Ivanti is warning users of its Connect Secure and Policy Secure gateways of a new zero-day vulnerability that is under mass exploitation by various threat actors. The new server-side request forgery (SSRF) flaw, designated CVE-2024-21893, could allow attackers to bypass authentication to gain access to restricted resources on the affected devices.
The warning follows reports of Chinese state-sponsored threat actors exploiting two other zero-day vulnerabilities in the gateways, collectively dubbed “ConnectAround,” to gain initial access, deploy webshells and backdoors, capture credentials and configuration data, and spread further into the victim’s network.
According to the Shadowserver Foundation, exploitation of the now-patched ConnectAround flaws has dropped off in favor of the new zero-day, for which at least one proof-of-concept exploit is publicly available.
The Shadowserver Foundation estimates that approximately 22,500 Ivanti Connect Secure devices are currently exposed on the Internet; however, the foundation cannot determine how many of them are vulnerable to CVE-2024-21893.
Citing the active exploitation of multiple critical zero-day vulnerabilities, lack of effective mitigations, and lack of security updates for some of the impacted product versions, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) took the unusual step of ordering federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances.
Source: Bleeping Computer
Analysis
Given threat actors’ interest in compromising edge devices and gateways, it’s not surprising that they have escalated their activity against the vulnerable Ivanti gateways. The delayed development and release of a patch, coupled with the public release of exploit code, has no doubt contributed to the flaw’s popularity.
Until Ivanti gets ahead of these issues, threat actors will likely find more vulnerabilities in these gateways as they continue to look for ways to maximize the efficiency, persistence, and impact of their current exploits.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in appliances like Ivanti Connect Secure and Policy Secure. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate exploitation of these vulnerabilities. Covalence users are automatically notified via the Covalence portal when vulnerable software and devices are detected in their environment and are encouraged to review these AROs as quickly as possible.
Field Effect strongly encourages users of Ivanti Connect Secure and Policy Secure gateways to update affected versions with the latest security patch as soon as possible.