Ivanti's Zero-Day Vulnerabilities (CVE-2024-21887 and CVE-2023-46805)
Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS), formerly known as Pulse Connect Secure, are virtual private network (VPN) tools that businesses rely on to enable secure remote access. However, two newly disclosed zero-day vulnerabilities now pose a dangerous threat that could completely compromise these critical gateways.
The vulnerabilities, tracked as CVE-2024-21887 and CVE-2023-46805, can be chained together to allow unauthenticated remote code execution. This means attackers can remotely take over VPN devices, view sensitive data, deploy malware, and pivot deeper into corporate networks without any need to bypass authentication mechanisms.
Ivanti has confirmed that both vulnerabilities affect all supported versions of Connect Secure and Policy Secure. With hundreds of companies using these products, the potential scale of damage is enormous. Mandiant and Volexity have already observed active exploitation in client environments. As patches roll out over the next month, businesses must take action now to detect and respond to potential compromise of these mission-critical tools.
Understanding the Vulnerabilities: Code Execution and Authentication Bypass
CVE-2024-21887 stems from a command injection vulnerability in the administrative web interface for Connect Secure and Policy Secure. This interface is used by authorized administrators to manage the configuration and apply updates.
By inputting malicious code into parameters that get passed to the underlying operating system, an attacker can inject arbitrary commands. With carefully crafted input, the attacker can leverage OS capabilities to achieve remote code execution.
This provides an initial foothold, but the attacker still needs to bypass authentication to access the administrative console. That's where CVE-2023-46805 comes in. This vulnerability permits an unauthenticated attacker to make requests that should require authentication.
Chaining these two together allows a remote attacker to automatically execute commands as an admin without needing any credentials. The attacker has full control over the gateway at that point.
Active Exploitation in the Wild
Ivanti coordinated disclosure with Mandiant and Volexity, both of whom have observed these vulnerabilities being exploited in client environments.
Volexity encountered threat actors using both CVEs to compromise multiple VPN servers, then pivot laterally to harvest credentials, establish persistent access, and exfiltrate data.
Mandiant has identified five different families of malware deployed via these vulnerabilities, highlighting that multiple sophisticated attackers are leveraging these zero days. The active targeting of Connect Secure and Policy Secure devices also indicates that threat actors likely identified the vulnerabilities independently before public disclosure.
Wide Reach Across Industries
Ivanti Connect Secure and Policy Secure are used by organizations across all sectors to enable secure remote work capabilities. The install base encompasses government agencies, critical infrastructure, Fortune 500 companies, healthcare networks, and more.
Ivanti itself cites over 29,000 customers, with millions of endpoints protected by its suite of products. While not all customers use Connect Secure or Policy Secure, they still represent two of Ivanti’s flagship offerings.
Previous research indicates Connect Secure specifically has significant market share as a VPN solution. These products power remote access and BYOD for a considerable portion of enterprise networks.
History of Critical Vulnerabilities in Ivanti
While alarming, this latest incident is not unprecedented for Ivanti. The company has dealt with other high severity vulnerabilities being exploited in the wild:
- In 2019, critical vulnerabilities in Connect Secure RCE led to active attacks and emergency patching.
- In 2020, a critical vulnerability (CVE-2020-8193) enabled unauthenticated file reads, again requiring emergency patching.
- In 2021, Ivanti patched a critical vulnerability (CVE-2021-22893) that allowed credential theft and RCE.
Clearly, Ivanti Connect Secure and Policy Secure have been on the radar of researchers and attackers alike. These latest zero days add to an unfortunate history of critical security gaps being discovered and maliciously exploited.
Patching and Mitigation
Ivanti has released patches for some product versions and a mitigation for currently unpatched versions:
- For Supported Versions: patches are being rolled out on Ivanti’s patch schedule between January and February 2024.
- For Unsupported Versions: a mitigation patch is available, though it does not fix compromised systems.
The mitigation disables access to the vulnerable administrative console to reduce attack surface. However, it does not resolve the underlying vulnerability, nor does it address instances where a device is already compromised.
Ivanti recommends upgrading to a supported version first before implementing the mitigation. The patch and mitigation do not contain any vulnerability details or remediation information.
For compromised systems, Ivanti has published an integrity checker tool. This can help identify modified files or assets that require investigation. Given the nature of the vulnerabilities though, internal integrity tools may also be compromised. External scanning of network traffic and behavior is advised.
Assessing Compromise and Next Steps
For any organization running Ivanti Connect Secure or Policy Secure, immediate action is required to determine if exploitation has already occurred:
- Inspect VPN traffic and logs for anomalies that could indicate compromise
- Examine inbound and outbound network flows for unexpected scanning activity or connections
- Check for unauthorized modifications to the gateway filesystem and configuration
- Compare files and binaries against Mandiant’s indicators of compromise
- Consider isolating VPN devices to contain impact if exploitation is detected
If compromise is uncovered, perform a full investigation and initiate incident response procedures. Compromised credentials must be reset, additional persistence mechanisms have to be hunted down, and unauthorized changes remediated. Forensics should examine what data the attacker accessed, additional footholds established, and whether further lateral movement occurred.
For uncompromised devices, apply patches once available and implement compensating controls. Limit VPN usage to essential personnel and require additional multi-factor authentication. Reconsider remote access architectures and ensure robust logging and monitoring.
ResilientX Cyber Exposure Management
ResilientX Security customers can leverage the Cyber Exposure Management platform to rapidly identify any externally facing Ivanti Connect Secure and Policy Secure instances across their environment. The exposure management capabilities will detect all Internet accessible VPN gateways and highlight the presence of CVE-2024-21887 and CVE-2023-46805. This real-time visibility enables immediate patching and mitigation of vulnerable systems before they can be maliciously exploited. The software inventory and vulnerability management features will further identify unsupported versions susceptible to compromise so that additional defenses can be implemented proactively.
By using Cyber Exposure Management, enabling Attack Surface Management (Passive Scanning), customers can take swift action to evaluate and strengthen security controls for Ivanti VPN products against these severe zero-day vulnerabilities.
Conclusion
The race is now on as businesses hurry to determine their exposure before attackers take advantage. With exploitation in the wild, companies must scrutinize their Connect Secure and Policy Secure gateways. Rapid detection and response is essential to mitigate the potential damage from these severe vulnerabilities being leveraged by sophisticated adversaries.
Though patching will help, challenges will persist. Legacy systems may remain unpatched indefinitely, technical debt continues to accrue, and new vulnerabilities are inevitable. Organizations must apply lessons learned to identify and address risks introduced by critical business tools. Proactive assessment, monitoring, and upgrading of security posture is essential in the ongoing battle to close crucial gaps before they can be exploited at scale.