US government agencies ordered to take Ivanti VPN products offline

In January, Ivanti alerted customers that hackers were exploiting two zero-day vulnerabilities in its Ivanti Connect Secure VPN and Ivanti Policy Secure network access control appliances. This week the company revealed that two more vulnerabilities were found in the meantime, one of which is already being exploited in targeted attacks.

Even though patches are now available for all four vulnerabilities, the US Cybersecurity and Infrastructure Security Agency (CISA) has directed all federal agencies to disconnect the affected Ivanti products from their networks by the end of Friday, February 2, and to perform additional forensic analysis and clean-up steps in case the devices have already been compromised.

“As soon as possible and no later than 11:59 p.m. on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks,” CISA said in its emergency directive. “Continue threat hunting on any systems connected to — or recently connected to — the affected Ivanti device. Monitor the authentication or identity management services that could be exposed. Isolate the systems from any enterprise resources to the greatest degree possible. Continue to audit privilege level access accounts.”

CISA's directives are binding only on federal agencies, but private organizations should follow the same steps. Patching closes the vulnerabilities; it does not evict an attacker who already used them to plant a backdoor or harvest credentials, so any instance that was exposed before it was patched has to be treated as potentially compromised until it has been checked and rebuilt.

Two Ivanti vulnerabilities turned into four

This new directive, published on January 31, supersedes the one issued on January 19, which only required agencies to apply the temporary mitigation Ivanti released for CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection flaw), both announced on January 10. Chained together, the two give an unauthenticated attacker command execution on the appliance. They were first observed being exploited in the wild as zero-days by Chinese nation-state actors.

Following Ivanti's January 10 announcement, multiple groups began exploiting the vulnerabilities, and at least 1,700 devices were compromised. There were also reports that some attackers had bypassed the mitigation and were able to evade the appliance's built-in Integrity Checker Tool (ICT), so a clean result from that scan could no longer be trusted as proof that a system had not been backdoored. Ivanti responded by releasing a separately downloaded external Integrity Checker Tool.

However, on January 31 Ivanti disclosed two more vulnerabilities found while investigating the first two: a privilege escalation flaw (CVE-2024-21888) and a server-side request forgery (SSRF) in the SAML component (CVE-2024-21893). The latter allows attackers to reach certain restricted resources without authentication and was also exploited as a zero-day.

“At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted,” the company said in its updated knowledge base article. “Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public — similar to what we observed on 11 January following the 10 January disclosure.”

Additional steps to mitigate risk from Ivanti vulnerabilities required

As of February 1, fixed versions are available for all impacted products. Rather than simply upgrading in place, however, CISA requires agencies to export the device's configuration, factory-reset the appliance, rebuild it on the fixed firmware, and only then import the configuration back, removing any mitigation XML file that was applied earlier. The reason for the rebuild is that an in-place upgrade of a compromised device can leave an attacker's implants behind; only the exported configuration is restored, not a full system image that could carry those implants back onto the clean appliance.

It's also important to revoke and reissue any certificates, keys and passwords that may have been exposed through the device, including the admin enable password, any stored application programming interface (API) keys, and the passwords of all local users defined on the gateway, including the service accounts used in the authentication server configuration.

Domain accounts associated with the affected products may also have been compromised, so agencies should reset the passwords of on-premises accounts, revoke Kerberos tickets, and revoke tokens for cloud accounts in hybrid deployments. The device tokens of cloud-joined devices should be reset as well, by disabling those devices in the cloud identity service. Note that a password reset on its own does not invalidate Kerberos tickets already issued; a ticket-granting ticket stays usable until it expires, which is why ticket revocation is listed as a separate step.
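The credential-rotation steps in the three paragraphs above, as an added PowerShell example that is not code from the article, CISA or Ivanti. It assumes the RSAT ActiveDirectory module and the Microsoft Graph PowerShell SDK are installed, that the operator holds AD password-reset rights and the Graph scopes User.ReadWrite.All and Device.ReadWrite.All, and that the account and device names are constructed placeholders to be replaced with the accounts pulled from the gateway's exported configuration (auth servers, local users, service accounts) and your device inventory. Functions named here (New-RandomPassword, Reset-OnPremAccount, Revoke-HybridUserSessions, Disable-CloudDevice) are this example's own.

```powershell
# Added example, not code from the article, CISA or Ivanti. Rotates the
# credentials a compromised Ivanti gateway could have exposed on the domain
# side: on-prem AD passwords, Entra ID sessions of hybrid users, and the
# device tokens of cloud-joined devices (reset by disabling the device object).
# Assumes RSAT ActiveDirectory + Microsoft Graph PowerShell SDK, AD reset
# rights, and Graph scopes User.ReadWrite.All and Device.ReadWrite.All.
# Account and device names below are constructed placeholders.

function New-RandomPassword {
    param([int]$Bytes = 32)
    # CSPRNG output, base64-encoded (43 characters). Nobody has to type it,
    # so length rather than a memorable pattern is the goal.
    $buf = [byte[]]::new($Bytes)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return [Convert]::ToBase64String($buf)
}

function Reset-OnPremAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Set for human users so they choose their own password at next logon;
        # leave unset for service accounts, which keep the random value.
        [switch]$Interactive
    )
    $user = Get-ADUser -Identity $SamAccountName
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset password twice')) { return }
    # Reset twice: NTLM network logons keep accepting the previous password for
    # a grace period (OldPasswordAllowedPeriod, 60 minutes by default), so the
    # second reset is what actually retires the password the attacker knows.
    1..2 | ForEach-Object {
        $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        # -Reset is an administrative reset; the old password is not required.
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
    }
    if ($Interactive) { Set-ADUser -Identity $user -ChangePasswordAtLogon $true }
    # Kerberos caveat: the new key blocks new ticket requests made with the old
    # password, but TGTs already issued stay valid until they expire (10 hours
    # by default). Domain-wide invalidation means a planned double reset of
    # krbtgt, which is deliberately not automated here.
    Write-Verbose "Reset $SamAccountName"
}

function Revoke-HybridUserSessions {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    if (-not $PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke Entra sign-in sessions')) { return }
    # Invalidates refresh tokens and browser session cookies. Access tokens
    # already issued cannot be revoked and live out their lifetime (about an hour).
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
}

function Disable-CloudDevice {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DisplayName)
    # Single quotes delimit strings in OData filters; escape any in the name.
    $escaped = $DisplayName.Replace("'", "''")
    $devices = Get-MgDevice -Filter "displayName eq '$escaped'"
    if (-not $devices) { Write-Warning "No device object named $DisplayName"; return }
    foreach ($d in $devices) {
        if ($PSCmdlet.ShouldProcess("$DisplayName ($($d.Id))", 'Disable device')) {
            # Disabling the device object invalidates its device tokens; the
            # device is re-enabled (or re-joined) only after it is verified clean.
            Update-MgDevice -DeviceId $d.Id -AccountEnabled:$false
        }
    }
}

# --- constructed sample input; replace with the lists from the exported config ---
$onPremAccounts = @('svc-ivanti-ldap', 'svc-ivanti-radius')
$hybridUsers    = @('svc-ivanti-ldap@corp.example')
$cloudDevices   = @('VPN-ADMIN-JUMP01')

Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Device.ReadWrite.All'

# Order matters in hybrid setups: reset on-prem first so the new hash syncs up,
# then kill cloud sessions so nothing issued under the old credential survives.
foreach ($a in $onPremAccounts) { Reset-OnPremAccount -SamAccountName $a -Verbose }
foreach ($u in $hybridUsers)    { Revoke-HybridUserSessions -UserPrincipalName $u }
foreach ($d in $cloudDevices)   { Disable-CloudDevice -DisplayName $d }
```

Run it first with -WhatIf on each function to review the scope of the changes, and keep the list of reset accounts: every service account whose password changed has to be updated wherever it is configured, which in this scenario includes the auth server settings of the rebuilt gateway.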

Advanced Persistent Threats, Government, Vulnerabilities