Security Advisory: Critical Vulnerabilities in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS)

OVERVIEW

On January 11th, 2024, CTRL Cybersecurity issued a security advisory regarding two vulnerabilities in Ivanti Connect Secure VPN and Ivanti Policy Secure products, identified as CVE-2023-46805 (high severity) and CVE-2024-21887 (critical severity). Chained together, these vulnerabilities pose a significant threat because they enable unauthenticated remote code execution on all supported versions of these products.

DETAILS OF VULNERABILITIES

  1. CVE-2023-46805 (CVSS Score 8.2): An authentication bypass in the web component of Ivanti Connect Secure and Ivanti Policy Secure. It allows a remote attacker to reach restricted resources by circumventing control checks, without supplying valid credentials.
  2. CVE-2024-21887 (CVSS Score 9.1): A command injection vulnerability in the web component that allows an authenticated administrator to execute arbitrary commands on the appliance by sending specially crafted requests. Because CVE-2023-46805 removes the authentication requirement, an attacker can chain the two flaws and reach command execution with no credentials at all.

CURRENT THREAT LANDSCAPE

As of the latest update on January 31, 2024, the Australian Cyber Security Centre (ACSC) has reported that threat actors have developed methods to circumvent the current mitigation and detection techniques, and that exploitation is ongoing.

The ACSC strongly advises organizations using vulnerable Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products to urgently investigate and monitor for signs of system compromise. It recommends heightened monitoring of authentication, account usage and identity management services, and isolating the appliances from enterprise resources as far as possible.

AFFECTED DEVICES

  • CVE-2023-46805 impacts all supported versions of ICS (9.x and 22.x) and IPS (9.x and 22.x).
  • CVE-2024-21887 affects the same versions of ICS and IPS.

RECOMMENDED REMEDIATIONS

CTRL recommends the following:

  • Apply the patch, which is available via the standard download portal, for Ivanti Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1, and for ZTA version 22.6R1.3.
  • If a patch is not yet available for your version, apply the updated mitigation that Ivanti has released. It also addresses additional vulnerabilities and should remain in place until the remaining patches ship.
  • Do not push any new configurations to the appliances until the patch is applied: pushing a configuration to a device running the mitigation can cause the mitigation to stop functioning.
  • Investigate and monitor your devices for potential compromise or malicious activity, including devices that have since been patched, since patching does not remove an existing foothold.
  • Contact Ivanti Support or the Australian Cyber Security Centre for assistance if needed.
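A first step in acting on the recommendations above is confirming, across an estate of appliances, which ones already run a fixed build. The script below is an added example and is not code from CTRL, the ACSC or Ivanti: it parses Ivanti's major.minorRrelease.build version format and compares each appliance against the patched builds listed in the remediation section. It assumes that later builds on the same release train include the fix, that a version with no build suffix is the initial release of that train, and that the version strings are supplied by the operator (for instance, copied from the admin console); the inventory in the block is constructed for illustration.

```python
import re
from typing import NamedTuple

# Fixed builds named in the advisory (Ivanti's 31 January 2024 release),
# keyed by release train (major, minor, R-number) -> minimum fixed build.
# Assumption: builds later than the listed one on the same train also carry the fix.
PATCHED_BUILDS = {
    "ics": {
        (9, 1, 14): 4,   # 9.1R14.4
        (9, 1, 17): 2,   # 9.1R17.2
        (9, 1, 18): 3,   # 9.1R18.3
        (22, 4, 2): 2,   # 22.4R2.2
        (22, 5, 1): 1,   # 22.5R1.1
    },
    "zta": {
        (22, 6, 1): 3,   # 22.6R1.3
    },
}


class Version(NamedTuple):
    major: int
    minor: int
    release: int
    build: int


# Matches strings such as "9.1R18.3", "22.4R2.2" or "22.5R1" (no build suffix).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Version:
    """Parse an Ivanti-style version string. A missing build number is
    treated as build 0, i.e. the initial release of that train."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, build = m.groups()
    return Version(int(major), int(minor), int(release), int(build or 0))


def patch_status(product: str, version_text: str) -> str:
    """Classify an appliance as 'patched', 'vulnerable' or 'no-patch-listed'.

    'no-patch-listed' means the advisory names no fixed build for this release
    train yet; such an appliance should be treated as unpatched and kept on
    Ivanti's mitigation until a patch for its train is released."""
    v = parse_version(version_text)
    fixed_builds = PATCHED_BUILDS[product]
    train = (v.major, v.minor, v.release)
    if train not in fixed_builds:
        return "no-patch-listed"
    return "patched" if v.build >= fixed_builds[train] else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames, not real appliances).
    inventory = [
        ("vpn-syd-01", "ics", "9.1R18.3"),
        ("vpn-syd-02", "ics", "9.1R18.2"),
        ("vpn-mel-01", "ics", "22.5R1"),
        ("vpn-bne-01", "ics", "9.1R16.2"),
        ("zta-gw-01", "zta", "22.6R1.3"),
    ]
    for host, product, version in inventory:
        print(f"{host:12} {version:10} {patch_status(product, version)}")
```

Treat "no-patch-listed" as a finding rather than a pass: it covers the trains for which, as the advisory notes, patches were still in development, and those appliances stay on the mitigation and under heightened monitoring.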
