Ivanti discloses new zero-day flaw, releases delayed patches
While Ivanti customers can start patching two previously disclosed vulnerabilities, they must also address two new flaws for the same product.
Ivanti Wednesday released patches for two critical zero-day vulnerabilities that were disclosed earlier this month, but also warned customers of two new flaws, including a new zero-day that's under exploitation in the wild.
In a security advisory on Jan. 10, Ivanti detailed two zero-day remote code execution vulnerabilities tracked as CVE-2023-46805 and CVE-2024-21887 that affected Ivanti Policy Secure (IPS) and Ivanti Connect Secure (ICS). One week later, Volexity, which Ivanti credited with discovery, confirmed that 1,700 devices worldwide had been compromised since early December.
Volexity and Mandiant, which also investigated the exploitation activity, attributed the attacks to a Chinese nation-state threat actor. The vendors also revealed that the threat actor deployed web shells to maintain persistent access on vulnerable ICS devices, which makes mitigation even more difficult.
While Ivanti announced the first round of fixes for CVE-2023-46805 and CVE-2024-21887 Wednesday, the software vendor also disclosed two new bugs in ICS and IPS.
One is a privilege escalation vulnerability tracked as CVE-2024-21888, and the other is a server-side request forgery flaw assigned CVE-2024-21893. Ivanti warned that the latter is a zero-day vulnerability that could allow an unauthenticated attacker to access certain restricted resources and is under active exploitation.
"At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted. Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public -- similar to what we observed on 11 January following the 10 January disclosure," Ivanti wrote in an updated security advisory.
Ivanti said it has "no evidence" that CVE-2024-21888 is being exploited against customers. Wednesday's patch release included a fix for all four vulnerabilities for ICS versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1, and ZTA version 22.6R1.3; however, it is a multistep process.
"Out of an abundance of caution, we are recommending as a best practice that customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment," the advisory said.
Ivanti directed users to a knowledge base article and warned that the process will take three to four hours to complete. On top of the complicated patching process, the patch for the previously disclosed zero-day vulnerabilities arrived late: Ivanti had originally scheduled its release for the week of Jan. 22.
Ivanti sent the following statement to TechTarget Editorial:
The security of our customers is our top priority. As part of our ongoing investigation, we discovered two additional vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure. We included a fix for these vulnerabilities and previously identified vulnerabilities in the patch released today, and patches planned for release for additional versions will also include a comprehensive fix. And the patches released on January 31 cover the majority of our customers. We also provided a new mitigation in the best interest of our customers while the remaining patch versions are in development.
We strongly encourage customers to apply the patch for their version as it becomes available. While additional patch versions are in development, they should apply the mitigation and run the internal and external ICT.
Post-compromise challenges
On Tuesday, CISA published an alert urging Ivanti customers to apply patches and mitigations as soon as they become available because of ongoing exploitation. The alert warned that threat actors are leveraging the vulnerabilities to gather credentials and deploy web shells that enable additional compromise in victim networks.
"Some threat actors have recently developed workarounds to current mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection," CISA wrote in the alert. "CISA is aware of instances in which sophisticated threat actors have subverted the external integrity checker tool (ICT), further minimizing traces of their intrusion."
The ICT helps detect threat activity, and Ivanti added new functionality to the tool that it urged users to run. CISA recommended that organizations that have run ICS 9.x and 22.x versions and Policy Secure gateways since public disclosure implement "continuous threat hunting on any systems connected to -- or recently connected to -- the Ivanti device." The alert also encouraged enterprises to monitor authentication and account usage and implement identity management services.
The alert followed CISA's Emergency Directive (ED) on Jan. 19, which requires federal agencies to mitigate CVE-2023-46805 and CVE-2024-21887. The ED also confirmed that CISA observed widespread exploitation of the Ivanti flaws. In addition to risks listed in the alert, CISA said exploitation could result in full system compromise.
CISA gave agencies a mitigation deadline of Jan. 22.
"CISA has determined these conditions pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action. This determination is based on widespread exploitation of vulnerabilities by multiple threat actors, the prevalence of the affected products in the federal enterprise, the high potential for a compromise of agency information systems, the impact of a successful compromise, and the complexity of the proposed mitigations," CISA wrote in the ED.
Update: CISA issued a supplement to the ED Wednesday that required FCEB agencies to disconnect all ICS and IPS devices by Friday. In addition to following Ivanti's mitigation steps, the agencies must also export configuration settings and revoke and reissue certificates, keys and passwords. CISA mandated a progress check-in on Feb. 5.
"Agencies running the affected products must assume domain accounts associated with the affected products have been compromised," CISA wrote in the supplement. Further instructions for on-premises and cloud accounts were issued with a deadline of March 1. That included resetting passwords twice and revoking tokens.
Tenable research engineers Scott Caveza and Satnam Narang published a blog post on Jan. 10 about the initial Ivanti zero-days. The researchers warned that Pulse Connect Secure has been a popular target for ransomware groups and other nation-state threat actors. They listed eight vulnerabilities that were exploited against the VPN products over the past five years. For example, in 2021, Chinese hackers exploited an authentication bypass vulnerability in Ivanti software against government targets.
Updated on 2/1/2024.
Arielle Waldman is a Boston-based reporter covering enterprise security news.