Ivanti discloses two actively exploited zero-day vulnerabilities

Ivanti has disclosed two vulnerabilities in Policy Secure and Connect Secure gateways that are being actively exploited in the wild against a limited number of victims. The first vulnerability, designated CVE-2024-46805, is an authentication bypass flaw, while CVE-2024-21887 is a command injection vulnerability.

By successfully exploiting CVE-2023-46805, threat actors obtain the authentication required to exploit CVE-2024-21887, which allows them to craft malicious requests and execute arbitrary commands on compromised appliances.

Ivanti estimates a patch for the vulnerabilities will be available in late January or February 2024. Until then, Ivanti has advised its clients to import a file via Ivanti’s download portal which will mitigate the risk posed by the vulnerabilities.

According to Shodan.io, over 15,000 Connect Secure and Policy Secure gateways are deployed worldwide, with the majority located in the US and Japan.

Location of Connect Secure and Policy Secure gateways (Source: Shodan.io)

Source: Bleeping Computer

Analysis

With organizations increasingly offering remote employment, appliances running software such as Ivanti’s Policy Secure and Connect Secure gateways are required to facilitate remote access to corporate resources from locations all over the world.

Since these appliances are internet-facing, they can be easily identified using publicly available scanning tools, making them a frequent target for threat actors looking for a foothold to a corporate network of interest.

This isn’t the first time threat actors chained vulnerabilities in Ivanti appliances. In August 2023, the US Cybersecurity and Critical Infrastructure Agency (CISA) issued a warning that state-sponsored threat actors were combining two vulnerabilities, designated CVE-2023-35078 and CVE-2023-35081, in Ivanti’s Mobile Endpoint Manager to deploy web shells and create administrator accounts, which led to threat actors obtaining access to API paths containing names, phone numbers, and other information.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in appliances like Ivanti Connect Secure and Policy Secure. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software and devices are detected in their environment and are encouraged to review these AROs as quickly as possible.

Field Effect strongly encourages users of Ivanti Connect Secure and Policy Secure to download and configure the mitigation file as soon as possible via Ivanti’s download portal and to install the patch once it is available.

Related articles

• Ivanti fixes API authentication bypass vulnerability in Sentry
• CISA warns state-sponsored hackers are actively exploiting vulnerable Ivanti mobile endpoint managers