Issue

On Friday, February 9th, Ivanti disclosed[1] another vulnerability found in its Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure VPN products. Named CVE-2024-22024, this vulnerability permits a bad actor to access restricted product resources without authentication. By exploiting this vulnerability in concert with one other, a bad actor could fully compromise the VPN appliance. The actor could steal passwords and use the appliance as a beachhead to attack the rest of an Ivanti customer’s network.

This is the fifth recently disclosed vulnerability in the Ivanti Connect Secure and Policy Secure products. According to Mandiant (with medium confidence), exploitation of these vulnerabilities was initially carried out by espionage operations linked to China. As proof-of-concept exploits have become available, including a Metasploit module,[2] the breadth of perpetrators has grown. The US Cybersecurity and Infrastructure Security Agency (CISA) found the risks serious enough to initially order all federal agencies to apply mitigations and patches, and then to replace that with an order to disconnect, wipe, and update the appliances.[3] CISA also directed agencies to assume all domain accounts associated with the products were compromised. The wider information security community shares CISA’s concerns.

Impact

Many organizations running the affected Ivanti products have already been breached, with attackers pursuing two goals in particular:

  • Credential theft for VPN users and administrators.
  • Code execution on the VPN, permitting lateral movement into the organization’s networks.

ShadowServer has been scanning publicly accessible Ivanti VPN appliances for published indicators of compromise, including specific remote-control “web shells.” As of this newsletter’s publication, ShadowServer reports roughly 20,000 Ivanti VPNs available on the public Internet, of which roughly 300 ShadowServer confirmed as compromised. Of those 300, ShadowServer found 132 that were still stealing credentials and forwarding usernames and passwords to bad actors. Note that these numbers only account for ShadowServer’s scan results – other devices will be compromised but not included in these results, because those devices are not running the specific post-exploitation web shells known to ShadowServer.

Recommendations

InGuardians recommends that clients strongly consider CISA’s advice[3] in this matter. It should also be noted that additional vulnerabilities may be discovered in these products soon.

CISA’s direction to US federal agencies included disconnecting all instances of Ivanti Connect Secure and Ivanti Policy Secure and beginning threat hunting on any systems the Ivanti device had recently connected to. Before reconnection, CISA recommended performing a factory reset, rebuilding the device per Ivanti’s instructions, and updating to a supported software version. CISA also recommended resetting the device’s passwords and API keys. Finally, and perhaps most easily overlooked, CISA recommended resetting passwords, tickets, and tokens for any Active Directory accounts that were associated with these products.
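As an added illustration of the Active Directory step in that guidance (an example script written for this newsletter, not code from CISA or Ivanti), the following PowerShell resets the passwords of the accounts an appliance used; the account names and the 'svc-' naming convention for service accounts are assumptions.

```powershell
# Added example: reset on-prem AD accounts that an Ivanti appliance used.
# Assumes the ActiveDirectory RSAT module and rights to reset the listed accounts.
# The account names below are constructed placeholders; replace them with the
# LDAP bind / service accounts and admin accounts tied to your appliance.
Import-Module ActiveDirectory

$ivantiLinkedAccounts = @(
    'svc-ivanti-ldap',     # placeholder: AD bind account configured on the appliance
    'ivanti-admin-alice'   # placeholder: administrator who authenticated via the appliance
)

function New-RandomPassword {
    param([int]$Bytes = 24)
    # Cryptographically random bytes, base64-encoded (upper, lower, digits, + and /).
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return [Convert]::ToBase64String($buf)
}

foreach ($sam in $ivantiLinkedAccounts) {
    $user  = Get-ADUser -Identity $sam -Properties PasswordLastSet -ErrorAction Stop
    $newPw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force

    # 1. Reset the password so any credential captured through the appliance is dead.
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPw

    # 2. Make interactive users choose their own new password at next logon.
    #    Service accounts are skipped: their new secret is entered into the rebuilt appliance.
    if ($sam -notlike 'svc-*') {
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    }

    Write-Host ("Reset {0} (previous PasswordLastSet: {1})" -f $user.SamAccountName, $user.PasswordLastSet)
}

# Kerberos tickets already issued to these accounts stay valid until they expire
# (the default TGT lifetime is 10 hours); a password reset does not recall them, so
# existing sessions from these accounts should be treated as suspect during the hunt.
# Cloud tokens (refresh tokens in a hosted identity provider) must be revoked separately.
```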

As recent Ivanti appliance compromises have involved modification of the appliance’s internal integrity checking tool, InGuardians recommends using Ivanti’s external integrity tool.[4] Notwithstanding the utility of the tool, InGuardians recommends that CISOs consider wiping the appliances that the tool gives an “all clear” signal to, out of an abundance of caution.

Finally, InGuardians recommends watching Ivanti’s vulnerability knowledge base articles describing CVE-2024-22024,[1] CVE-2024-21888 & CVE-2024-21893[5] and CVE-2023-46805 & CVE-2024-21887[6] for updates, as Ivanti has been editing these articles as the situation has progressed.

Additional Resources

[1] CVE-2024-22024 (XXE) for Ivanti Connect Secure and Ivanti Policy Secure (Ivanti)

https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US

[2] Metasploit module which uses CVE-2023-46805 and CVE-2024-21887 to gain remote code execution

https://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html

[3] CISA Supplemental Direction V1: ED-24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities 

https://www.cisa.gov/news-events/directives/supplemental-direction-v1-ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure

[4] KB44755 – Pulse Connect Secure (PCS) Integrity Assurance (External Integrity Tool)

https://forums.ivanti.com/s/article/KB44755

[5] CVE-2024-21888 Privilege Escalation for Ivanti Connect Secure and Ivanti Policy Secure 

https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US

[6] KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways

https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US