The US government’s cybersecurity agency CISA is ramping up the pressure on organizations to urgently mitigate a pair of critical vulnerabilities in Ivanti Connect Secure VPN devices.
The CISA missive sets strict deadlines for Federal Civilian Executive Branch (FCEB) agencies running Ivanti Connect Secure and Ivanti Policy Secure to apply available mitigations, hunt for infections and share indicators of compromise.
The emergency directive also calls for the removal of compromised products from networks and a report to CISA that provides an inventory of infected devices and details on actions taken.
The CISA emergency directive comes less than two weeks after researchers at Volexity caught a Chinese government-backed hacking team chaining an exploit for the two Ivanti vulnerabilities to launch remote, unauthenticated code execution attacks.
The CISA directive explains the risk:
“When exploited in tandem, these vulnerabilities allow a malicious threat actor to execute arbitrary commands on a vulnerable product. Ivanti has released a temporary mitigation through an XML file that can be imported into affected products to make necessary configuration changes until the permanent update is available.
“This Directive requires agencies to implement Ivanti’s published mitigation immediately to the affected products in order to prevent future exploitation. As this initial action does not remedy an active or past compromise, agencies are also required to run Ivanti’s External Integrity Checker Tool and take additional steps if indications of compromise are detected.”
In a research report released last week, Volexity flagged the two flaws as CVE-2023-46805 and CVE-2024-21887 and warned that they were being exploited against Internet-facing Ivanti Connect Secure VPN appliances (formerly known as Pulse Secure).
Ivanti, a company that has struggled with major security problems, has released pre-patch mitigations for the new vulnerabilities but said comprehensive fixes will be released on a staggered schedule beginning on January 22.
“We are providing mitigation now while the patch is in development to prioritize the best interest of our customers. It is critical that you immediately take action to ensure you are fully protected,” Ivanti said.
The Volexity researchers said they caught the attackers modifying legitimate ICS components and making changes to the system to evade Ivanti’s Integrity Checker Tool; and backdooring a legitimate CGI file (compcheck.cgi) on the ICS VPN appliance to allow command execution.