Enterprise IT software vendor Ivanti is calling urgent attention to two new high-severity vulnerabilities in its Connect Secure and Policy Secure VPN products, warning that one of the bugs was discovered during investigation of ongoing zero-day attacks.
The new alert comes on the same day Ivanti belatedly shipped patches for critical bugs being exploited by multiple hacking gangs and adds to the urgency for Ivanti customers to test and deploy available fixes.
After struggling to meet its own patch delivery timeline, Ivanti on Wednesday started rolling out fixes on a staggered schedule and added documentation for two new security defects.
“As part of our ongoing investigation into CVE-2023-46805 and CVE-2024-21887 we have identified additional vulnerabilities in Ivanti Connect Secure Ivanti Policy Secure, and Ivanti Neurons for ZTA,” the company warned.
Ivanti said one of the flaws allows for privilege escalation while the second is a server-side request forgery in the SAML component that allows a threat actor to access certain restricted resources without authentication.
“We are aware of a limited number of customers impacted by CVE-2024-21887,” Ivanti said.
In all, Ivanti is documenting four separate issues:
CVE-2023-46805 — An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. CVSS severity score 8.2/10. Confirmed exploited as zero-day.
CVE-2024-21887 — A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet. CVSS 9.1/10. Exploitation confirmed.
CVE-2024-21888 — A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator. CVSS 8.8/10.
CVE-2024-21893 — A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. CVSS severity score 8.2/10. Targeted exploitation confirmed.
Digital forensics firm Volexity first spotted exploitation of these issues three weeks ago and warned that a Chinese government-backed APT hacking team had built an exploit chain to break into US organizations.
Ivanti said it was aware of “less than 20 customers” impacted by the vulnerabilities prior to public disclosure but declined to share additional victim details.
Malware hunters at Mandiant are reporting “broad exploitation activity” via automated methods and noted that hackers linked to China have been hitting these bugs as far back as December 3, 2023. SecurityWeek sources say cybercriminal groups have pounced on the public exposures to deploy cryptomers and backdoors.
The late availability of patches is also complicating deadlines set by the US government’s cybersecurity agency CISA for Federal Civilian Executive Branch (FCEB) agencies to apply available fixes, hunt for infections and share indicators of compromise.
The CISA emergency directive originally set a January 22 date for federal agencies to start deploying fixes and remove compromised products from networks. The agency also instructed infected organizations to file a report with CISA with an inventory of infected devices and details on actions taken.
Ivanti, a company that has struggled with major security problems, features prominently in the CISA KEV (Known Exploited Vulnerabilities) catalog.
Related: Ivanti Struggles to Hit Zero-Day Patch Release Timeline
Related: CISA Issues Emergency Directive on Ivanti VPN Zero-Days
Related: Volexity Catches Chinese Hackers Exploiting Ivanti VPN Zero-Days
Related: Exploitation of Ivanti Sentry Zero-Day Confirmed
Related: Critical Vulnerability Haunts Ivanti Endpoint Manager