February 6, 2024: On January 31, CISA issued an emergency directive to all Federal Civilian Executive Branch (FCEB) agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products from agency networks.
The directive was prompted by four vulnerabilities in these products, three of which have confirmed in-the-wild exploitation, and two of which (CVE-2023-46805 and CVE-2024-21887) were exploited as zero days before patches were available.
- CVE-2023-46805 (CVSS 8.2/10) – Confirmed exploited as a zero day
  - Authentication bypass in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure; a remote attacker can reach restricted resources by bypassing control checks
- CVE-2024-21887 (CVSS 9.1/10) – Exploitation confirmed
  - Command injection in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure; an authenticated administrator can send crafted requests and execute arbitrary commands on the appliance. Chained with CVE-2023-46805, the authentication requirement falls away, which is what made the pair exploitable by unauthenticated remote attackers
- CVE-2024-21888 (CVSS 8.8/10)
  - Privilege escalation in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x); allows a user to elevate privileges to those of an administrator
- CVE-2024-21893 (CVSS 8.2/10) – Targeted exploitation confirmed
  - Server-side request forgery in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA; allows an attacker to access certain restricted resources without authentication
The directive ordered all FCEB agencies to take the affected Ivanti products offline within 48 hours, that is, by February 2.
Additional actions required by CISA include:
- Continue threat hunting on any systems connected to the affected Ivanti devices
- Monitor authentication and IAM services that could have been exposed through the devices
- Isolate affected systems from enterprise resources to the greatest degree possible
- Continue to audit privileged access accounts for unexpected changes
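The four follow-up actions above are hunting tasks, not just policy. As an added example (not from the SecuLore post or the CISA directive), the script below runs that hunt over a handful of constructed authentication and IAM audit events: it flags interactive logins sourced from the appliance's own address, additions to privileged groups, long-lived tokens that should be revoked, and a burst of failures followed by a success (a rule that goes slightly beyond the list above). The log format, hostnames, IP addresses, account names, appliance address and the hunt start date are all assumptions for illustration.

```python
"""Threat-hunting pass over constructed audit events (added example, not vendor code).
Log format assumed: "<ISO timestamp> <host> <EVENT> key=value [key=value ...]".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; hosts, users and addresses are made up for the example.
SAMPLE_LOG = """\
2024-01-12T08:02:11Z fileserver01 LOGIN_OK user=jdoe src=10.20.5.17
2024-01-14T02:41:09Z fileserver01 LOGIN_OK user=svc_backup src=10.0.0.5
2024-01-14T02:43:51Z dc01 GROUP_ADD user=svc_backup src=10.0.0.5 group=Domain Admins
2024-01-14T02:45:02Z idp01 TOKEN_ISSUED user=svc_backup src=10.0.0.5 ttl=31536000
2024-01-15T09:10:33Z dc01 LOGIN_FAIL user=admin src=10.0.0.5
2024-01-15T09:10:35Z dc01 LOGIN_FAIL user=admin src=10.0.0.5
2024-01-15T09:10:37Z dc01 LOGIN_OK user=admin src=10.0.0.5
2024-01-20T11:00:00Z dc01 LOGIN_OK user=jdoe src=10.20.5.17
"""

IVANTI_APPLIANCE_IPS = {"10.0.0.5"}        # assumed: address of the affected appliance
HUNT_START = datetime(2024, 1, 10)         # assumed: start of the window being hunted
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}
MAX_TOKEN_TTL = 24 * 3600                  # tokens living longer than a day get flagged
FAIL_WINDOW = timedelta(minutes=5)
FAIL_THRESHOLD = 2

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
# key=value pairs; values may contain spaces (e.g. group=Domain Admins)
KV_RE = re.compile(r"(\w+)=(.+?)(?=\s+\w+=|$)")


def parse_events(text):
    """Parse the assumed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, kind, rest = m.groups()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
              "host": host, "event": kind}
        ev.update(KV_RE.findall(rest))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def hunt(events):
    """Return (rule, host, user, detail) findings for the CISA follow-up actions."""
    findings = []
    recent_fails = defaultdict(list)       # (user, src) -> LOGIN_FAIL timestamps
    for ev in events:
        if ev["ts"] < HUNT_START:
            continue
        user, src, kind = ev.get("user"), ev.get("src"), ev["event"]
        if kind == "LOGIN_FAIL":
            recent_fails[(user, src)].append(ev["ts"])
        elif kind == "LOGIN_OK":
            # The appliance itself should not be logging in interactively to
            # internal hosts; a login sourced from it is a lateral-movement lead.
            if src in IVANTI_APPLIANCE_IPS:
                findings.append(("APPLIANCE_SOURCED_LOGIN", ev["host"], user, src))
            fails = [t for t in recent_fails[(user, src)] if ev["ts"] - t <= FAIL_WINDOW]
            if len(fails) >= FAIL_THRESHOLD:
                findings.append(("FAILURES_THEN_SUCCESS", ev["host"], user, src))
            recent_fails[(user, src)].clear()
        elif kind == "GROUP_ADD" and ev.get("group") in PRIVILEGED_GROUPS:
            findings.append(("PRIVILEGED_GROUP_ADD", ev["host"], user, ev["group"]))
        elif kind == "TOKEN_ISSUED" and int(ev.get("ttl", "0")) > MAX_TOKEN_TTL:
            findings.append(("LONG_LIVED_TOKEN", ev["host"], user, ev["ttl"]))
    return findings


def accounts_to_review(findings):
    """Accounts implicated by any finding: candidates for password reset and token revocation."""
    return sorted({f[2] for f in findings})


if __name__ == "__main__":
    found = hunt(parse_events(SAMPLE_LOG))
    for f in found:
        print(*f)
    print("review:", accounts_to_review(found))
```

On the sample data the script raises five findings and names two accounts for review; in practice the same rules would be run against exported AD, IdP and host authentication logs covering the period since the appliance was exposed, and the account list feeds the password-reset and token-revocation step that precedes bringing the appliance back online.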
Agencies were required to report completion of the above actions to CISA and to provide status updates as the work progressed.
The alert also lists the steps for bringing the affected Ivanti products back online, including changing passwords and revoking tokens that may have been exposed while the devices were vulnerable.
With several of these vulnerabilities confirmed exploited and the potential for privilege escalation, continuous network monitoring and attack surface management are critical components for identifying threats that traverse your network from the affected products, as well as other cyber threats. Proper network segmentation and the components of a zero-trust architecture also limit access to resources, which constrains privilege escalation attempts and the damage they can do.
SecuLore™ OverWatch provides continuous network monitoring and addresses attack surface management through our patented Paladin technology, which detects vulnerabilities in your network and anomalous behavior. The technology passively captures all traffic on your network to identify threats that are often missed by other layers of security. The packet captures are sent to our Security Operations Center to be processed via a unique behavioral analysis that is constantly reviewed by our team of CEH-certified (Certified Ethical Hacker) analysts.
Contact SecuLore for more information on getting started with a monitoring option that detects malicious traffic attempting to exploit vulnerabilities on your network.
SecuLore Support Team