Active Exploitation of Vulnerability in Ivanti Products

Published on 02 Feb 2024

Ivanti has released security updates to address two high severity vulnerabilities (CVE-2024-21888 and CVE-2024-21893) in Ivanti Connect Secure (ICS), Ivanti Policy Secure and Ivanti Neurons for ZTA. CVE-2024-21893 is reportedly being actively exploited.

The vulnerabilities are:

  • CVE-2024-21888: A privilege escalation vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure may allow an authenticated attacker to elevate privileges to that of an administrator.
  • CVE-2024-21893: A server-side request forgery vulnerability in the Security Assertion Markup Language (SAML) component of Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for Zero Trust Access (ZTA) may allow an unauthenticated attacker to access certain restricted resources.

The following products are affected by the vulnerabilities:

  • Ivanti Connect Secure versions 9.x and 22.x
  • Ivanti Policy Secure versions 9.x and 22.x
  • Ivanti Neurons for ZTA


[UPDATE, 2nd Feb 2024]: Users and administrators with impacted systems are advised to disconnect and isolate the impacted appliance(s) from their networks and from any enterprise resources to the greatest degree possible. They are also advised to run the external Integrity Checker Tool (ICT), rather than relying only on the appliance's built-in ICT, to identify potential signs of compromise.

Ivanti has announced that patches will be released on a staggered schedule. Users and administrators of affected Ivanti products should download and apply the official patch as soon as it is available for their version. If a previous mitigation (XML file) was applied before the patch, it can be removed once the patch has been applied. The mitigation removal XML process can be found in the download portal at https://forums.ivanti.com/s/product-downloads.

If a patch is not yet available for a vulnerable appliance, users and administrators are advised to apply the interim mitigation (by importing the mitigation.release.20240126.5.xml file) until the official patch can be applied. Do note that applying the XML file may impact functionality and features of an appliance, including SAML authentication.

Refer to this advisory for immediate actions to take to protect against multiple zero-day vulnerabilities in Ivanti products.

[Update, 9th Feb 2024]: Ivanti has released security updates to address a separate authentication bypass vulnerability in their products. Read the alert here.

More information is available at:

https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US

https://www.bleepingcomputer.com/news/security/ivanti-warns-of-new-connect-secure-zero-day-exploited-in-attacks/