Critical Vulnerabilities in Ivanti Exploited in-the-Wild: everything you need to know

Detect and mitigate CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893, critical vulnerabilities in Ivanti VPN products. Organizations should patch urgently, and government agencies are instructed to isolate Ivanti VPN instances.


February 9, 2024 update
On February 8, 2024, Ivanti released an advisory for a new high-severity authentication bypass vulnerability, CVE-2024-22024, impacting Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways. The flaw in the SAML component of the mentioned products allows an attacker to access certain restricted resources without authentication. On February 9, 2024, the vulnerability was reported to be exploited in-the-wild.

Customers are advised to patch urgently to the fixed versions: Ivanti Connect Secure versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2; Ivanti Policy Secure versions 9.1R17.3, 9.1R18.4 and 22.5R1.2; and ZTA gateways versions 22.5R1.6, 22.6R1.5 and 22.6R1.7.

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment. 

More information about the vulnerability is available in a blog post by watchTowr Labs, who discovered the issue.

On January 10, 2024, Ivanti released an advisory along with mitigation strategies (but no patches) for two vulnerabilities affecting Connect Secure VPN devices: CVE-2023-46805 and CVE-2024-21887. When exploited in tandem, they enable unauthenticated remote code execution, and Ivanti urged immediate customer response. A few days later, researchers announced that they had identified active exploitation of these vulnerabilities as 0-days, dating back to December 2023, and provided details of the related threat activity.

A few weeks later, on January 31, 2024, Ivanti disclosed two more high-severity vulnerabilities: CVE-2024-21888, a privilege escalation flaw, and CVE-2024-21893, a server-side request forgery (SSRF), affecting both Ivanti Connect Secure and Ivanti Policy Secure. Ivanti has confirmed that one of these vulnerabilities (CVE-2024-21893) has also been exploited in the wild as a 0-day. Promptly following these disclosures, Ivanti made patches available for all four vulnerabilities, and as of February 1, 2024, patches are available for all affected major versions. 

In response to the above disclosures, the US Cybersecurity and Infrastructure Security Agency (CISA) mandated that US federal agencies must disconnect affected products from their networks by February 2, 2024, and undertake immediate threat hunting and monitoring activities. Agencies were also instructed to isolate affected systems, audit privileged access, and follow a specific protocol to reset, upgrade, and reconfigure the compromised devices according to Ivanti’s guidelines, including revoking and reissuing all compromised credentials by March 1, 2024. 

Wiz customers can check the Wiz Inventory to pinpoint all resources running Ivanti Connect Secure or Policy Secure in their cloud environment, as identified by either agentless or unauthenticated scanning. Additionally, customers can use Wiz Threat Center queries and controls to search for instances of the above-mentioned vulnerabilities. 

What are these vulnerabilities? 

CVE-2023-46805 

This vulnerability allows for an authentication bypass within the web component of Ivanti Connect Secure (versions 9.x and 22.x) and Ivanti Policy Secure. It enables a remote attacker to circumvent control checks and gain access to restricted resources. 

CVE-2024-21887 

In the web components of Ivanti Connect Secure (versions 9.x and 22.x) and Ivanti Policy Secure, a command injection flaw exists. This issue permits an authenticated administrator to craft and send requests that can execute arbitrary commands on the appliance, with the potential for exploitation over the internet. 

CVE-2024-21888 

A flaw in the web component of both Ivanti Connect Secure and Ivanti Policy Secure, across versions 9.x and 22.x, presents a privilege escalation risk. This vulnerability allows a user to gain administrator-level privileges. 

CVE-2024-21893 

A server-side request forgery (SSRF) vulnerability has been identified in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure (both versions 9.x and 22.x), and Ivanti Neurons for ZTA. This vulnerability enables an attacker to access certain restricted resources without needing to authenticate. 

Wiz Research data: what’s the risk to cloud environments?       

According to Wiz data, less than 1% of cloud environments have publicly exposed instances vulnerable to either CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 or CVE-2024-21893.  

What sort of exploitation has been identified in the wild?  

A suspected China-nexus espionage group, tracked as UNC5221 or UTA0178, was found exploiting CVE-2023-46805 and CVE-2024-21887 as 0-days as early as December 3, 2023. However, following the public disclosure, widespread exploitation by other groups was observed as well.

Researchers investigating this activity discovered attackers using a bypass technique which successfully evaded initial mitigation guidance provided by Ivanti. Researchers have also identified various webshells, backdoors and other malware associated with the campaigns exploiting these vulnerabilities, and Ivanti customers should scan their environments for the indicators of compromise (IOCs) listed in the references below. 

Which products are affected? 

These vulnerabilities impact all supported versions of Ivanti Connect Secure and Policy Secure, versions 9.x and 22.x.

Which actions should security teams take? 

Ivanti released patches for the vulnerabilities on January 31 and February 1, 2024. It is recommended to install the patched versions: 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1.

Prior to releasing patches, Ivanti provided guidance on implementing a workaround involving importing an XML file from their download portal. While patching is preferred, any customers unable to apply patches at this time are advised to either use the workaround or avoid publicly exposing these products to the Internet for the time being. As mentioned above, CISA has mandated that federal agencies must disconnect affected products from their networks. 
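To make the patch-level check concrete, here is an added Python example (not code from Wiz or Ivanti) that parses Ivanti's build strings and sorts an inventory of appliances into patched, vulnerable and unknown against the fixed builds quoted in this post. The hostnames and builds in the sample inventory are constructed for the example, and the ordering rule (compare the maintenance number only within the same major.minor R-release branch, and report branches with no listed fix as unknown rather than guessing) is an assumption of this example, not something Ivanti states here.

```python
import re
from typing import Dict, List, Tuple

# Fixed builds as quoted in the advisory text above, keyed by the issue set they address.
FIXED_BUILDS: Dict[str, List[str]] = {
    # CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893 (Connect Secure / Policy Secure)
    "jan-feb-2024-set": ["9.1R14.4", "9.1R17.2", "9.1R18.3", "22.4R2.2", "22.5R1.1"],
    # CVE-2024-22024, Ivanti Connect Secure builds
    "CVE-2024-22024-ics": ["9.1R14.5", "9.1R17.3", "9.1R18.4", "22.4R2.3",
                           "22.5R1.2", "22.5R2.3", "22.6R2.2"],
}

# major.minor R release [. maintenance]  e.g. 9.1R18.3, 22.5R1.1, 22.4R2
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], int]:
    """Split an Ivanti build string such as '9.1R18.3' into a branch key
    (major, minor, release) and the maintenance number (3).
    A build with no maintenance number ('22.4R2') is treated as 0.
    Raises ValueError for strings that do not follow the scheme."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, maint = m.groups()
    return (int(major), int(minor), int(release)), int(maint or 0)


def assess(installed: str, fixed: List[str]) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one installed build.
    Assumption (this example's, not Ivanti's): builds are only comparable
    within a branch, so the installed maintenance number is compared with the
    fixed build on the same branch; a branch with no listed fix is 'unknown'."""
    branch, maint = parse_version(installed)
    fixes = {}
    for fixed_build in fixed:
        fixed_branch, fixed_maint = parse_version(fixed_build)
        fixes[fixed_branch] = fixed_maint
    if branch not in fixes:
        return "unknown"
    return "patched" if maint >= fixes[branch] else "vulnerable"


def triage(inventory: List[Tuple[str, str]], fixed: List[str]) -> Dict[str, List[str]]:
    """Group appliance hostnames by status. Builds that cannot be parsed land in
    'unparsable' so they are reviewed by hand instead of silently skipped."""
    buckets: Dict[str, List[str]] = {
        "patched": [], "vulnerable": [], "unknown": [], "unparsable": []}
    for host, version in inventory:
        try:
            buckets[assess(version, fixed)].append(host)
        except ValueError:
            buckets["unparsable"].append(host)
    return buckets


# Constructed sample inventory: hostnames and builds invented for this example.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("vpn-east-1", "9.1R18.2"),      # one maintenance release below 9.1R18.3
    ("vpn-east-2", "9.1R18.3"),      # exactly the fixed build
    ("vpn-west-1", "22.5R1.1"),      # exactly the fixed build
    ("vpn-west-2", "22.5R2.1"),      # branch with no fix listed for the four CVEs
    ("vpn-lab", "22.4R2"),           # no maintenance number, treated as 22.4R2.0
    ("vpn-legacy", "build-unknown"), # junk from an inventory export
]

if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY, FIXED_BUILDS["jan-feb-2024-set"])
    for status, hosts in report.items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

The "unknown" bucket is deliberate: a build on a branch the advisory does not list should be checked against Ivanti's own advisory rather than assumed safe, and an appliance whose build string cannot be parsed at all is exactly the kind of inventory gap that this post's Inventory check is meant to surface.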

Prevention using Wiz 

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment.  

As mentioned above, Wiz customers can also use the Inventory to check if and where they are using Ivanti Connect Secure or Policy Secure in their environment. 

For any questions or help with patching or mitigating vulnerabilities, please don't hesitate to contact us at threat.hunters@wiz.io.

References 
