Ivanti, a software vendor, has released patches for two critical zero-day vulnerabilities that were disclosed at the beginning of the year. Although these patches have been issued, the company has also warned customers about new zero-day flaws, including one that is currently being exploited in the wild. In a security advisory released on Jan. 10, Ivanti detailed two zero-day remote code execution vulnerabilities tracked as CVE-2023-46805 and CVE-2024-21887 that affected Ivanti Policy Secure (IPS) and Ivanti Connect Secure (ICS).
One week later, Volexity, which is credited with discovering the vulnerabilities, confirmed that 1,700 devices worldwide had been compromised since early December, with Mandiant also investigating the exploitation activity. Both Volexity and Mandiant attributed the attacks to a Chinese nation-state threat actor, and it was revealed that the threat actor deployed web shells to maintain persistent access on vulnerable ICS devices, making mitigation even more difficult.
While Ivanti announced the first round of fixes for CVE-2023-46805 and CVE-2024-21887 recently, the software vendor also disclosed two new bugs in ICS and IPS. One is a privilege escalation vulnerability tracked as CVE-2024-21888, and the other is a server-side request forgery flaw assigned to CVE-2024-21893, which Ivanti warned is a zero-day vulnerability under active exploitation. Ivanti noted that exploitation of CVE-2024-21893 appears to be targeted at the moment but expects a sharp increase once the information becomes public.
Ivanti also stated that it had seen no evidence of exploitation of CVE-2024-21888, and on Jan. 31 it released a fix covering all four vulnerabilities for certain ICS versions. The company recommends that customers factory reset their appliance before applying the patch, as a best practice to prevent the threat actor from persisting through the upgrade. However, because of the complexity of the patching process, the company pushed back the release date of the patch for the earlier zero-day vulnerabilities, which had originally been scheduled for the week of Jan. 22.
In a statement to TechTarget, Ivanti assured customers of its commitment to their security and urged them to apply the patch for their version as it becomes available, to apply the new mitigation, and to run the internal and external ICT (Integrity Checker Tool). The CISA alert likewise urged Ivanti customers to apply patches and mitigations as soon as they become available, citing ongoing exploitation, the risk to credentials, and the potential for further compromise of victim networks. It also noted that threat actors had used the vulnerabilities to move laterally and escalate privileges without detection. The ICT helps detect threat activity, and Ivanti added new functionality to it that it urged users to run. CISA recommended that organizations that have run ICS 9.x and 22.x versions and Policy Secure gateways since public disclosure implement “continuous threat hunting on any systems connected to — or recently connected to — the Ivanti device.”
The alert also specified that the ED (Emergency Directive) requires federal agencies to mitigate the recently discovered Ivanti vulnerabilities. CISA observed widespread exploitation of the Ivanti flaws and noted that exploitation could result in full system compromise. The company has faced similar issues in the past: the article mentioned that in 2021, Chinese hackers exploited an authentication bypass vulnerability in Ivanti against government targets. The blog also warned that Pulse Connect Secure has been a popular target for ransomware groups and other nation-state threat actors, and it listed eight vulnerabilities that were exploited against the VPN products over the past five years.
Referring to the ransomware and malware attacks of the pandemic years, Tenable research engineers Scott Caveza and Satnam Narang named potentially vulnerable products, including the Pulse Secure VPN, and warned users in general to be more cautious online. Overall, the company has been upfront about the issues and has required patches to be in place so that clients and the company are not left vulnerable to attacks.