Threat actors have exploited multiple vulnerabilities in Ivanti enterprise VPNs, posing a significant risk to organizations globally.

Description

Threat actors have exploited multiple vulnerabilities in Ivanti enterprise VPNs, including CVE-2024-22024 [1], CVE-2023-46805 [1], CVE-2024-21887 [1] [5], CVE-2024-21893 [1] [5], and CVE-2024-21888 [1] [5], to deploy a backdoor named ‘DSLog’ [3]. These vulnerabilities range from high to critical severity and involve authentication bypass [1], server-side request forgery [1] [4], arbitrary command execution [1] [4], and command injection [1] [4]. The Server-Side Request Forgery (SSRF) exploit allows unauthorized access to restricted resources on Ivanti gateways running versions 9.x and 22.x [3]. The backdoor [3], operating surreptitiously within Ivanti devices [3], enables remote command execution and evasion of detection. Some of these vulnerabilities have been exploited by nation-state actors and are now being leveraged by a broader range of threat actors [1]. Despite Ivanti denying exploitation of these vulnerabilities, Akamai has observed malicious activity targeting them [5]. Patch adoption rates for these vulnerabilities remain low, leaving thousands of vulnerable endpoints globally [4], especially in the United States [4]. Yutaka Sejiyama’s research shows that as of February 15, 2024 [1], over half of the 24,239 internet-exposed Ivanti servers remain unpatched for multiple vulnerabilities [1], leaving them exposed to potential attacks [1]. Ivanti has released patches for these vulnerabilities and revealed two new bugs [5]. Concerns have been raised over legacy software running in critical infrastructure [5], with Ivanti denying claims of a CISA takedown requirement for its products [5]. The rapid disclosure of vulnerabilities has heightened the risk of prolonged exposure to exploitation [4], emphasizing the need for immediate action and proactive security measures to defend against evolving cyber threats [4].
The presence of details related to the exploit in Russian underground marketplaces highlights the need for heightened vigilance and collaborative efforts in combating cyber threats globally [3]. Cybersecurity researcher Jake Williams sees Ivanti’s vulnerabilities and slow incident response as an existential threat to the business [2], attributing the current problems to neglect of secure coding and security testing [2]. Williams doubts Ivanti’s ability to recover and survive as an enterprise firewall brand [2]. Enterprise cyber teams are advised to disconnect Ivanti VPN appliances and update before reconnecting or replace them altogether with fully updated gear [2]. Some experts suggest that sticking with Ivanti may not be worth the risk [2], emphasizing the need for serious software engineering to address the threat [2].

Conclusion

The exploitation of vulnerabilities in Ivanti enterprise VPNs poses serious risks to organizations, highlighting the importance of prompt patching and proactive security measures. The slow response to incidents and the presence of details in underground marketplaces underscore the need for heightened vigilance and collaborative efforts in combating cyber threats. Organizations are advised to take immediate action to mitigate risks and protect against evolving threats.

References

[1] https://www.redpacketsecurity.com/over-13-000-ivanti-gateways-vulnerable-to-actively-exploited-bugs/
[2] https://www.darkreading.com/cybersecurity-operations/ciso-corner-cio-convergence-critical-security-metrics-ivanti-fallout
[3] https://foresiet.com/blog/spotting-the-dslog-backdoor-ivanti-0day-vulnerability-check
[4] https://www.techtimes.com/articles/301727/20240216/ivanti-firmware-appears-vulnerable-multiple-security-flaws-heres-alarming-part.htm
[5] https://www.infosecurity-magazine.com/news/new-ivanti-vulnerability-security/