Attackers Use Multiple Ivanti Connect Secure and Policy Secure Gateway Bugs

In a significant cybersecurity development, threat actors have exploited multiple vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways, prompting urgent responses from cybersecurity agencies and Ivanti itself.

The vulnerabilities, identified as CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893, impact all supported versions of these products, raising concerns over the security of networks utilizing these gateways[2].

Ivanti has identified multiple vulnerabilities in its Connect Secure and Policy Secure gateways, underscoring its commitment to delivering and maintaining secure products. The company is dedicated to upholding high security standards and actively collaborates with the security community to address vulnerabilities responsibly.

Discovery and Disclosure: Identifying the Threats

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings and directives in response to these vulnerabilities, highlighting the severity of the threat they pose. CISA has cautioned against continuing to use compromised Ivanti VPN gateways even after a factory reset, noting that attackers who exploit the vulnerabilities for authentication bypass, command injection, and more can maintain persistence and evade detection by both the internal and external versions of Ivanti’s Integrity Checker Tool (ICT) on Ivanti Connect Secure[4].

New vulnerabilities were discovered in Ivanti Connect Secure and Policy Secure gateways, reported as CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893. These vulnerabilities affect all supported versions of the products, prompting Ivanti to take immediate action to mitigate the risks.

Immediate Actions: Mitigation and Patching

Ivanti released patches and mitigation measures to address the identified vulnerabilities. A patch addressing all known vulnerabilities is now available for specific versions of Ivanti Connect Secure and Policy Secure. Customers are urged to apply these patches promptly to protect their systems[3].

Ivanti, a leading software company, has acknowledged the discovery of these vulnerabilities in its Connect Secure and Policy Secure gateways, formerly known as Pulse Secure. In response, Ivanti has released patches and mitigations to address these vulnerabilities, emphasizing its commitment to maintaining high security standards for its products. The company has worked closely with the cybersecurity community, including Volexity and Mandiant, to identify and address these issues promptly[2].

Collaboration and Acknowledgment: Partnering with Security Researchers

Ivanti extends its gratitude to Volexity and Mandiant for their assistance in identifying and reporting the vulnerabilities. This collaboration highlights the importance of the security community’s role in enhancing cybersecurity[3].

The vulnerabilities have seen broad exploitation activity, with a China-linked threat group tracked as UNC5221 and other uncategorized threat groups actively exploiting them. Researchers at Google Cloud-owned Mandiant have reported that the attacks by UNC5221 date back to early December, highlighting the global and varied nature of the targets, which include small businesses and some of the world’s largest organizations[7][8].

Ongoing Efforts: Continuous Improvement and Vigilance

Ivanti remains committed to continuously reviewing and improving its products’ security. The company has initiated an aggressive code review process and is focused on addressing any potential vulnerabilities as part of its product incident response process[7].

CISA’s advisory notes that nation-state actors have exploited some of these vulnerabilities as zero-days, with previous incidents involving suspected Chinese threat groups breaching defense and financial organizations across the United States and Europe using another Connect Secure zero-day tracked as CVE-2021-22893[4].

Customer Guidance: Steps to Take

Customers are advised to apply the available patches and follow the detailed instructions provided in Ivanti’s Security Advisory. Ivanti’s Support team is available to assist customers and partners with any questions or concerns[3][7].

In light of the substantial threat posed by these vulnerabilities, CISA ordered all U.S. federal agencies to disconnect Ivanti Connect Secure and Ivanti Policy Secure instances from their networks by a specified deadline. This directive underscores the seriousness of the threat and serves as a warning to private-sector organizations about the ongoing risk[7].

Future Preparedness: Strengthening Security Posture

Ivanti is dedicated to investing in the security of its solutions, ensuring they meet the company’s high standards. The company emphasizes the importance of responsible vulnerability disclosure and is committed to learning from these incidents to prevent future vulnerabilities[7].

Ivanti has released patches addressing these vulnerabilities and has disclosed additional zero-day flaws affecting the devices. The company has urged customers to apply the patches and mitigations available to protect their networks. Ivanti’s response includes detailed instructions on patch availability and how to mitigate the vulnerabilities, with support teams ready to assist customers and partners[2].

A Partnership for a Secure Future

Ivanti appreciates the patience and support of its customers during this time. The company is actively engaged in resolving the situation and is committed to transparency and clear communication with its customers. Ivanti’s efforts to address these vulnerabilities demonstrate its dedication to security and its commitment to its customers’ safety[7].

The exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways represents a significant cybersecurity threat. The collaborative efforts of Ivanti, cybersecurity agencies like CISA, and the broader security community are crucial in addressing these vulnerabilities and safeguarding networks against potential breaches.

Organizations using these products are urged to apply the available patches and follow the guidance provided by Ivanti and CISA to mitigate the risks associated with these vulnerabilities.