{"id":23703,"date":"2024-01-13T13:11:34","date_gmt":"2024-01-13T21:11:34","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/01\/13\/news-17433\/"},"modified":"2024-01-13T13:11:34","modified_gmt":"2024-01-13T21:11:34","slug":"news-17433","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/01\/13\/news-17433\/","title":{"rendered":"Act now! Ivanti vulnerabilities are being actively exploited"},"content":{"rendered":"\n

Software vendor Ivanti has warned customers<\/a> about two actively exploited vulnerabilities in all supported versions of Ivanti Connect Secure and Ivanti Policy Secure Gateways. Successful exploitation would give an attacker the ability to run arbitrary code on Ivanti’s Virtual Private Network (VPN)<\/a> system.<\/p>\n

The warning is echoed by several international security agencies like CISA<\/a> and the German BSI<\/a>. Both are flagging active exploitation of these two chained vulnerabilities. Ivanti Connect Secure is a widely used VPN solution that allows users to connect to their organization’s network.<\/p>\n

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs mentioned in these reports are:<\/p>\n

CVE-2023-46805<\/a> (CVSS score<\/a> 8.2 out of 10): an authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure, which allows a remote attacker to access restricted resources by bypassing control checks.<\/p>\n

CVE-2024-21887<\/a> (CVSS score 9.1 out of 10): A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.<\/p>\n

Ivanti Neurons for Secure Access is not vulnerable to these CVEs. However, the gateways being managed are independently vulnerable to them.<\/p>\n

After attackers have used the authentication bypass to authenticate as an administrator they are able to install webshells on the VPN system to gain persistence, allowing them to execute commands on the compromised devices.<\/p>\n

Active exploitation has been seen as far back as December 3, 2023. These attackers erased log files and turned logging off on the compromised system. Besides that, they had stolen configuration files, altered existing files, dropped remote files, and established a reverse tunnel allowing them unrestricted access.<\/p>\n

One of the dropped files contained a JavaScript that stole the credentials of users that logged in, which could also be used for lateral movement.<\/p>\n

Mitigation<\/h2>\n

Patches will be released on a schedule based on versions, with the first coming out in the week of January 22. The last version will come out the week of February 19.<\/p>\n

\n

\u201cWe are releasing patches based upon telemetry information available to us from current installed solutions that notify us of the version number they are running. We are releasing patches for the highest number of installs first and then continuing in declining order.\u201d<\/p>\n<\/blockquote>\n

Until then, customers are under advice to apply a workaround and monitor their network traffic for suspicious activity and analyze the logs on their Connect Secure device.<\/p>\n

The workaround requires importing a mitigation.release.20240107.1.xml file which can be obtained via the download portal<\/a> (login required). The XML file is in the zipped format, so you’ll need to unzip and then import the XML file.<\/p>\n