Alert - Ivanti Connect Secure and Ivanti Policy Secure gateways zero-day vulnerabilities – Update 2

Number: AL24-001
Date: January 31, 2024

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On January 10, 2024, the Cyber Centre was made aware of an authentication bypass vulnerability (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887) impacting Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, and Ivanti Policy Secure (IPS) gateways. Ivanti published a security advisory to highlight these vulnerabilities (Footnote 1). These vulnerabilities impact all supported versions of the software – versions 9.x and 22.x. To highlight the vulnerabilities, the Cyber Centre released an advisory on January 10, 2024 (Footnote 2).

As of January 10, Ivanti has stated that patches are still under active development and are not ready for distribution. Ivanti has released mitigation steps to address these vulnerabilities. Ivanti also suggests monitoring their Knowledge Base article for patch availability updates related to supported versions of Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS), as they become available (Footnote 3).

Ivanti has reported that they are aware of exploitation and have observed evidence of threat actors attempting to manipulate Ivanti’s internal integrity checker tool (ICT), which is used to ensure filesystem integrity.

Volexity has published a report with an incident summary and indicators of compromise for activity related to these vulnerabilities (Footnote 4).

Update 1

On January 15, 2024, Volexity published a report indicating that widespread exploitation has been detected (Footnote 5).

The Cyber Centre is aware of proof-of-concept code available in open source.

On January 16, 2024, Ivanti published new guidance related to recovering from exploitation of these vulnerabilities (Footnote 6).

Any organizations with continued external facing access to the vulnerable services should assume full device compromise.

Update 2

On January 31, 2024, Ivanti updated their security advisory to indicate the release of patches for the authentication bypass (CVE-2023-46805) and command injection (CVE-2024-21887) vulnerabilities impacting Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways (Footnote 1).

Ivanti also disclosed two additional vulnerabilities affecting their Connect Secure, Policy Secure, and Neurons for ZTA products (Footnote 8): a privilege escalation vulnerability (CVE-2024-21888), and a server-side request forgery vulnerability (CVE-2024-21893) in the SAML component that allows a threat actor to access certain restricted resources without authentication. Fixes for these new vulnerabilities are also included in the recently published patches, along with new mitigation advice for supported versions where a patch has not been provided (Footnote 3). The Cyber Centre has released a security advisory to highlight these additional vulnerabilities (Footnote 9).

On January 31, 2024, Mandiant published a blog detailing additional tactics, techniques, and procedures (TTPs) observed in post-exploitation activity, and has published indicators of compromise and signatures to aid in the detection of compromise (Footnote 10).

Suggested actions

The Cyber Centre strongly recommends that:

  • Any organizations using Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways review the Ivanti KB article for mitigation steps and patching information.
  • Organizations review and implement the Cyber Centre’s Top 10 IT Security Actions (Footnote 7) with an emphasis on the following topics:
    • Consolidating, monitoring, and defending Internet gateways.
    • Patching operating systems and applications.
    • Segmenting and separating information.
    • Protecting information at the enterprise level.
  • The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if the actor has returned the appliance to a clean state. The ICT does not scan for malware or other indicators of compromise. Ivanti recommends, as a best practice, that customers always run the ICT in conjunction with continuous monitoring. To avoid malicious activity resulting from manipulation of the internal ICT's results, Ivanti recommends that all customers instead run the external ICT.

If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.

Partner Reporting

ACSC - Critical vulnerabilities in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS)

CISA - Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways

CERTNZ - Vulnerabilities in Ivanti Connect gateways actively exploited

NCSC-NZ - Cyber Security Alert: CVEs affecting Ivanti Connect Secure

NCSC-UK - Exploitation of vulnerabilities affecting Ivanti Connect Secure and Ivanti Policy Secure
