Project Hyphae

Playing Whack-a-Mole with Vulnerabilities: Ivanti’s Patching Saga Continues


Ivanti has disclosed multiple vulnerabilities affecting its Connect Secure, Policy Secure, and Neurons for ZTA products. Notably, Ivanti Neurons for ZTA gateways are at risk when they remain unconnected to a ZTA controller. The vulnerabilities in question, CVE-2023-46805 and CVE-2024-21887, were first disclosed on January 10, with two additional vulnerabilities, CVE-2024-21888 and CVE-2024-21893, revealed later on January 31. Of these, CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 have already been exploited in the wild, with no current exploitation observed for CVE-2024-21888. CVE-2024-21888 presents a privilege escalation vulnerability in the web component, scored at 8.8 (CVSS), and CVE-2024-21893, scored at 8.2, is a server-side request forgery vulnerability in the SAML component, which has seen targeted attacks.

In response to these vulnerabilities, Ivanti has released patches for various versions of Connect Secure and ZTA. The company recommends a factory reset of appliances before applying the patch as a precaution against persistent threats by attackers. Additionally, a temporary mitigation file, “mitigation.release.20240126.5.xml”, has been provided for users. Ivanti advises that any mitigation measures should be removed post-patch application and cautions against pushing configuration changes to appliances with the XML mitigation script in place.

Despite these measures, some threat actors have found workarounds to the initial mitigations, as observed by the US Cybersecurity and Infrastructure Security Agency (CISA). The agency notes that these actors have leveraged vulnerabilities to capture credentials and facilitate further network compromise. Moreover, the reliability of the external integrity checker tool has been compromised, as sophisticated threat actors have found ways to subvert it, minimizing traces of their intrusion.

For users seeking further details, Tenable has provided product coverage for each of these CVEs, available on their respective pages. Ivanti continues to update its advisories and KB articles, and users are encouraged to stay informed for the latest information on patching and mitigation steps. Regular monitoring of systems for signs of compromise remains crucial, along with applying patches as soon as they become available.

If you think you may be affected and would like help investigating the issue, please reach out to csirt@frsecure.com.


Links:
https://thehackernews.com/2024/01/alert-ivanti-discloses-2-new-zero-day.html

https://www.tenable.com/blog/cve-2023-46805-cve-2024-21887-cve-2024-21888-and-cve-2024-21893-frequently-asked-questions

https://www.bleepingcomputer.com/news/security/ivanti-warns-of-new-connect-secure-zero-day-exploited-in-attacks/
