THE THREAT
On January 31st, 2024, Ivanti released additional information and security patches for the critical zero-day vulnerabilities CVE-2023-46805 and CVE-2024-21887.
The previously disclosed zero-day vulnerabilities are:
- CVE-2023-46805 (CVSS: 8.2) – Authentication Bypass in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure
- CVE-2024-21887 (CVSS: 9.1) – Command Injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure
If exploited together, these vulnerabilities would allow a remote and unauthenticated threat actor to craft malicious requests and execute arbitrary commands on the system. As the first round of security patches to address these vulnerabilities has now been released, it is critical that organizations apply them immediately. Outstanding versions are expected to receive security patches between late January and February 26, 2024.
Notably, Ivanti states that there is evidence that threat actors are manipulating Ivanti’s Internal Integrity Checker Tool (ICT) to avoid detection, as well as bypassing the initial mitigations. Organizations utilizing the impacted products are heavily encouraged to continuously monitor for signs of compromise and apply new mitigations or patches if available.
eSentire has observed exploitation of CVE-2024-21887. The eSentire Threat Intelligence team is actively investigating these vulnerabilities and real-world attacks to develop new detections.
What we’re doing about it
- eSentire MDR for Network has detections in place for CVE-2023-46805 and CVE-2024-21887
- eSentire Managed Vulnerability Service (MVS) has plugins in place to identify both CVE-2023-46805 and CVE-2024-21887
- eSentire is performing threat hunts across the client base to identify signs of compromise
- IP addresses associated with real-world exploitation are blocked via the eSentire Global Block List
- The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities
- eSentire released an initial advisory on this topic on January 11th, 2024
What you should do about it
- Review environments for signs of compromise via:
- Review your IT environment for anomalous traffic from VPN appliances
- Review VPN device logs
- Review authentication and identity management services
- If signs of compromise are identified, organizations will be required to reset passwords, change secrets, and perform in-depth investigations to ensure all persistence mechanisms are removed
- After performing a business review, apply the relevant security patches upon their release
- Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3 was released January 31st
- Monitor this KB page for release updates for other versions and additional guidance
Additional information
Exploitation of CVE-2023-46805 and CVE-2024-21887 was initially limited to a single advanced threat actor group, but exploitation has since transitioned to widespread attacks by various groups. This is in line with the eSentire Threat Intelligence team’s assessment made in the January 11th eSentire advisory. It should be noted that some of these threat actors also appear to have the technical capabilities to locate and utilize bypasses for the previously recommended mitigations and detection methods.
Ivanti’s release of security patches today (January 31st) comes simultaneously with the announcement of additional vulnerabilities in the Connect Secure and Policy Secure products (CVE-2024-21888 and CVE-2024-21893).
In Ivanti’s KB notes, there is the mention of cases involving threat actors manipulating the Internal Integrity Checker Tool (ICT) and Ivanti recommends that the External ICT be used instead; however CISA has stated in their blog post from January 30th, that threat actors have subverted the External ICT as well, likely through restoration of the infected device to a clean state following deployment of a webshell. It is possible CISA’s statement may be on an older version of the External ICT.
References:
[1] https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
[2] https://www.cisa.gov/news-events/alerts/2024/01/30/new-mitigations-defend-against-exploitation-ivanti-connect-secure-and-policy-secure-gateways
[3] https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation
[4] https://www.esentire.com/security-advisories/ivanti-zero-day-vulnerabilities-cve-2023-46805-and-cve-2024-21887
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46805
[6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21887
[7] https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways
