TR-78 - CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways + CVE-2024-21888 + CVE-2024-21893


  1. Recommendations
  2. Notifications
  3. Vulnerable systems and exploitation in Luxembourg
  4. Detection and Incident Response
  5. References
  6. Classification of this document
  7. Revision


Ivanti has issued a security patch to rectify two significant vulnerabilities in all supported versions (9.x and 22.x) of Connect Secure and Policy Secure gateways: an authentication bypass (CVE-2023-46805) and a command injection flaw (CVE-2024-21887). If exploited, these vulnerabilities could enable a cyber threat actor to seize control of the impacted system.

In addition to these two vulnerabilities, CVE-2024-21888 and CVE-2024-21893 affect Ivanti Connect Secure and Ivanti Policy Secure. CVE-2024-21888 is a privilege escalation vulnerability in the web component that allows a user to elevate privileges to those of an administrator. CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA that allows an attacker to access certain restricted resources without authentication.

Recommendations

  • There is a workaround available from the vendor until they release patches in the week of January 22.
  • The vendor Ivanti states the following concerning the release schedule: “Patches for supported versions will be released in a staggered schedule with the first version targeted to be made available for customers the week of 22nd January, 2024. The last version is targeted to be made available the week of 19th February 2024. Instructions on how to upgrade to a supported version will also be provided.” (KB CVE-2023-46805)
  • If you don’t require the VPN services, disabling the device is another option.
  • If VPN service is required, consider implementing an alternative solution.
  • It’s almost heartwarming to see our supplier finally roll out security patches, albeit at a pace that would embarrass a snail. In the meantime, while we wait with bated breath, this could be an excellent moment to ponder whether our current VPN provider is a champion of cybersecurity or just a champion of testing our patience.
  • From Ivanti (31st January 2023): “Out of an abundance of caution, we are recommending as a best practice that customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment.” Our recommendation goes a bit further: organizations must continue to search for any lateral movement within their infrastructure before applying any mitigation measures, and also after a patch has been applied, considering the current practice of vendor disclosure.

Notifications

CIRCL (Computer Incident Response Center Luxembourg) sends notifications to ISPs and known contact points when publicly exposed vulnerable devices are discovered. If you would like to directly share your IP resources for notifying the appropriate contact point, please reach out to us.

Vulnerable systems and exploitation in Luxembourg

Compromised Ivanti gateways have been identified and actively exploited in Luxembourg. We advise implementing a comprehensive incident response protocol for affected systems along with the connected infrastructure. This should include thorough log analysis and detailed file forensic examination.

Detection and Incident Response

  • The MISP event ab1a2393-2d57-46c9-91ab-16a4cc4b0b03 “Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN” contains YARA rules and indicators as described by Volexity. The event is available in the MISP CIRCL OSINT feed.
  • The MISP event 81866b54-7f4b-42f0-bcc1-84b7d8578e74 “OSINT - KrustyLoader - Rust malware linked to Ivanti ConnectSecure compromises” contains indicators about additional threat actors abusing Ivanti devices. The event is available in the MISP CIRCL OSINT feed.
  • The MISP event 34237efb-adf4-452b-a322-0cbed70c7b33 “Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation” contains indicators about additional threat actors abusing Ivanti devices. The event is available in the MISP CIRCL OSINT feed.
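
One way to put these events to work during log analysis, as an added example (not CIRCL's or Ivanti's code): it reads a MISP event in the standard event JSON layout, keeps only attributes flagged `to_ids`, and searches log lines for the network indicators. The sample event, its values and the log lines are constructed placeholders; real input would be the event JSON exported from the feed.

```python
import json
import re

# Constructed sample in MISP event JSON layout (placeholder values, not real indicators).
SAMPLE_EVENT = json.dumps({"Event": {
    "uuid": "00000000-0000-0000-0000-000000000000",
    "info": "constructed sample event",
    "Attribute": [
        {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},
        {"type": "domain", "value": "c2.example.net", "to_ids": True},
        {"type": "ip-dst", "value": "198.51.100.7", "to_ids": False},
        {"type": "yara", "value": "rule constructed_sample { condition: false }",
         "to_ids": True},
    ],
    "Object": [{"name": "file", "Attribute": [
        {"type": "sha256", "value": "0" * 64, "to_ids": True},
    ]}],
}})

# Constructed gateway log lines.
SAMPLE_LOGS = [
    "2024-01-12T08:01:02Z gw01 out tcp 10.0.0.5 -> 203.0.113.10:443",
    "2024-01-12T08:01:09Z gw01 dns query c2.example.net A",
    "2024-01-12T08:02:00Z gw01 out tcp 10.0.0.5 -> 203.0.113.100:443",
    "2024-01-12T08:03:00Z gw01 out tcp 10.0.0.5 -> 198.51.100.7:443",
]

def load_indicators(event_json):
    """Group to_ids attribute values by type, including those nested in objects."""
    event = json.loads(event_json)["Event"]
    attrs = list(event.get("Attribute", []))
    for obj in event.get("Object", []):
        attrs.extend(obj.get("Attribute", []))
    by_type = {}
    for a in attrs:
        if a.get("to_ids"):  # context-only attributes are not detection material
            by_type.setdefault(a["type"], set()).add(a["value"])
    return by_type

def match_logs(lines, by_type, types=("ip-dst", "ip-src", "domain", "hostname")):
    """Return (line, indicator) pairs for network indicators found in the lines."""
    hits = []
    for t in types:
        for value in sorted(by_type.get(t, ())):
            # Boundaries keep 203.0.113.10 from matching inside 203.0.113.100.
            pat = re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w-]|\.\w)")
            hits += [(line, value) for line in lines if pat.search(line)]
    return hits
```

The `yara` and `sha256` buckets returned by `load_indicators` can be written out for file forensics on the appliance image in the same way.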

References

Classification of this document

TLP:CLEAR information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:CLEAR - First version - 10th January 2024
  • Version 1.1 - TLP:CLEAR - Minor updates - 11th January 2024
  • Version 1.2 - TLP:CLEAR - Exploitation in Luxembourg added - 15th January 2024
  • Version 1.3 - TLP:CLEAR - Trying to clarify the messy disclosure of Ivanti