Immediate Actions to Protect Against Multiple Zero-day Vulnerabilities in Ivanti Products

Published on 02 Feb 2024

Ivanti has flagged multiple vulnerabilities affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure and Ivanti Neurons for Zero Trust Access (ZTA) gateways. These include three zero-day vulnerabilities, authentication bypass (CVE-2023-46805), command injection (CVE-2024-21887) and server-side request forgery (CVE-2024-21893) vulnerabilities. There are reports that the vulnerabilities are actively exploited by threat actors.

The vulnerabilities are as follows:

CVE-2023-46805: An authentication bypass vulnerability in the web component of vulnerable versions of Ivanti Connect Secure and Ivanti Policy Secure may allow a remote attacker to access restricted resources by bypassing control checks.

CVE-2024-21887: A command injection vulnerability in web components of vulnerable versions of Ivanti Connect Secure and Ivanti Policy Secure may allow an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

CVE-2024-21888: A privilege escalation vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy may allow an attacker to elevate privileges to that of an administrator.

CVE-2024-21893: A server-side request forgery vulnerability in the Security Assertion Markup Language (SAML) component of Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA may allow an unauthenticated attacker to access certain restricted resources.

When chained, the zero-day vulnerabilities allow attackers to move laterally within a target's network, exfiltrate data, and establish persistent system access by deploying backdoors.

The following products are affected by the vulnerabilities:

Ivanti Connect Secure versions 9.x and 22.x

Ivanti Policy Secure versions 9.x and 22.x

Ivanti Neurons for ZTA

Containment Actions

Organisations running impacted systems are advised to perform the following immediate containment and investigative actions:

Disconnect and isolate the impacted appliance(s) from the networks and any enterprise resources to the greatest degree possible.

Run the external Integrity Checker Tool (ICT) to identify potential signs of compromise. Ivanti recommends running the external ICT as there have been observed attempts by threat actors to evade detection by manipulating Ivanti's internal (built-in) ICT.

Provide the results to Ivanti support for further review. Ivanti will decide if the appliance is compromised and recommend next steps. Ivanti can also provide assistance with decryption and capturing a forensic / memory image from the impacted appliance(s).

Perform a forensic review of the captured image(s) to identify additional signs of compromise or malicious activities.

Review available logs from the appliance(s), including:

VPN device logs - ensures the VPN logs can be viewed on the web or exported for offline analysis. This can be accessed via System > Log/Monitoring from the administrative interface.

Unauthenticated Request logging - ensures unauthenticated web requests made to the Connect Secure VPN appliance(s) are recorded in the user logs. This can be configured via System > Log/Monitoring > User Access > Select Events to Log.

Syslog forwarding - ensures appliance logs are available offline from the appliance(s) and cannot be modified. It is recommended that the following log types be configured for SYSLOG forwarding:

Events

User Access

Admin Access

Remediation Measures

Organisations running impacted systems are advised to perform the following remediation measures before bringing them into production:

Preserve a forensic image from the impacted appliance(s) for forensic analysis and investigative purposes.

Backup and export the configuration settings of the impacted appliance(s).

Conduct a factory reset or rebuild the appliance(s) by upgrading TWICE to one of the following supported software versions through Ivanti’s download portal at https://www.ivanti.com/resources/downloads.

When upgrading, any exploited or added files on the device will not persist through the upgrade.

Future rollbacks would make an organisation vulnerable if restoring to the compromised version. Two upgrades remove the compromised version - as only one rollback version is stored on the appliance.

Download and apply the official patch immediately.

If a previous mitigation (XML file) was applied before the patch, it can be removed once the patch has been applied. The mitigation removal XML process can be found in the download portal.

If a patch is not yet available for a vulnerable appliance,

Apply the mitigation patch (via importing the mitigation.release.20240126.5.xml file) after the upgrade has been completed. Do note that applying the XML file may impact functionality and features of an appliance, including SAML authentication.

Stop the push of configurations to appliances once the XML file is in place, and do not resume pushing configurations until formal patches have been issued by Ivanti. This includes any configurations that are pushed using Pulse One and/or nSA. Pushing configurations to an appliance will stop the short-term mitigation from functioning.

Restore the device configuration.

Revoke or rotate any device-specific secrets stored on the appliance(s) prior to compromise.

Revoke and reissue any connected or exposed certificates, keys, and passwords.

Reset the admin enable password.

Reset any stored application programming interface (API) keys.

Reset the password of any local user defined on the gateway, including service accounts used for third-party integrated authentication configurations.

If any credential stealers are identified on an appliance, reset the passwords for any users that authenticated to the appliance(s) during the period when the malware was active.

Hardening Measures

Besides aligning to the best security configuration practices, organisations can consider applying the following recommendations to further harden their systems:

Restrict egress communications from the CS VPN appliance(s). This can mitigate the impact of command-and-control (C2) communications from any backdoors that are present on an appliance.

Disable administrative access to the CS VPN appliance(s) from the external (internet-facing) port. Administrator > Admin Realms > Select Realm > Authentication Policy > Source IP > Ensure that “Enable administrators to sign in on the External Port” is not enabled.

Minimise the scope of internal connectivity paths that could be leveraged for lateral movement from the management interface of CS VPN appliance(s).

If the appliance(s) are configured with a one-arm topology, the following hardening measures should be considered:

Enable Source IP Based Restrictions for the Administrator Realm. Administrators > Admin Realms > Admin Users > Authentication Policy > Source IP

Enable MFA for the administrator sign-in URL.

Configure the Management Port to allow administrators to sign in and disable administrators to sign in on the Internal Port. Administrators > Admin Realms > Admin Users > Authentication Policy > Administrator sign in ports

Disable Session Roaming, which can mitigate the impact of a stolen session cookie being reused by a different IP address that does not correlate to the initial user who logged in.

Users: Users > User Roles > > General > Session Options: Roaming Session, select "Disabled"

Admins: Administrators > Admin Roles >> General > Session Options: Roaming Session, select "Disabled"

Enforce Session Lifetime Limits to reduce the risk of a stolen session being continuously reused by an attacker.

Users: Users > User Roles >> General > Session Options: Session lifetime lengths

Admins: Administrators > Admin Roles > > General > Session Options: Session lifetime lengths

Do not allow Persistent Sessions to reduce the risk of a stolen session being continuously reused by an attacker.

Users: Users > User Roles >> General > Session Options: Persistent Session, select "Disabled"

Admins: Administrators > Admin Roles >> General > Session Options: Persistent Session, select "Disabled"

Enable “Remove Browser Session Cookies” to reduce the risk of stealing browser session cookies.

Users: Users > User Roles >> General > Session Options: Remove Browser Session Cookie, select "Enabled"

Admins: Administrators > Admin Roles >> General > Session Options: Remove Browser Session Cookie, select "Enabled"

Enable “HTTP Only Device Cookie” to reduce the risk of cookie stealing.

Users: Users > User Roles >> General > Session Options: HTTP Only Device Cookie, select "Enabled"

Admins: Administrators > Admin Roles >> General > Session Options: HTTP Only Device Cookie, select "Enabled

Host and Network IOCs

Possible host and network Indicators of Compromise (IOCs) associated with the active campaign are shown in the tables below. Network administrators are advised to configure their firewall rules to block connections to the following network IOCs associated with the campaign while reviewing any prior connections and scan for the presence of the host-based IOCs in their systems.

Network-based Indicators

Network	Indicator	Type	Description
symantke[.]com	Domain	WARPWIRE C2 server	symantke[.]com
miltonhouse[.]nl	Domain	WARPWIRE variant C2 server	miltonhouse[.]nl
entraide-internationale[.]fr	Domain	WARPWIRE variant C2 server	entraide-internationale[.]fr
api.d-n-s[.]name	Domain	WARPWIRE variant C2 server	api.d-n-s[.]name
cpanel.netbar[.]org	Domain	WARPWIRE variant C2 server	cpanel.netbar[.]org
clickcom[.]click	Domain	WARPWIRE variant C2 server	clickcom[.]click
clicko[.]click	Domain	WARPWIRE variant C2 server	clicko[.]click
duorhytm[.]fun	Domain	WARPWIRE variant C2 server	duorhytm[.]fun
line-api[.]com	Domain	WARPWIRE variant C2 server	line-api[.]com
areekaweb[.]com	Domain	WARPWIRE variant C2 server	areekaweb[.]com
ehangmun[.]com	Domain	WARPWIRE variant C2 server	ehangmun[.]com
secure-cama[.]com	Domain	WARPWIRE variant C2 server	secure-cama[.]com
146.0.228[.]66	IPv4	WARPWIRE variant C2 server	146.0.228[.]66
159.65.130[.]146	IPv4	WARPWIRE variant C2 server	159.65.130[.]146
8.137.112[.]245	IPv4	WARPWIRE variant C2 server	8.137.112[.]245
91.92.254[.]14	IPv4	WARPWIRE variant C2 server	91.92.254[.]14
186.179.39[.]235	IPv4	Mass exploitation activity	186.179.39[.]235
50.215.39[.]49	IPv4	Post-exploitation activity	50.215.39[.]49
45.61.136[.]14	IPv4	Post-exploitation activity	45.61.136[.]14

Host-Based Indicators

Filename	MD5	Description
health[.]py	3045f5b3d355a9ab26ab6f44cc831a83	CHAINLINE web shell
compcheckresult.cgi	3d97f55a03ceb4f71671aa2ecf5b24e9	LIGHTWIRE web shell
lastauthserverused.js	2ec505088b942c234f39a37188e80d7a	WARPWIRE credential harvester variant
lastauthserverused.js	8eb042da6ba683ef1bae460af103cc44	WARPWIRE credential harvester variant
lastauthserverused.js	a739bd4c2b9f3679f43579711448786f	WARPWIRE credential harvester variant
lastauthserverused.js	a81813f70151a022ea1065b7f4d6b5ab	WARPWIRE credential harvester variant
lastauthserverused.js	d0c7a334a4d9dcd3c6335ae13bee59ea	WARPWIRE credential harvester
lastauthserverused.js	e8489983d73ed30a4240a14b1f161254	WARPWIRE credential harvester variant
category[.]py	465600cece80861497e8c1c86a07a23e	FRAMESTING web shell
logo.gif	N/A — varies	Configuration and cache dump or CAV web server log exfiltration
login.gif	N/A — varies	Configuration and cache dump
[a-fA-F0-9]{10}\.css	N/A — varies	Configuration and cache dump
visits[.]py	N/A — varies	WIREFIRE web shell

Report a Compromise

Singapore organisations affected by these vulnerabilities should report to SingCERT if any evidence of compromise is found. A report can be made via our Incident Reporting Form at https://go.gov.sg/singcert-incident-reporting-form.

More information is available here: