Mon, Jan 15, 2024

Two Zero-Day Vulnerabilities Impacting Ivanti Connect Secure and Policy Secure Gateways

Note: These vulnerabilities remain under active exploitation, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.

Two zero-day vulnerabilities have been discovered in Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, and Ivanti Policy Secure gateways. Tracked as CVE-2024-21887 and CVE-2023-46805, these vulnerabilities carry CVSS scores of 9.1 and 8.2 respectively and are being actively exploited in the wild. All supported versions, including 9.x and 22.x, are impacted.

Within its advisory, Ivanti states that if both vulnerabilities are leveraged in conjunction with each other, exploitation would not require authentication and could enable the execution of arbitrary commands.

CVE-2024-21887 (CVSS: 9.1)

CVE-2024-21887 is a command injection vulnerability in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. It could allow an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

CVE-2023-46805 (CVSS: 8.2)

CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. It could allow a remote attacker to access restricted resources by bypassing control checks.

Ivanti recommends that affected customers “immediately take action to ensure you are fully protected.” 

Exploitation in the Wild

On January 10, 2024, Volexity reported active exploitation of these vulnerabilities, which allowed unauthenticated remote code execution against vulnerable devices. The two vulnerabilities were chained by the threat actor to steal configuration data, modify files, download remote files and create a reverse tunnel from the device. These findings further increase the urgency of carrying out the recommendations listed below.

Detecting Exploitation

If a vulnerable device is identified within your environment, it is recommended to conduct threat hunting for known activity surrounding exploitation of this attack chain. The following actions can help detect suspicious activity related to this threat:

  • Identify logs being wiped or disabled (where previously enabled).
  • Identify suspicious connections from the vulnerable device to internal systems. This could include RDP, SSH or SMB connections, or port scanning against internal hosts from the device.
  • Analyze unauthenticated request logs, if available. Requests that are not commonly seen can be a potential indicator of compromise. The threat actor has been observed accessing files to be exfiltrated in the “/dana-na/help/” directory.
  • Use the Ivanti Connect Secure Integrity Check Tool to locate any new or mismatching files.
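The request-log hunting described above, as an added example that is not Kroll or Ivanti tooling: it baselines request paths from a clean log window, then flags requests into the /dana-na/help/ directory the post names, paths not seen in the baseline, and unusually large responses. It assumes a generic combined-style access log export; the appliance paths other than /dana-na/help/, the 1 MiB size threshold and every sample line are constructed.

```python
"""Hunt access logs for the indicators the post describes on an Ivanti
ICS/IPS appliance. Added example; assumes a generic combined-style log."""
import re

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
WATCHED_PREFIXES = ("/dana-na/help/",)  # directory named in the post
LARGE_BODY = 1 << 20                    # assumed threshold: 1 MiB response

# Constructed clean window used as the "commonly seen" baseline.
BASELINE_LOG = """\
198.51.100.7 - - [08/Jan/2024:09:00:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
198.51.100.7 - - [08/Jan/2024:09:00:05 +0000] "POST /dana-na/auth/url_default/login.cgi HTTP/1.1" 302 0
"""
# Constructed window under investigation (file names are placeholders).
SAMPLE_LOG = """\
198.51.100.8 - - [11/Jan/2024:02:14:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.9 - - [11/Jan/2024:02:20:17 +0000] "GET /dana-na/help/example-a.dat HTTP/1.1" 200 880211
203.0.113.9 - - [11/Jan/2024:02:21:44 +0000] "GET /dana-na/help/example-b.dat HTTP/1.1" 200 2204888
"""

def parse(lines):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def known_paths(lines):
    """Baseline: the set of request paths observed in a clean, pre-incident window."""
    return {r["path"] for r in parse(lines)}

def hunt(lines, baseline):
    """Return one finding per suspicious request, listing every rule it tripped."""
    findings = []
    for r in parse(lines):
        reasons = []
        if r["path"].startswith(WATCHED_PREFIXES):
            reasons.append("watched-dir")       # access into /dana-na/help/
        if r["path"] not in baseline:
            reasons.append("not-in-baseline")   # request "not commonly seen"
        if r["size"] != "-" and int(r["size"]) >= LARGE_BODY:
            reasons.append("large-body")        # possible bulk exfiltration
        if reasons:
            findings.append({"src": r["src"], "ts": r["ts"], "path": r["path"],
                             "status": r["status"], "reasons": reasons})
    return findings
```

Feed `hunt()` the exported log of the suspect window and `known_paths()` a window from before the advisory date; findings with several reasons warrant the earliest follow-up with the Integrity Check Tool.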

Note: Ivanti released an additional security advisory following an investigation into vulnerabilities reported on January 10, 2024. Two vulnerabilities have been identified in Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA. The vulnerabilities identified are being tracked as CVE-2024-21888, which carries a CVSS Score of 8.8, and CVE-2024-21893, which carries a CVSS score of 8.2.

CVE-2024-21888 (CVSS: 8.8)

CVE-2024-21888 is a privilege escalation vulnerability discovered in the web component of Ivanti Connect Secure and Ivanti Policy Secure. It impacts versions 9.x and 22.x. Successful exploitation enables a user to elevate their privileges to those of an administrator.

CVE-2024-21893 (CVSS: 8.2)

A server-side request forgery vulnerability, tracked as CVE-2024-21893, has been uncovered in the SAML component of Ivanti Connect Secure and Ivanti Policy Secure. It impacts versions 9.x and 22.x, and has also been identified in Ivanti Neurons for ZTA. Successful exploitation allows an attacker to access certain restricted resources without authentication.

In their advisory, Ivanti further mentions that CVE-2024-21893 has been exploited in the wild and appears to have been targeted by threat actors. Ivanti expects the threat actors will “change their behavior” and that there will be “a sharp increase in exploitation once this information is public.”

Mitigations for CVE-2024-21888 and CVE-2024-21893

For those unable to install patches immediately, Ivanti released a workaround to mitigate the vulnerabilities until patches can be installed. They can be mitigated by importing the “mitigation.release.20240126.5.xml” file available via the Ivanti download portal.

Ivanti further states that customers should stop pushing configurations to appliances with the XML in place, and should not resume pushing configurations until the appliance is patched. They also recommend installing the patches, which are available for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3. Additionally, run Ivanti’s external Integrity Checker Tool (ICT) to check whether the appliance has been compromised.

Pushing a configuration to an appliance with the XML in place stops some key web services from functioning and disables the mitigation. This only applies to customers who push configurations to appliances, including pushes through Pulse One or nSA, and it occurs with both full and partial configuration pushes.

Below are some key recommendations from Kroll’s CTI team:

  • Apply relevant workarounds immediately, as detailed in the Ivanti KB.
  • Apply patches when they become available. Further information on this timeline can be found in the Ivanti KB Patching Table.
  • Implement workarounds immediately.
  • Conduct threat hunting on any identified, vulnerable devices, as detailed above.
