is probable that End-of-Life (EOL) versions are also susceptible.

CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure which allows a remote attacker to access restricted resources by bypassing control checks.

CVE-2024-21887 is a command injection vulnerability in web components of Ivanti Connect Secure and Ivanti Policy Secure which allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. CVE-2024-21887 can be exploited over the internet.

Combining both vulnerabilities results in an exploit chain which allows an unauthenticated remote attacker to inject arbitrary commands on these appliances.

Ivanti indicates this exploit chain is being exploited in the wild, and public reports confirm this. Follow-up activity includes further lateral movement to the internal network, credential harvesting, …

Recommended actions

The Centre for Cybersecurity Belgium strongly recommends that users and system administrators take the following actions to mitigate the impact of these vulnerabilities in the most efficient way.

Patch

At the time of publication, the vendor did not yet provide a patch. First patches will be made available in the week of 22 January 2024. The Ivanti KB article will be updated once more information is available. In general: keep an eye out for future security bulletins and patch after thorough testing.

Mitigate

Ivanti indicates CVE-2023-46805 and CVE-2024-21887 can be mitigated by importing mitigation.release.20240107.1.xml file via the download portal. Please note this mitigation impacts or degrades several features. Please refer to the KB article referenced above for more information.

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities in order to detect any related suspicious activity and to ensure a fast response in case of an intrusion. Please verify outbound connections from these devices. Public reports indicate traffic to the internet (outbound tunnels) and lateral movement (internal network/DMZ/management network/...).

In some documented cases the threat actor wiped the device logs and disabled logging. Please ensure that logging, both local and remote, is still enabled.

Ivanti has seen evidence of threat actors attempting to manipulate Ivanti’s internal integrity checker (ICT). Out of an abundance of caution, Ivanti recommends that all customers run the external ICT. Ivanti regularly provides updates to the external and internal ICT, so ensure you are running the latest version of each.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise. When applying patches to systems that have been vulnerable to an authentication bypass, a proactive threat assessment should be performed to verify the device was not accessed from an unknown IP and/or location. First known exploitation at the time of publication dates from 2023-12-03.
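The three checks above (outbound connections from the appliance, a remote log feed that goes silent, and administrative access from an unknown address since the first known exploitation date) can be run as a simple triage over firewall flow records and the appliance's remote syslog feed. The following script is an added example and is not part of the CCB advisory or of Ivanti's tooling; the appliance address, the egress allowlist, the known admin networks and every sample record in it are constructed for the example, and only the 2023-12-03 date comes from the advisory.

```python
"""Added triage example for the Monitor/Detect guidance (not from the advisory).

Runs three defensive checks over constructed sample data:
  1. flows originating from the appliance to destinations outside an allowlist,
  2. gaps in the remote log feed (a sign that logging was disabled or wiped),
  3. admin logins since the first known exploitation date from unknown networks.
"""
from datetime import datetime, timedelta
import ipaddress

# Assumptions for this example: none of these values come from the advisory.
APPLIANCE_IP = "192.0.2.10"
EXPECTED_EGRESS = {("192.0.2.53", 53), ("198.51.100.20", 443)}   # DNS, update server
KNOWN_ADMIN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
FIRST_KNOWN_EXPLOITATION = datetime(2023, 12, 3)   # the only value taken from the advisory

# Constructed perimeter-firewall flow records: (timestamp, src, dst, dst_port).
FLOW_RECORDS = [
    ("2024-01-10T08:00:01", "192.0.2.10", "192.0.2.53", 53),
    ("2024-01-10T08:00:05", "192.0.2.10", "198.51.100.20", 443),
    ("2024-01-10T08:02:17", "192.0.2.10", "203.0.113.77", 443),   # unexpected egress
    ("2024-01-10T08:03:00", "192.0.2.44", "203.0.113.77", 443),   # not the appliance
]

# Constructed remote-syslog events from the appliance: (timestamp, event, source_ip).
# The feed is silent for almost ten hours between the third and fourth entry.
SYSLOG_EVENTS = [
    ("2024-01-09T22:10:00", "admin_login", "192.0.2.15"),
    ("2024-01-09T22:11:30", "admin_login", "203.0.113.99"),    # admin login from unknown network
    ("2024-01-09T22:12:00", "config_change", "203.0.113.99"),
    ("2024-01-10T07:59:00", "admin_login", "192.0.2.15"),
]


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(value)


def unexpected_outbound(records, appliance_ip=APPLIANCE_IP, allowlist=EXPECTED_EGRESS):
    """Flows that originate from the appliance and go to a (dst, port) not on the allowlist."""
    return [r for r in records if r[1] == appliance_ip and (r[2], r[3]) not in allowlist]


def logging_gaps(events, max_gap=timedelta(hours=1)):
    """(start, end) pairs where the log feed was silent for longer than max_gap.

    A long silence on an appliance that normally logs continuously should be
    treated as a possible sign that logging was disabled or logs were wiped.
    """
    stamps = sorted(parse_ts(e[0]) for e in events)
    return [(earlier, later) for earlier, later in zip(stamps, stamps[1:])
            if later - earlier > max_gap]


def admin_access_from_unknown(events, known_networks=KNOWN_ADMIN_NETWORKS,
                              since=FIRST_KNOWN_EXPLOITATION):
    """Admin logins at or after `since` whose source address is outside the known admin networks."""
    hits = []
    for ts, event, src in events:
        if event != "admin_login" or parse_ts(ts) < since:
            continue
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in known_networks):
            hits.append((ts, src))
    return hits


if __name__ == "__main__":
    for rec in unexpected_outbound(FLOW_RECORDS):
        print("unexpected outbound flow from appliance:", rec)
    for start, end in logging_gaps(SYSLOG_EVENTS):
        print("log feed silent from", start, "to", end)
    for ts, src in admin_access_from_unknown(SYSLOG_EVENTS):
        print("admin login from unknown network:", ts, src)
```

In practice the constructed lists would be replaced by exports from the firewall and the central syslog collector, and the allowlist by the egress the appliance legitimately needs. The gap check is deliberately run on the remote copy of the logs, since the advisory notes that local logs were wiped in some documented cases.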

Please consult the additional references for more indicators of compromise (IoCs).

In case of (a suspected) compromise, please consider enforcing a password change since, in some cases, the threat actor performed credential harvesting on the VPN SSL appliances. In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

References

https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/