Ivanti discloses two additional vulnerabilities: privilege escalation and access to restricted resources

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Two additional vulnerabilities have been announced by Ivanti which affect all currently supported versions of the Ivanti Connect Secure, Ivanti Policy Secure, and Zero Trust Access (ZTA) gateway products (i.e. version number 9.x or 22.x). These both have high severity scores, and are being tracked as CVE-2024-21888 (CVSS score: 8.8) and CVE-2024-21893 (CVSS 8.2). The US Cybersecurity & Infrastructure Security Agency (CISA) has issued a supplemental to emergency directive 24-01 instructing federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure no later than 11:59 PM on 2nd February 2024.

Impact

CVE-2024-21888 allows a user to elevate their privileges to an administrator level through the use of a vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure.

CVE-2024-21893 allows unauthenticated access to certain restricted resources through a server-side request forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA.

Vulnerability Detection

All currently supported versions of Ivanti Connect Secure, Ivanti Policy Secure, and Zero Trust Access (ZTA) gateway products which have not been patched are at risk from these vulnerabilities.

Affected Products

Affected by CVE-2024-21888:

  • Ivanti Connect Secure (9.x, 22.x)
  • Ivanti Policy Secure (9.x, 22.x)

Affected by CVE-2024-21893:

  • Ivanti Connect Secure (9.x, 22.x)
  • Ivanti Policy Secure (9.x, 22.x)
  • Ivanti Neurons for ZTA

Containment, Mitigations, and Remediations

Ivanti advises that patches for these vulnerabilities are available through the standard download portal for ZTA version 22.6R1.3, Ivanti Policy Secure version 22.5R1.1, and for the following versions of Ivanti Connect Secure: 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and 22.5R2.2.

Patches for other supported versions will be released on a staggered schedule. Mitigations are available to download for versions which do not yet have a patch; they do not need to be applied to devices already running a patched build. The previous Ivanti vulnerabilities CVE-2023-46805 and CVE-2024-21887 are also remediated by this patch.

The CISA supplemental to ED 24-01 contains a list of additional steps which should be undertaken by federal agencies running affected Ivanti products. This starts with disconnecting all instances of Ivanti Connect Secure and Ivanti Policy Secure no later than 11:59 PM on 2nd February, and continues with threat hunting on any systems which have recently connected to the affected Ivanti device. Authentication and identity management services which may have been exposed to affected Ivanti devices should also be monitored for signs of compromise, alongside continued auditing of privileged accounts. Systems affected by these Ivanti vulnerabilities should be isolated from enterprise infrastructure as far as possible.

To bring Ivanti products back into service, CISA advises exporting the configuration settings, then performing a factory reset of the affected Ivanti device. Both Ivanti and CISA advise that this factory reset should be done before applying these patches; this is to prevent threat actors maintaining persistence mechanisms post-patch. After this reset, the device should be rebuilt and upgraded to one of the new supported versions which is patched against these vulnerabilities. The configuration can then be re-imported, and certificates, keys, and passwords which were connected to or exposed to the vulnerable Ivanti device should be revoked and re-issued.
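The detection section above says only that unpatched supported versions are at risk, and the remediation section lists the specific fixed builds. The following added script (not part of this bulletin, and not an Ivanti or CISA tool) turns those two statements into an inventory triage: for each appliance it parses the Ivanti build string, checks whether a fixed build exists for that release train, and reports whether the device is patched, has an upgrade available, or still has no patch and needs the interim mitigation. The fixed-build list is taken from the bulletin; the hostnames and versions in the sample inventory are constructed, and the script conservatively treats only the builds named above as fixed (a later release train without a listed fix is reported as "no patch yet", which is an assumption, not a statement from Ivanti).

```python
import re

# Fixed builds named in the Ivanti advisory, as quoted in the bulletin above.
FIXED_BUILDS = {
    "Ivanti Connect Secure": ["9.1R14.4", "9.1R17.2", "9.1R18.3",
                              "22.4R2.2", "22.5R1.1", "22.5R2.2"],
    "Ivanti Policy Secure": ["22.5R1.1"],
    "Ivanti Neurons for ZTA": ["22.6R1.3"],
}

# Ivanti build strings look like 9.1R14.4 or 22.5R2 (patch level optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Split a build string such as '9.1R14.4' into (major, minor, release, patch).
    A missing patch level (e.g. '22.3R1') is treated as patch 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def _fixed_branches(product):
    """Map each release train (major, minor, release) to its first fixed patch level."""
    branches = {}
    for build in FIXED_BUILDS[product]:
        major, minor, release, patch = parse_version(build)
        branches[(major, minor, release)] = patch
    return branches


def assess(product, version):
    """Return (status, advice) for one appliance.

    status is one of 'patched', 'upgrade-available' or 'no-patch-yet'.
    Assumption: only the builds listed in FIXED_BUILDS are treated as fixed."""
    if product not in FIXED_BUILDS:
        raise ValueError(f"unknown product: {product!r}")
    major, minor, release, patch = parse_version(version)
    fixed_patch = _fixed_branches(product).get((major, minor, release))
    if fixed_patch is None:
        return ("no-patch-yet",
                "no fixed build listed for this release train; apply Ivanti's "
                "mitigation and track the staggered patch schedule")
    if patch >= fixed_patch:
        return ("patched",
                "running a fixed build; confirm it was reached via the "
                "factory-reset-then-upgrade path described by Ivanti and CISA")
    return ("upgrade-available",
            f"fixed build {major}.{minor}R{release}.{fixed_patch} is available; "
            "export config, factory reset, then upgrade")


def triage(inventory):
    """Assess a list of (hostname, product, version) tuples."""
    return [(host, product, version, *assess(product, version))
            for host, product, version in inventory]


# Constructed sample inventory for demonstration; these are not real hosts.
SAMPLE_INVENTORY = [
    ("vpn-gw-01.example.test", "Ivanti Connect Secure", "9.1R14.3"),
    ("vpn-gw-02.example.test", "Ivanti Connect Secure", "22.5R2.2"),
    ("vpn-gw-03.example.test", "Ivanti Connect Secure", "22.3R1"),
    ("nac-01.example.test", "Ivanti Policy Secure", "22.5R1.1"),
    ("zta-01.example.test", "Ivanti Neurons for ZTA", "22.6R1.2"),
]

if __name__ == "__main__":
    for host, product, version, status, advice in triage(SAMPLE_INVENTORY):
        print(f"{host:24} {product:24} {version:10} {status:18} {advice}")
```

Feed `triage()` the output of your asset inventory or CMDB export; the "upgrade-available" rows are the ones to schedule for the export-reset-upgrade-reimport sequence, and the "no-patch-yet" rows are the ones that must carry Ivanti's mitigation until their train is patched.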

Indicators of Compromise

Ivanti states that at the time of their security advisory, they had no evidence of customers being impacted by CVE-2024-21888, the vulnerability allowing privilege escalation from user to administrator. At least some Ivanti customers have been affected by CVE-2024-21893, the vulnerability which allows unauthenticated access to specific restricted resources.

The previous advisory from Ivanti for CVE-2023-46805 and CVE-2024-21887 states that there is evidence of threat actors tampering with Ivanti’s internal integrity checker tool (ICT), and that an external version of the ICT should be used instead. This external version of ICT should also be used when scanning for the two new CVEs outlined in this bulletin.

Threat Landscape

As outlined in our bulletin on 15th January, some of the infrastructure used against previous Ivanti CVEs has been associated with an unidentified Chinese nation-state threat actor. That actor's operations are likely to be not data-destructive. However, other groups with different motives are also likely to be using these exploits following their public disclosure in the Ivanti security advisory.

Ivanti products are potentially attractive targets for sophisticated threat groups because of their use in high-profile government and public sector networks. It is crucial that the above remediation steps are followed as soon as possible due to the active exploitation of CVE-2024-21893 in the wild.

Threat Actor

No attribution to specific threat actors or groups has been identified at the time of writing.

Further Information

Ivanti security advisory

CVE-2024-21888 Privilege Escalation for Ivanti Connect Secure and Ivanti Policy Secure

KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways (modified 1st February)

Supplemental Direction V1: ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities