CISA Alert Highlights for February 6, 2024
How are Vulnerabilities Rated?
This emergency directive focuses on the Ivanti vulnerabilities that have been recently released by CISA in conjunction with the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). These product vulnerabilities, including Ivanti Connect Secure and Ivanti Policy Secure Gateways have been rated as high-risk per the criteria listed below.
These vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
CISA Ivanti Emergency Directive
UPDATE: 2 February 2024
CISA issues an Emergency Directive that orders any federal agency utilizing Ivanti Connect Secure or Ivanti Policy Secure devices to disconnect them from their networks before midnight on Friday, February 2, 2024 as these devices are being targeted by cyberattacks linked to China.
UPDATE: 31 January 2024
There have been reports that threat actors have developed workarounds to the current mitigation and detection methods, leading to reported ongoing exploitation activity.
CISA strongly advises organizations operating vulnerable Ivanti Connect Secure and Ivanti Policy Secure products to conduct investigation and monitoring for potential compromise of systems. CISA recommends organizations monitor authentication, account usage and identity management services, and consider isolating systems from any enterprise resources as much as possible.
UPDATE: 24 January 2024
Ivanti has updated their mitigation advice warning Administrators to not push new device configurations to appliances after applying mitigations.
KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways
- Ivanti advises customers not to push other configurations to appliances with the mitigation XML in place, until Ivanti releases a complete patch and it is applied.
- When an alternative configuration is pushed to the appliance, it may prevent the mitigation from functioning.
- This applies to customers who push configurations to appliances, including configuration pushes through Pulse One or nSA.
- This can occur regardless of a full or partial configuration push.
POSTED: 11 January 2024
This Critical Alert is affects Australians who are running or administering instances of Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS). These vulnerabilities impact all supported versions – Version 9.x and 22.x.
Organizations are encouraged to apply any available mitigations and patches as soon as possible.
Background / What happened?
- Ivanti has released security advisories and mitigations for 2 critical vulnerabilities in the Ivanti Connect Secure and Ivanti Policy Secure gateways.
- CVE-2023-46085: This is an authentication bypass vulnerability in the web component of ICS (9.x, 22.x) and IPS and allows a remote attacker to access restricted resources by bypassing control checks.
- CVE-2024-21887: This is a command injection vulnerability in web components of ICS (9.x, 22.x) and IPS and allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
• Ivanti is aware of active exploitation of these vulnerabilities.
Mitigation / How do I stay secure?
Organizations that use Ivanti Connect Secure and/or Ivanti Policy Secure should follow the mitigations advice provided in the Ivanti Security Advisory below:
Assistance / Where can I go for help?
Organizations or individuals that have been impacted or require assistance can contact the Spry Cyber team at Spry Squared at 720.724.7730.
Learn more here: Critical vulnerabilities in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS)
