The US Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 24-01 [1] [2] [3] [4] [5] [6] [7] [8] [10], requiring all civilian federal agencies to immediately implement the vendor-published mitigation guidance for Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) [6]. The directive addresses vulnerabilities in these products that are being actively exploited by multiple threat actors.

Description

The vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure [1] [2] [4] [5] [7] [8] [9] [10], an authentication bypass (CVE-2023-46805) and a code injection bug (CVE-2024-21887) [2] [7], allow unauthorized access [2], data exfiltration [2] [3] [5] [10], and the establishment of persistent system access [1]. They have been actively exploited since January 11, resulting in over 1,700 compromised devices. To mitigate these risks [9], Ivanti is releasing patches and, in the meantime, a temporary mitigation in the form of an XML file, which affected organizations are urged to apply immediately [9]. CISA recommends running Ivanti's External Integrity Checker Tool to detect any indications of compromise [2] [9] [10]. If a compromise is detected [2], agencies should report it to CISA and take further steps to remove and restore the affected products [2]. Additionally, agencies must provide a complete inventory of all instances of Ivanti Connect Secure and Ivanti Policy Secure products within one week [2]. CISA will deliver a report on the status and outstanding issues by June 1, 2024 [2].

Conclusion

The directive was issued in response to widespread attacks against Ivanti Connect Secure VPN appliances, with thousands of devices compromised [3]. Private-sector organizations are also urged to take the threat seriously [3]. Ivanti is expected to release an update soon to address the vulnerabilities [7]. Cybersecurity firms Volexity and Mandiant have observed attacks that use these vulnerabilities to deploy web shells and passive backdoors for persistent access [7]. It is estimated that around 2,100 devices worldwide have been compromised so far [7]. Immediate implementation of the vendor-published mitigation guidance and the cooperation of all agencies are crucial to mitigating the risks and preventing further compromises.

References

[1] https://www.bankinfosecurity.com/cisa-directs-agencies-to-mitigate-ivanti-zero-day-exploits-a-24147
[2] https://www.cisa.gov/news-events/directives/ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure-vulnerabilities
[3] https://www.crn.com/news/security/2024/cisa-orders-emergency-response-amid-ivanti-vpn-attacks
[4] https://www.techradar.com/pro/security/cisa-is-now-warning-government-agencies-to-patch-ivanti-flaws-immediately
[5] https://www.cybersecuritydive.com/news/cisa-emergency-federal-agencies-ivanti/705103/
[6] https://www.icba.org/newsroom/news-and-articles/2024/01/22/cisa-issues-emergency-directive-on-ivanti-vulnerabilities
[7] https://thehackernews.com/2024/01/cisa-issues-emergency-directive-to.html
[8] https://insidecybersecurity.com/daily-news/cisa-issues-emergency-directive-agencies-address-ivanti-software-vulnerabilities-federal
[9] https://www.infosecurity-magazine.com/news/cisa-emergency-directive-action/
[10] https://federalnewsnetwork.com/cybersecurity/2024/01/cisa-mandates-agencies-close-2-cyber-vulnerabilities-immediately/