Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

CISA Sets 48-Hour Deadline for Removal of Insecure Ivanti Products

In an unprecedented move, CISA is demanding that federal agencies disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.

Ivanti VPN exploited

In an unprecedented move, the US government’s cybersecurity agency CISA is demanding that federal agencies disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.

“As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks,” the agency said in a fresh emergency directive that ramps up the pressure on defenders to mitigate at least three Ivanti security defects being actively exploited in the wild.

CISA is pushing Federal Civilian Executive Branch (FCEB) agencies to “continue threat hunting on any systems connected to — or recently connected to — the affected Ivanti device” and monitor the authentication or identity management services that could be exposed.

Within 48 hours, the agency said federal network admins must also isolate the systems from any enterprise resources to the greatest degree possible, and continue to audit privilege level access accounts.

“To bring a product back into service, CISA said agencies are required to export the device configuration settings, complete a factory reset per Ivanti’s instructions, and rebuild the device AND upgrade to a fully patched software version.

After struggling to meet  its own patch delivery timeline, Ivanti on Wednesday started rolling out fixes on a staggered schedule and disclosed two new security defects in the enterprise-facing VPN appliances.

In all, Ivanti has documented four separate issues:

  • CVE-2023-46805 — An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. CVSS severity score 8.2/10. Confirmed exploited as zero-day.
  • CVE-2024-21887 — A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet. CVSS 9.1/10. Exploitation confirmed.
  • CVE-2024-21888 — A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator. CVSS 8.8/10.
  • CVE-2024-21893 — A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. CVSS severity score 8.2/10. Targeted exploitation confirmed.

Volexity first spotted exploitation of these issues three weeks ago and warned that a Chinese government-backed APT hacking team had built an exploit chain to break into US organizations.  

Malware hunters at Mandiant are reporting “broad exploitation activity” via automated methods and noted that hackers linked to China have been hitting these bugs as far back as December 3, 2023. SecurityWeek sources say cybercriminal groups have pounced on the public exposures to deploy cryptomers and backdoors.

Advertisement. Scroll to continue reading.

Related: Ivanti Belatedly Patches Zero-Days and Confirms New Exploit

Related: Ivanti Struggles to Hit Zero-Day Patch Release Timeline

Related: CISA Issues Emergency Directive on Ivanti VPN Zero-Days

Related: Volexity Catches Chinese Hackers Exploiting Ivanti VPN Zero-Days

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.