Ivanti Patches High-Risk Vulnerabilities in VPN Gateways

April 3, 2024

Ivanti, a company specializing in IT security software, has released patches to address several vulnerabilities in its Connect Secure and Policy Secure gateways. One of these, a high-risk flaw identified as CVE-2024-21894, could allow unauthenticated attackers to execute remote code and initiate denial of service (DoS) attacks. This could be achieved without user interaction and in low-complexity attack scenarios. The vulnerability stems from a heap overflow issue in the IPSec component of all supported gateway versions. While Ivanti has stated that the risk of remote code execution is limited to 'certain conditions', the specifics of these vulnerable configurations were not disclosed. At the time of disclosure, Ivanti reported that it was not aware of any customers whose systems had been exploited through these vulnerabilities.

The company also addressed three other security flaws on the same day. These vulnerabilities also affect the same products and could be exploited by unauthenticated threat actors to launch DoS attacks. Ivanti has provided detailed instructions on how to access and apply the security patches in a Knowledge Base Article.

According to Shodan, a search engine used to identify Internet-exposed services and devices, there are currently over 29,000 Ivanti Connect Secure VPN gateways exposed online. Shadowserver, a threat monitoring platform, has identified over 18,000.

This year, nation-state actors have exploited multiple vulnerabilities in Ivanti software. Thousands of Ivanti Connect Secure and Policy Secure endpoints remain at risk. The security vulnerabilities CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, and CVE-2024-21893 were used as zero-days before other attackers used them in widespread attacks to distribute custom malware.

In response to this situation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive to federal agencies. This directive orders the agencies to secure their Ivanti systems against attacks using the zero-day flaws. The directive was later updated to require agencies to disconnect vulnerable Ivanti VPN appliances and rebuild them with patched software before reconnecting them.

Three years ago, suspected Chinese threat groups exploited another Connect Secure zero-day, CVE-2021-22893, to infiltrate numerous government, defense, and financial organizations across the United States and Europe.
