
March 21, 2024

Ivanti addresses critical security flaws in Neurons and Standalone Sentry


Ivanti is warning users of its Standalone Sentry servers to patch a critical vulnerability that could allow unauthenticated threat actors with network access to execute arbitrary commands via low-complexity attacks.

The flaw, designated CVE-2023-41724, was originally discovered by NATO security researchers and affects all supported versions of Standalone Sentry, which is typically deployed as an organization's Kerberos Key Distribution Center Proxy (KKDCP) server or as a gatekeeper for ActiveSync-enabled Exchange and SharePoint servers.

Ivanti also addressed a separate critical vulnerability in its Neurons for ITSM IT service management solution. This flaw, designated CVE-2023-46808, could enable threat actors with remote access to a low-privilege account to execute commands. Only unpatched, on-premise Neurons deployments are still vulnerable to potential attacks as all Ivanti Neurons for ITSM Cloud landscapes have already been updated.

Ivanti noted that it has not found any evidence to indicate that these two vulnerabilities have been exploited in the wild; however, users should apply the appropriate security patches as soon as possible.

Source: Bleeping Computer

Analysis

So far, 2024 has proven to be a rough year for Ivanti, with nation-state actors exploiting multiple Ivanti vulnerabilities as zero days to deploy various custom malware strains. Additionally, Ivanti was the subject of the Cybersecurity and Infrastructure Security Agency’s (CISA) first emergency directive of 2024 that ordered federal agencies to secure Ivanti Connect Secure and Policy Secure systems against zero-day flaws targeted in widespread attacks.

Only two weeks later, citing the active exploitation of multiple critical zero-day vulnerabilities, lack of effective mitigations, and lack of security updates for some of the impacted product versions, CISA changed the directive to order agencies to disconnect all vulnerable Ivanti VPN appliances and replace them with fresh rebuilds.

Making matters worse for network defenders, some deployed Ivanti gateways still carry the names, and run firmware versions, from before Ivanti acquired Pulse Secure and MobileIron in 2020. As a result, defenders may dismiss warnings about Ivanti vulnerabilities because, given the different naming schemes, they are unaware that they are running Ivanti gateways.

Until Ivanti gets ahead of these issues, threat actors will likely find more vulnerabilities in these gateways as they continue to look for ways to maximize the efficiency, persistence, and impact of their current exploits.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in appliances like Ivanti servers and gateways. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users have been automatically notified via the Covalence Portal if the vulnerable Ivanti solutions were detected in their environment and are encouraged to follow the mitigation advice included in these AROs as quickly as possible.

Field Effect strongly encourages users of the affected Ivanti solutions to update to the latest patched version as soon as possible. Additionally, users of legacy Pulse Secure and MobileIron appliances should update to the latest secure version of the equivalent Ivanti appliance so that critical warnings and updates aren’t mistakenly dismissed.
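As an added example (not part of the original article or of Field Effect's tooling), the following Python inventory check resolves pre-acquisition product names to their current Ivanti names, so that an advisory for, say, Standalone Sentry still matches an asset that the inventory recorded as a MobileIron Sentry. The alias table, the inventory line format and the sample hosts are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Product names as used before Ivanti acquired Pulse Secure and MobileIron, mapped to
# the current Ivanti name. Assumed mapping for illustration only; confirm each entry
# against vendor documentation before relying on it in a real inventory.
PRODUCT_ALIASES = {
    "pulse connect secure": ("Ivanti", "Connect Secure"),
    "pulse policy secure": ("Ivanti", "Policy Secure"),
    "mobileiron sentry": ("Ivanti", "Standalone Sentry"),
}

@dataclass(frozen=True)
class Asset:
    host: str
    vendor: str    # vendor exactly as the inventory recorded it (may be a legacy name)
    product: str   # product exactly as the inventory recorded it (may be a legacy name)
    version: str

def canonical_name(vendor: str, product: str) -> tuple[str, str]:
    """Resolve a recorded vendor/product pair to its current name.
    Unknown products pass through unchanged so nothing is silently hidden."""
    key = re.sub(r"\s+", " ", product).strip().lower()
    return PRODUCT_ALIASES.get(key, (vendor.strip(), product.strip()))

def parse_inventory(text: str) -> list[Asset]:
    """Parse 'host,vendor,product,version' lines; skip blanks and '#' comments."""
    assets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, vendor, product, version = (f.strip() for f in line.split(",", 3))
        assets.append(Asset(host, vendor, product, version))
    return assets

def affected_hosts(assets: list[Asset], vendor: str, product: str) -> list[str]:
    """Hosts whose canonical product matches an advisory's vendor/product,
    including assets still recorded under their pre-acquisition names."""
    want = (vendor.lower(), product.lower())
    return [a.host for a in assets
            if tuple(s.lower() for s in canonical_name(a.vendor, a.product)) == want]

# Constructed sample inventory: two entries still carry pre-acquisition names.
SAMPLE_INVENTORY = """\
# host,vendor,product,version
vpn-1.example.test,Pulse Secure,Pulse Connect Secure,9.1R14
vpn-2.example.test,Ivanti,Connect Secure,22.4R2
sentry-1.example.test,MobileIron,MobileIron Sentry,9.17.0
itsm-1.example.test,Ivanti,Neurons for ITSM,2023.3
"""
```

Calling `affected_hosts(parse_inventory(SAMPLE_INVENTORY), "Ivanti", "Standalone Sentry")` returns the sentry host even though it was never recorded under the Ivanti name; an inventory that matched on the literal recorded name would miss it.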

While CISA’s directive regarding Ivanti vulnerabilities only applies to U.S. federal agencies, any organization that wishes to maintain a high level of cybersecurity may wish to heed CISA’s directive if feasible.
