This advisory is for organizations that use Ivanti Connect Secure as a VPN solution or Ivanti Policy Secure as a network access control solution. If your organization does not use Ivanti products, this notification may be discarded.
Summary
Ivanti has released Security Advisories and made mitigation strategies available to address an authentication bypass and command injection vulnerabilities on targeted gateways. These attacks may be chained to allow an unauthenticated remote user to obtain administrative access and run arbitrary commands on affected platforms.
These vulnerabilities are being actively exploited.
CVE-2023-46805 – Authentication bypass vulnerability
CVSSv3: 8.2
This is an authentication bypass vulnerability that can circumvent MFA controls in the web component of Ivanti Connect Secure and Ivanti Policy Secure which would allow an attacker to bypass control checks and obtain authenticated access.
CVE-2024-21887 – Command injection vulnerability
CSVVv3: 9.1
Would allow an attacker to send privileged requests and execute arbitrary commands on Ivanti Connect Secure and Ivanti Policy Secure.
Affected Platforms
Ivanti Connect Secure v. 9.x, 22.x
Ivanti Policy Secure
Mitigations
Though a patch has not yet been released, Ivanti has provided mitigation strategies. Ivanti warns that these mitigations will result in product service degradation.
“We have seen evidence of threat actors attempting to manipulate Ivanti’s internal integrity checker (ICT). Out of an abundance of caution, we are recommending that all customers run the external ICT. We have added new functionality to the external ICT that will be incorporated into the internal ICT in the future. We regularly provide updates to the external and internal ICT, so customers should always ensure they are running the latest version of each.”
https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
Additional Resources
https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
https://www.cisa.gov/news-events/alerts/2024/01/10/ivanti-releases-security-update-connect-secure-and-policy-secure-gateways
https://www.bleepingcomputer.com/news/security/ivanti-warns-of-connect-secure-zero-days-exploited-in-attacks/
