Alert - Ivanti Connect Secure and Ivanti Policy Secure gateways zero-day vulnerabilities – Update 2

Number: AL24-001
Date: January 31, 2024

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On January 10, 2024, the Cyber Centre was made aware of an authentication bypass vulnerability (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887) impacting Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, and Ivanti Policy Secure (IPS) gateways. Ivanti published a security advisory to highlight these vulnerabilities [Footnote 1]. These vulnerabilities impact all supported versions of the software – versions 9.x and 22.x. To highlight the vulnerabilities, the Cyber Centre released an advisory on January 10, 2024 [Footnote 2].

As of January 10, Ivanti has stated that patches are still under active development and are not ready for distribution. Ivanti has released mitigation steps to address these vulnerabilities. Ivanti also suggests monitoring their Knowledge Base article for patch availability updates for supported versions of Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS), as they become available [Footnote 3].

Ivanti has reported that they are aware of exploitation and have observed evidence of threat actors attempting to manipulate Ivanti’s internal integrity checker tool (ICT) which is used to ensure filesystem integrity.

Volexity has published a report with an incident summary and indicators of compromise for activity related to these vulnerabilities [Footnote 4].

Update 1

On January 15, 2024, Volexity published a report indicating that widespread exploitation has been detected [Footnote 5].

The Cyber Centre is aware of proof-of-concept code available in open source.

On January 16, 2024, Ivanti published new guidance related to recovering from exploitation of these vulnerabilities [Footnote 6].

Any organizations with continued external facing access to the vulnerable services should assume full device compromise.

Update 2

On January 31, 2024, Ivanti updated their security advisory to indicate the release of patches for the authentication bypass (CVE-2023-46805) and command injection (CVE-2024-21887) vulnerabilities impacting Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways [Footnote 1].

Ivanti also disclosed two additional vulnerabilities affecting their Connect Secure, Policy Secure, and Neurons for ZTA products [Footnote 8]. A privilege escalation vulnerability (CVE-2024-21888) allows a server-side request forgery (CVE-2024-21893) in the SAML component, which allows a threat actor to access certain restricted resources without authentication. Fixes for these new vulnerabilities are also included in the recently published patches, along with new mitigation advice for supported versions where a patch has not been provided [Footnote 3]. The Cyber Centre has released a security advisory to highlight these additional vulnerabilities [Footnote 9].

On January 31, 2024, Mandiant published a blog detailing additional tactics, techniques, and procedures (TTPs) observed in post-exploitation activity, together with indicators of compromise and signatures to aid in the detection of compromise [Footnote 10].

Suggested actions

The Cyber Centre strongly recommends that:

  • Any organizations using Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways review the Ivanti KB article for mitigation steps and patching information.
  • Organizations review and implement the Cyber Centre’s Top 10 IT Security Actions [Footnote 7] with an emphasis on the following topics:
    • Consolidating, monitoring, and defending Internet gateways.
    • Patching operating systems and applications.
    • Segmenting and separating information.
    • Protecting information at the enterprise level.
  • The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if the actor has returned the appliance to a clean state. The ICT does not scan for malware or other indicators of compromise. Ivanti recommends as a best practice that customers always run the ICT in conjunction with continuous monitoring. To avoid malicious activity resulting from manipulation of the internal ICT's results, Ivanti recommends that all customers instead run the external ICT.
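Added example (not from the alert, Ivanti, or the ICT itself): a small Python demonstration of the limitation described above, comparing a point-in-time hash baseline (the snapshot model) with a monitor that retains every observed change. It uses a constructed temporary directory and constructed file contents, and the file names are illustrative only.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed demonstration: a snapshot integrity check (baseline hashes compared
# at one moment) versus an append-only change log (continuous monitoring stand-in).
# A file that is modified and then restored is invisible to the former, not the latter.

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def snapshot(root: Path) -> dict:
    """Point-in-time baseline: relative path -> sha256 of content."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def snapshot_diff(baseline: dict, current: dict) -> set:
    """Files whose content differs from the baseline at the moment of the check."""
    return {k for k in baseline.keys() | current.keys() if baseline.get(k) != current.get(k)}

class ChangeLog:
    """Retains every hash transition seen between polls, so a restore does not erase history."""
    def __init__(self, root: Path):
        self.root = root
        self.last = snapshot(root)
        self.events = []          # (path, old_hash, new_hash)

    def poll(self):
        now = snapshot(self.root)
        for k in sorted(self.last.keys() | now.keys()):
            if self.last.get(k) != now.get(k):
                self.events.append((k, self.last.get(k), now.get(k)))
        self.last = now

def demo() -> tuple:
    """Returns (files flagged by the snapshot check, events recorded by the monitor)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        target = root / "config.txt"          # hypothetical file name
        target.write_text("original\n")
        baseline = snapshot(root)
        monitor = ChangeLog(root)
        target.write_text("tampered\n")       # constructed modification
        monitor.poll()
        target.write_text("original\n")       # restored to the clean state
        monitor.poll()
        flagged = snapshot_diff(baseline, snapshot(root))
        return flagged, monitor.events

if __name__ == "__main__":
    print(demo())
```

The snapshot check returns an empty set after the restore, while the change log holds both transitions; this is why a snapshot tool alone should not be relied on to rule out compromise.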

If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.

Partner Reporting

ACSC - Critical vulnerabilities in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS)

CISA - Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways

CERTNZ - Vulnerabilities in Ivanti Connect gateways actively exploited

NCSC-NZ - Cyber Security Alert: CVEs affecting Ivanti Connect Secure

NCSC-UK - Exploitation of vulnerabilities affecting Ivanti Connect Secure and Ivanti Policy Secure
