Pierluigi Paganini February 01, 2024

CISA is ordering federal agencies to disconnect Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.

For the first time since its establishment, CISA is ordering federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.

The CISA’s emergency directive orders to disconnect all instances no later than 11:59PM on Friday February 2, 2024.

“As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks.” reads the directive.

The government agency recommends continuing to look for indicators of compromise on any systems connected to—or recently connected to—the affected Ivanti device.

The government experts also ordered to monitor the authentication or identity management services that could be exposed and urged to isolate the systems from any enterprise resources to the greatest degree possible. CISA also warned to continue to audit privilege-level access accounts.

“To bring a product back into service, agencies are required to perform the following actions:

1. Export configuration settings.
2. Complete a factory reset per Ivanti’s instructions.
3. Rebuild the device per Ivanti’s instructions AND upgrade to one of the following supported software versions through Ivanti’s download portal (there is no cost to upgrade): 9.1R18.3, 22.4R2.2, 22.5R1.1, 9.1R14.4, 9.1R17.2.”

IVANTI recently warned of four zero-days, three of which are actively exploited in the wild.

In early January, the software firm reported that threat actors are exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways.

The flaw CVE-2023-46805 (CVSS score 8.2) is an Authentication Bypass issue that resides in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. A remote attacker can trigger the vulnerability to access restricted resources by bypassing control checks.

The second flaw, tracked as CVE-2024-21887 (CVSS score 9.1) is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. An authenticated administrator can exploit the issue by sending specially crafted requests and execute arbitrary commands on the appliance.

An attacker can chain the two flaws to send specially crafted requests to unpatched systems and execute arbitrary commands. 

“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.” reads the advisory published by Ivanti.

This week Ivanti warned of two new high-severity vulnerabilities in its Connect Secure and Policy Secure solutions respectively tracked as CVE-2024-21888 (CVSS score: 8.8) and CVE-2024-21893 (CVSS score: 8.2). The software company also warned that one of these two vulnerabilities is under active exploitation in the wild.

The vulnerability CVE-2024-21888 is a privilege escalation issue that resides in the web component of Ivanti Connect Secure (9.x, 22.x) and Policy Secure (9.x, 22.x). An attacker can exploit the vulnerability to gain admin privileges.

The second flaw CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Connect Secure (9.x, 22.x), Policy Secure (9.x, 22.x) and Neurons for ZTA. An authenticated attacker can exploit the issue to access certain restricted resources.

The company also warns that the situation is still evolving and multiple threat actors can rapidly adapat their tactics, techniques, and procedures to exploit these issues in their campaigns.

“At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted. Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public – similar to what we observed on 11 January following the 10 January disclosure.” reads the advisory.

“Be aware that the situation is still evolving. Ivanti will update this knowledge base article as more information becomes available.”

The software firm recommends importing the “mitigation.release.20240126.5.xml” file via the download portal as temporary workarounds to address CVE-2024-21888 and CVE-2024-21893.

Mandiant researchers recently discovered new malware employed by a China-linked APT group known as UNC5221 and other threat groups targeting Ivanti Connect Secure VPN and Policy Secure devices.

The cybersecurity firm reported that threat actors are employing the malware in post-exploitation activity, likely performed through automated methods.

Mandiant recently observed a mitigation bypass technique used to deploy a custom web shell tracked as BUSHWALK. Successful exploitation would bypass the initial mitigation provided by Ivanti on Jan. 10, 2024.

Mandiant speculates that mitigation bypass activity is highly targeted, restricted, and differs from the mass exploitation activity observed after the disclosure of the Ivanti flaws.

Other malware employed in the attack is a new variant of the LIGHTWIRE web shell, the Python web shell backdoor CHAINLINE and FRAMESTING web shell.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, IVANTI)