In an unprecedented move, the US government’s cybersecurity agency CISA is demanding that federal agencies disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.
“As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks,” the agency said in a fresh emergency directive that ramps up the pressure on defenders to mitigate at least three Ivanti security defects being actively exploited in the wild.
CISA is pushing Federal Civilian Executive Branch (FCEB) agencies to “continue threat hunting on any systems connected to — or recently connected to — the affected Ivanti device” and monitor the authentication or identity management services that could be exposed.
Within 48 hours, the agency said federal network admins must also isolate the systems from any enterprise resources to the greatest degree possible, and continue to audit privilege level access accounts.
“To bring a product back into service, CISA said agencies are required to export the device configuration settings, complete a factory reset per Ivanti’s instructions, and rebuild the device AND upgrade to a fully patched software version.
After struggling to meet its own patch delivery timeline, Ivanti on Wednesday started rolling out fixes on a staggered schedule and disclosed two new security defects in the enterprise-facing VPN appliances.
In all, Ivanti has documented four separate issues:
- CVE-2023-46805 — An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. CVSS severity score 8.2/10. Confirmed exploited as zero-day.
- CVE-2024-21887 — A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet. CVSS 9.1/10. Exploitation confirmed.
- CVE-2024-21888 — A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator. CVSS 8.8/10.
- CVE-2024-21893 — A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. CVSS severity score 8.2/10. Targeted exploitation confirmed.
Volexity first spotted exploitation of these issues three weeks ago and warned that a Chinese government-backed APT hacking team had built an exploit chain to break into US organizations.
Malware hunters at Mandiant are reporting “broad exploitation activity” via automated methods and noted that hackers linked to China have been hitting these bugs as far back as December 3, 2023. SecurityWeek sources say cybercriminal groups have pounced on the public exposures to deploy cryptomers and backdoors.
Related: Ivanti Belatedly Patches Zero-Days and Confirms New Exploit
Related: Ivanti Struggles to Hit Zero-Day Patch Release Timeline
Related: CISA Issues Emergency Directive on Ivanti VPN Zero-Days
Related: Volexity Catches Chinese Hackers Exploiting Ivanti VPN Zero-Days