CISA Instructs Federal Agencies to Disconnect Ivanti VPN Instances Amidst Zero-Day Exploits

February 1, 2024

For the first time in its history, the Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products within a 48-hour window. The directive was issued in response to the discovery of four zero-day vulnerabilities in Ivanti products, three of which are currently being exploited. Agencies have been given until 11:59PM on February 2, 2024, to comply with the directive.

CISA has recommended that agencies continue to hunt for signs of compromise on any systems that have been connected to the affected Ivanti devices. Agencies have also been advised to monitor authentication and identity management services that could be at risk, to isolate these systems from enterprise resources as much as possible, and to audit privilege-level access accounts.
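The three response steps CISA lays out above (take every affected instance offline before the deadline, keep hunting, audit privileged accounts) are the kind of thing a response team scripts against its asset inventory. The following is an added example written for this article, not CISA's or Ivanti's tooling. It assumes an asset inventory and an appliance account export shaped like the constructed sample records inside it, takes the deadline in the article as US Eastern time, and treats any privilege-level account created or modified after Ivanti's January 10, 2024 mitigation date as needing a human review; the product names, version strings, hostnames and usernames are all constructed.

```python
"""Triage helper for the CISA Ivanti directive (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Products covered by the directive, as named in the article.
AFFECTED_PRODUCTS = {"Ivanti Connect Secure", "Ivanti Policy Secure"}
# Deadline quoted in the article: 11:59 PM, February 2, 2024.
# Assumption: US Eastern time (UTC-5), expressed here in UTC.
DEADLINE = datetime(2024, 2, 3, 4, 59, tzinfo=timezone.utc)
# Ivanti's first mitigation shipped January 10, 2024 (from the article).
# Assumption: privileged accounts touched after that date are suspect.
REVIEW_WINDOW_START = datetime(2024, 1, 10, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Appliance:
    hostname: str
    product: str
    version: str
    mitigation_xml_applied: bool


@dataclass(frozen=True)
class Account:
    username: str
    role: str
    created: datetime
    last_modified: datetime


def _utc(*ymd):
    return datetime(*ymd, tzinfo=timezone.utc)


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    Appliance("vpn-east-01", "Ivanti Connect Secure", "22.4R2", True),
    Appliance("vpn-west-01", "Ivanti Connect Secure", "9.1R18", False),
    Appliance("nac-hq-01", "Ivanti Policy Secure", "22.6R1", True),
    Appliance("fw-edge-01", "Other Vendor Firewall", "7.2", False),
]

# Constructed sample export of local accounts from an appliance console.
ACCOUNTS = [
    Account("admin", "Administrators", _utc(2022, 3, 1), _utc(2023, 11, 5)),
    Account("svc_backup", "Administrators", _utc(2024, 1, 14), _utc(2024, 1, 14)),
    Account("jsmith", "Users", _utc(2024, 1, 20), _utc(2024, 1, 20)),
    Account("helpdesk", "Read-Only Administrators", _utc(2023, 6, 1), _utc(2024, 1, 25)),
]


def appliances_to_disconnect(inventory):
    """Every instance of an affected product is in scope; the directive does
    not exempt appliances that already imported the mitigation XML, so the
    flag is reported for context but does not filter anything out."""
    return [a for a in inventory if a.product in AFFECTED_PRODUCTS]


def hours_until_deadline(now):
    """Hours left to comply; negative once the deadline has passed."""
    return (DEADLINE - now).total_seconds() / 3600


def suspect_privileged_accounts(accounts, window_start=REVIEW_WINDOW_START):
    """Privilege-level accounts created or changed inside the exploitation
    window. Each one needs a matching change record or an incident ticket."""
    return [
        acct for acct in accounts
        if "Administrator" in acct.role
        and (acct.created >= window_start or acct.last_modified >= window_start)
    ]


if __name__ == "__main__":
    now = _utc(2024, 2, 1, 15, 0)
    print(f"{hours_until_deadline(now):.1f} hours until the disconnect deadline")
    for a in appliances_to_disconnect(INVENTORY):
        state = "mitigation XML applied" if a.mitigation_xml_applied else "UNMITIGATED"
        print(f"DISCONNECT {a.hostname} ({a.product} {a.version}, {state})")
    for acct in suspect_privileged_accounts(ACCOUNTS):
        print(f"REVIEW {acct.username!r} ({acct.role}), last modified {acct.last_modified:%Y-%m-%d}")
```

The account check is deliberately broad: it matches any role containing "Administrator", including read-only administrator roles, because an attacker who bypassed authentication is as likely to hide in a low-noise role as in the primary one. The output is a review list, not a verdict; an analyst still has to reconcile each hit against change tickets.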

Ivanti has recently reported that threat actors are exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure and Policy Secure to remotely execute arbitrary commands on targeted gateways. The first vulnerability, CVE-2023-46805, is an Authentication Bypass issue that exists in the web component of Ivanti ICS 9.x, 22.x, and Ivanti Policy Secure. An attacker can exploit this vulnerability to bypass control checks and access restricted resources. The second vulnerability, CVE-2024-21887, is a command injection vulnerability in the web components of Ivanti Connect Secure and Ivanti Policy Secure. An authenticated administrator can exploit this vulnerability by sending specially crafted requests to execute arbitrary commands on the appliance.

Ivanti has also issued a warning about two new high-severity vulnerabilities in its Connect Secure and Policy Secure solutions, tracked as CVE-2024-21888 and CVE-2024-21893, one of which is currently being actively exploited. The first, CVE-2024-21888, is a privilege escalation issue in the web component of Ivanti Connect Secure and Policy Secure; an attacker can exploit it to gain admin privileges. The second, CVE-2024-21893, is a server-side request forgery vulnerability in the SAML component of Connect Secure, Policy Secure, and Neurons for ZTA; an attacker can exploit it to access certain restricted resources.

Ivanti has warned that the situation is still developing and that multiple threat actors can quickly adjust their tactics, techniques, and procedures to exploit these issues in their campaigns. As a temporary workaround, Ivanti recommends importing the 'mitigation.release.20240126.5.xml' file via the download portal to address CVE-2024-21888 and CVE-2024-21893.

Mandiant researchers have recently discovered new malware used by a China-linked APT group known as UNC5221, and by other threat groups, targeting Ivanti Connect Secure VPN and Policy Secure devices. The firm reported that threat actors are using the malware in post-exploitation activity, likely carried out through automated methods. Mandiant also observed a mitigation bypass technique used to deploy a custom web shell known as BUSHWALK; successful exploitation bypasses the initial mitigation Ivanti provided on Jan. 10, 2024. Mandiant assesses that the mitigation bypass activity is highly targeted and restricted, and that it differs from the mass exploitation observed after the disclosure of the Ivanti flaws. Other malware seen in the attacks includes a new variant of the LIGHTWIRE web shell, the Python web shell backdoor CHAINLINE, and the FRAMESTING web shell.
