Ivanti has recently disclosed two critical zero-day vulnerabilities in its Connect Secure and Policy Secure gateways [5]. These vulnerabilities are being actively exploited by suspected state-linked hackers, posing a significant risk to federal enterprises [10]. In this article, we provide a detailed description of the vulnerabilities and the actions being taken to mitigate the threat.

Description

Ivanti has identified two vulnerabilities [5], tracked as CVE-2023-46805 and CVE-2024-21887 [7] [8] [10], which together allow unauthenticated remote code execution [4] [7] [8] [9]. The first vulnerability, CVE-2023-46805 [1] [3] [4] [5] [6] [7] [8] [9] [10], enables remote attackers to bypass two-factor authentication and gain access to restricted resources. The second vulnerability, CVE-2024-21887 [1] [3] [4] [5] [6] [7] [8] [9] [10], allows authenticated attackers with administrative privileges to execute arbitrary code within targeted networks [5].

The attacks involving these vulnerabilities began on December 3, 2023, and chained the two flaws to achieve unauthenticated remote code execution [9]. The attackers downloaded remote files, stole configuration data [10], and modified existing files [10]. They also implanted the GLASSTOKEN webshell. Ivanti is currently working with Mandiant to mitigate the threat and is releasing patches on a staggered schedule starting the week of January 22 [10], with the final version ready by the week of February 19 [10].

Security researcher Kevin Beaumont has identified approximately 15,000 affected Ivanti appliances worldwide that are exposed to the internet [2] [7]. These vulnerabilities have been added to the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerability Catalog [10], further highlighting the severity of the issue.

It is unclear whether any data exfiltration has occurred as a result of these attacks [7]. However, organizations are urged to follow Ivanti’s mitigation guidance [7], and the US cybersecurity agency CISA has advised immediate mitigation of the vulnerabilities [7]. These attacks serve as a reminder of the importance of promptly patching systems and enhancing security measures to protect against such threats.

According to Volexity research [8], Chinese nation-state actors are actively exploiting these two zero-day vulnerabilities in Ivanti VPN services [8]. Ivanti has released mitigation steps while working on a complete patch [8], including an XML file to degrade certain features and an external integrity checker tool [8]. The affected devices are Ivanti Connect Secure and Ivanti Policy Secure, and patches are scheduled for release in January and February [8].

CISA has urged enterprises to address these vulnerabilities promptly [3], as they have been added to its Known Exploited Vulnerabilities catalog. The vulnerabilities include an authentication bypass flaw (CVE-2023-46805) in Ivanti Policy Secure and a command injection flaw (CVE-2024-21887) in Ivanti Connect Secure (ICS) versions 9.x and 22.x [3].

Volexity discovered that a Chinese nation-state actor tracked as UTA0178 exploited these vulnerabilities for unauthenticated remote code execution and performed various malicious activities [3]. Ivanti is aware of fewer than 10 impacted customers [3], and patches are not yet available [3]. Mitigations and workarounds are currently available [3], but the first round of patches will be released in late January [3], with the final version available in February [3].

Conclusion

The disclosure of these critical zero-day vulnerabilities in Ivanti’s Connect Secure and Policy Secure gateways has raised concerns about the security of federal enterprises. The active exploitation by suspected state-linked hackers highlights the need for organizations to promptly address these vulnerabilities. Ivanti is working diligently to release patches and provide mitigation steps, but it is crucial for enterprises to take immediate action to protect their systems. This incident serves as a reminder of the ongoing threats and the importance of maintaining robust security measures.

References

[1] https://www.techradar.com/pro/security/ivanti-warns-connect-secure-zero-days-exploited-by-hackers
[2] https://arstechnica.com/security/2024/01/actively-exploited-0-days-in-ivanti-vpn-are-letting-hackers-backdoor-networks/
[3] https://www.techtarget.com/searchSecurity/news/366565999/Ivanti-confirms-2-zero-day-vulnerabilities-are-under-attack
[4] https://www.crn.com/news/security/2024/ivanti-reports-exploitation-of-two-zero-day-vpn-flaws
[5] https://digital.nhs.uk/cyber-alerts/2024/cc-4432
[6] https://www.infosecurity-magazine.com/news/two-ivanti-zerodays-actively/
[7] https://techcrunch.com/2024/01/11/ivanti-connect-vpn-zero-days-china-backed-hackers/
[8] https://www.csoonline.com/article/1290205/chinese-hackers-exploit-ivanti-vpn-zero-days-for-rce-attacks.html
[9] https://www.tenable.com/blog/cve-2023-46805-cve-2024-21887-zero-day-vulnerabilities-exploited-in-ivanti-connect-secure-and
[10] https://www.cybersecuritydive.com/news/ivanti-connect-secure-active-exploitation/704334/