Ivanti has disclosed multiple vulnerabilities affecting its Connect Secure, Policy Secure, and Neurons for ZTA products. Notably, Ivanti Neurons for ZTA gateways are at risk when they remain unconnected to a ZTA controller. The first two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, were disclosed on January 10; two more, CVE-2024-21888 and CVE-2024-21893, were disclosed on January 31. Of these, CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 have already been exploited in the wild, while no exploitation of CVE-2024-21888 has been observed so far. CVE-2024-21888 is a privilege escalation vulnerability in the web component with a CVSS score of 8.8; CVE-2024-21893, with a CVSS score of 8.2, is a server-side request forgery vulnerability in the SAML component and has been used in targeted attacks.
In response to these vulnerabilities, Ivanti has released patches for various versions of Connect Secure and ZTA. The company recommends a factory reset of appliances before applying the patch as a precaution against persistent threats by attackers. Additionally, a temporary mitigation file, “mitigation.release.20240126.5.xml”, has been provided for users. Ivanti advises that any mitigation measures should be removed post-patch application and cautions against pushing configuration changes to appliances with the XML mitigation script in place.
Despite these measures, some threat actors have found workarounds to the initial mitigations, as observed by the US Cybersecurity and Infrastructure Security Agency (CISA). The agency notes that these actors have leveraged the vulnerabilities to capture credentials and facilitate further network compromise. Moreover, the external integrity checker tool can no longer be fully relied upon, as sophisticated threat actors have found ways to subvert it and thereby minimize the traces of their intrusion.
For users seeking further details, Tenable has provided product coverage for each of these CVEs, available on their respective pages. Ivanti continues to update its advisories and KB articles, and users are encouraged to stay informed for the latest information on patching and mitigation steps. Regular monitoring of systems for signs of compromise remains crucial, along with applying patches as soon as they become available.
If you think you may be affected and would like help investigating the issue, please reach out to csirt@frsecure.com.
Links:
https://thehackernews.com/2024/01/alert-ivanti-discloses-2-new-zero-day.html