CVE-2023-46805, rated CVSS 8.2, is a vulnerability in the Ivanti Connect Secure (ICS) web component that allows cybercriminals to bypass authentication controls, granting unauthorized access to restricted resources. CVE-2024-21887, with a CVSS score of 9.1, is a command injection vulnerability that enables an authenticated user to execute arbitrary commands on the affected systems. Both vulnerabilities affect all supported versions of Ivanti ICS and Policy Secure 9.x and 22.x.
According to Ivanti, these two vulnerabilities were exploited in the wild as early as December 3, 2023. Successful exploitation allows a threat actor to move laterally, perform data exfiltration, and establish persistent system access, fully compromising susceptible devices.
Despite the severity of the situation and the current exploitation of the flaws, Ivanti has planned to release patches to address these vulnerabilities starting the week of January 22, with the final patches expected by February 19.
However, until patches are deployed, a mitigation script (mitigation.release.20240107.1.xml) is available for immediate use. Ivanti recommends importing the mitigation XML file via their download portal to make configuration changes. Agencies must carefully follow instructions, as the XML file can impact or degrade certain product management features.
It's important to note that customers should refrain from pushing configurations to appliances with the XML in place and should only resume after the appliance is patched. To ensure effective mitigation, Ivanti advises running the External Integrity Checker Tool immediately after importing the XML file.
Reports of broader exploitation were published on January 11, and on January 16, a Proof of Concept (PoC) was released to the public by a third party. In response to the escalating situation, the Cybersecurity and Infrastructure Security Agency (CISA) has mandated that U.S. agencies mitigate these vulnerabilities by the end of January 22nd, emphasizing the urgency of addressing these threats.
For agencies using Ivanti Connect Secure and Policy Secure, following Ivanti's instructions for compromised products is imperative. This includes revoking and reissuing stored certificates, resetting admin enabled passwords, resetting stored API keys, and resetting passwords for local users defined on the gateway. Additionally, agencies must apply updates addressing the vulnerabilities within 48 hours of their release by Ivanti and report a complete inventory to CISA one week after receiving this directive.
The situation is evolving, and Ivanti commits to updating information as it becomes available. Organizations must stay vigilant, follow recommended security measures, and act promptly to safeguard their systems from potential exploitation. Remember: the key to effective cyber security is proactive and swift action in the face of emerging threats.
Holm Security has released a remote Vulnerability Test that will verify if the version installed on the target systems is vulnerable to these flaws:
- HID-2-1-5355076 Ivanti Connect Secure Multiple Vulnerabilties (CVE-2023-46805, CVE-2024-21887)
As well as an active Vulnerability Test that will actively check the exploitability of the target system:
- HID-2-1-5355086 Ivanti Connect Secure and Policy Secure Gateways Multiple Vulnerabilities Active Detection (KB43892)
For latest information, please refer to this help desk article.