Active Exploitation of Zero Day Vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure Gateways

Published on 11 Jan 2024

First update on 02 Feb 2024:

Ivanti has reported that these vulnerabilities are actively exploited by threat actors.

Users and administrators with impacted systems are advised to disconnect and isolate the impacted appliance(s) from their networks and from any enterprise resources to the greatest degree possible. They are also advised to run the external Integrity Checker Tool (ICT) to identify potential signs of compromise; the external version is preferred over the appliance's built-in checker, since an appliance that may already be compromised cannot be trusted to verify its own integrity. Note that applying a patch does not remove an attacker who gained access before the patch was applied, so the integrity check should be run regardless of patch status.

Ivanti has begun releasing patches on a staggered schedule. Users and administrators of affected Ivanti products should download and apply the official patch for their version as soon as it is available. If the earlier mitigation (XML file) was applied before the patch, it can be removed once the patch has been applied. The mitigation removal XML process can be found in the download portal at https://forums.ivanti.com/s/product-downloads.

If a patch is not yet available for a vulnerable appliance, users and administrators are advised to apply the updated mitigation by importing the mitigation.release.20240126.5.xml file, which supersedes the mitigation.release.20240107.1.xml file from the original alert. If an appliance is upgraded to a version that does not yet contain the fix, the mitigation must be re-imported after the upgrade has been completed. Do note that applying the XML file may impact functionality and features of an appliance, including SAML authentication.

Refer to Ivanti's advisory (linked at the end of this alert) for the immediate actions to take to protect against these zero-day vulnerabilities in Ivanti products.

********

Original alert published on 11 Jan 2024:


Ivanti has disclosed two zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) that are being actively exploited. 

The vulnerabilities are:

  • CVE-2023-46805: Successful exploitation of this authentication bypass vulnerability in the web component of vulnerable versions of Ivanti Connect Secure and Ivanti Policy Secure may allow a remote attacker to access restricted resources by bypassing control checks.
  • CVE-2024-21887: Successful exploitation of a command injection vulnerability in web components of vulnerable versions of Ivanti Connect Secure and Ivanti Policy Secure may allow an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

The aforementioned vulnerabilities affect all supported versions of Ivanti Connect Secure and Ivanti Policy Secure in the 9.x and 22.x release lines. Chained together, the two vulnerabilities allow an unauthenticated remote attacker to execute arbitrary commands on the appliance: CVE-2023-46805 removes the need for the administrator authentication that CVE-2024-21887 would otherwise require.

Ivanti has announced that patches will be released on a staggered schedule, with the first version targeted to be available to users and administrators in the week of 22 January 2024 and the final version targeted to be available in the week of 19 February 2024.

In the meantime, users and administrators of affected product versions are advised to apply the mitigation measures by importing the mitigation.release.20240107.1.xml file via the Ivanti download portal. Instructions on how to implement the mitigation and the possible impact on services are available here: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

More information is available here:

https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US