Ivanti Patches High-Risk Vulnerabilities in VPN Gateways
April 3, 2024
Ivanti, a company specializing in IT security software, has released patches to address several vulnerabilities in its Connect Secure and Policy Secure gateways. One of these, a high-risk flaw tracked as CVE-2024-21894, could allow unauthenticated attackers to execute code remotely or cause a denial of service (DoS). Exploitation requires no user interaction and is rated low in attack complexity. The vulnerability is a heap overflow in the IPSec component and affects all supported gateway versions. Ivanti has stated that remote code execution is possible only under 'certain conditions', but it did not disclose which configurations are vulnerable. At the time of disclosure, Ivanti reported that it was not aware of any customers whose systems had been exploited through these vulnerabilities.
The company also addressed three other security flaws on the same day. These vulnerabilities also affect the same products and could be exploited by unauthenticated threat actors to launch DoS attacks. Ivanti has provided detailed instructions on how to access and apply the security patches in a Knowledge Base Article.
According to Shodan, a search engine used to identify Internet-exposed services and devices, there are currently over 29,000 Ivanti Connect Secure VPN gateways exposed online. Shadowserver, a threat monitoring platform, has identified over 18,000.
This year, nation-state actors have exploited multiple vulnerabilities in Ivanti software. Thousands of Ivanti Connect Secure and Policy Secure endpoints remain at risk. The security vulnerabilities CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, and CVE-2024-21893 were used as zero-days before other attackers used them in widespread attacks to distribute custom malware.
In response to this situation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive to federal agencies. This directive orders the agencies to secure their Ivanti systems against attacks using the zero-day flaws. The directive was later updated to require agencies to disconnect vulnerable Ivanti VPN appliances and rebuild them with patched software before reconnecting them.
Three years ago, suspected Chinese threat groups exploited another Connect Secure zero-day, CVE-2021-22893, to infiltrate numerous government, defense, and financial organizations across the United States and Europe.