Two weeks ago Ivanti appliances came under mass exploitation – with attackers hitting an unpatched brace of bugs that give an unauthenticated remote attacker remote code execution and for which MFA is no help.
The vulns, CVE-2023-46805 and CVE-2024-21887, affect all supported versions of Ivanti Connect Secure and Ivanti Policy Secure gateways. When The Stack published, 17,000 were exposed and 1,500 already hit.
Ivanti took weeks to patch: Fixes only started dribbling in this week.
Mass attacks appear to have started on January 11: “Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals” Volexity said at the time.
Now there’s MORE: New Ivanti bug exploited
Now ANOTHER Ivanti CVE-2024-21893, is being exploited in the wild, it’s admitted – with the server-side request forgery vulnerability “in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA” letting attackers “access certain restricted resources without authentication” the company said this week.
(A further vulnerability, CVE-2024-21888, has also been disclosed.)
“At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted. Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public ” Ivanti said in an advisory. For more details, check forum updates.
US agency CISA has seen enough. It’s told federal agencies to unplug Ivanti products from agency networks by February 2. No ifs, no buts.
“Agencies running affected products—Ivanti Connect Secure or Ivanti Policy Secure solutions—are required to immediately perform the following tasks: As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks,” it said.
CISA added: “Threat actors are continuing to leverage vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways to capture credentials and/or drop webshells that enable further compromise of enterprise networks. Some threat actors have recently developed workarounds to current mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection."
The agency noted: “CISA is aware of instances in which sophisticated threat actors have subverted the external integrity checker tool (ICT), further minimizing traces of their intrusion.
“If an organization has been running Ivanti Connect Secure (9.x and 22.x) and Policy Secure gateways over the last several weeks and/or continues to run these products, CISA recommends continuous threat hunting on any systems connected to—or recently connected to—the Ivanti device. Additionally, organizations should monitor authentication, account usage, and identity management services that could be exposed and isolate the system(s) from any enterprise resources as much as possible,” it added.
As we noted in our report on January’s mass exploitation, Ivanti's tardy response made it few friends. Offensive security firm watchTowr Labs put it crisply: "What makes this situation even more 'offensive' is Ivanti’s response (or lack of) to these vulnerabilities especially given the context - at the time of writing, a mitigation XML file is all that is available, with staggered patches available from the 22nd Jan 2024 per Ivanti. Yes, really. We’re tired of the lack of responsibility taken by organisations when their devices are the literal gate between the Internet and their internal networks and hold an incredibly critical, and sensitive position in any network architecture."
If you conceivably can, perhaps start thinking about life without VPNs: As the US Department of Defense put it last year: "VPNs pose a threat to enterprise security. They create a path in the network perimeter and provide access to network resources after authentication." Kill them.
