Ivanti is struggling to hit its own promised timeline for the delivery of patches for critical — and already exploited — vulnerabilities in Internet-facing Ivanti Connect Secure VPN appliances (formerly known as Pulse Secure).
The Utah IT software firm originally said it would start shipping patches on a staggered schedule beginning on January 22 but it appears testing and quality issues have led to delays.
Late Friday, Ivanti acknowledged the missed deadline in an updated advisory that cited “the security and quality of each [software patch] release.”
“The targeted release of patches for supported versions is delayed, this delay impacts all subsequent planned patch releases. We are now targeting next week to release a patch for Ivanti Connect Secure (versions 9.1R17x, 9.1R18x, 22.4R2x and 22.5R1.1), Ivanti Policy Secure (versions 9.1R17x, 9.1R18x and 22.5R1x) and ZTA version 22.6R1x,” Ivanti said.
The embattled company said patches for supported versions will still be released on a staggered schedule and cautioned that the timing of patch release is still subject to change.
The patch delays come almost three weeks after researchers at Volexity caught a Chinese government-backed hacking team exploiting two Ivanti zero-day vulnerabilities to break into US organizations.
The absence of official fixes is sure to complicate strict deadlines set by the US government’s cybersecurity agency CISA for Federal Civilian Executive Branch (FCEB) agencies to apply available fixes, hunt for infections and share indicators of compromise.
The CISA emergency directive had set a January 22 date for federal agencies to start deploying fixes. The agency has also called for the removal of compromised products from networks and instructions for infected organizations to file a report with CISA with an inventory of infected devices and details on actions taken.
The CISA directive explains the risk:
“When exploited in tandem, these vulnerabilities allow a malicious threat actor to execute arbitrary commands on a vulnerable product. Ivanti has released a temporary mitigation through an XML file that can be imported into affected products to make necessary configuration changes until the permanent update is available.
“This Directive requires agencies to implement Ivanti’s published mitigation immediately to the affected products in order to prevent future exploitation. As this initial action does not remedy an active or past compromise, agencies are also required to run Ivanti’s External Integrity Checker Tool and take additional steps if indications of compromise are detected.”
In a research report released early January, Volexity tagged the flaws as CVE-2023-46805 and CVE-2024-21887 and warned that they were being exploited against Internet-facing Ivanti VPN appliances.
The Volexity researchers said they caught the attackers modifying legitimate ICS components and making changes to the system to evade Ivanti’s Integrity Checker Tool; and backdooring a legitimate CGI file (compcheck.cgi) on the ICS VPN appliance to allow command execution.
Ivanti, a company that has struggled with major security problems, has released pre-patch mitigations and instructions to minimize attack surfaces.
Related: CISA Issues Emergency Directive on Ivanti VPN Zero-Days
Related: Volexity Catches Chinese Hackers Exploiting Ivanti VPN Zero-Days
Related: Exploitation of Ivanti Sentry Zero-Day Confirmed
Related: Critical Vulnerability Haunts Ivanti Endpoint Manager
Related: Ivanti Patches Critical Vulnerabilities in Avalanche MDM Product