{"id":4646,"date":"2024-02-16T11:37:54","date_gmt":"2024-02-16T18:37:54","guid":{"rendered":"https:\/\/zed.inguardians.com\/?p=4646"},"modified":"2024-02-16T11:37:54","modified_gmt":"2024-02-16T18:37:54","slug":"a-fifth-vulnerability-found-in-ivanti-vpns","status":"publish","type":"post","link":"https:\/\/zed.inguardians.com\/blog\/a-fifth-vulnerability-found-in-ivanti-vpns\/","title":{"rendered":"A Fifth Vulnerability Found in Ivanti VPNs"},"content":{"rendered":"
Issue

On Friday, February 9th, Ivanti disclosed[1] another vulnerability found in its Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure VPN products. Named CVE-2024-22024, this vulnerability permits a bad actor to access restricted product resources without authentication. By exploiting this vulnerability and one other in concert, a bad actor could fully compromise the VPN appliance. The actor could steal passwords and use the appliance as a beachhead to attack the rest of an Ivanti customer’s network.

This is the fifth recently disclosed vulnerability in the Ivanti Connect Secure and Policy Secure products. According to Mandiant (with medium confidence), exploitation of these vulnerabilities was initially carried out by espionage operations linked to China. As proof-of-concept exploits have become available, including a Metasploit module,[2] the breadth of perpetrators has grown. The US Cybersecurity and Infrastructure Security Agency (CISA) found the risks here strong enough to initially order all federal agencies to apply mitigations and patches, and then to replace that with an order to disconnect, wipe, and update the appliances.[3] CISA also directed agencies to assume all domain accounts associated with the products were compromised. The wider information security community shares CISA’s concerns.

Impact

Many organizations running the affected Ivanti products have already been breached, with two specific goals seeing the most exposure:

ShadowServer has been scanning publicly accessible Ivanti VPN appliances for published indicators of compromise, including specific remote control “web shells.” As of this newsletter’s publication, ShadowServer reports roughly 20,000 Ivanti VPNs are reachable on the public Internet, roughly 300 of which ShadowServer confirmed compromised. Of these, ShadowServer found 132 that were still stealing credentials and forwarding usernames and passwords to bad actors. Note that these numbers only account for ShadowServer’s scan results; other devices will be compromised but not included in these results, as those devices are not using the specific post-exploitation web shells known to ShadowServer.

Recommendations

InGuardians recommends that clients strongly consider CISA’s advice in this matter. It should also be noted that additional vulnerabilities may be discovered in these products soon.

CISA’s recommendation to US federal agencies included disconnecting all instances of Ivanti Connect Secure and Ivanti Policy Secure and beginning threat hunting on any systems the Ivanti device had recently connected to. Before reconnection, CISA recommended performing a factory reset, rebuilding the device per Ivanti’s instructions, and updating to a supported software version. CISA also recommended resetting the device’s passwords and API keys. Finally, and perhaps most subtly, CISA recommended resetting passwords, tickets, and tokens for any Active Directory accounts that were associated with these products.

As recent Ivanti appliance compromises have involved modification of the appliance’s internal integrity checking tool, InGuardians recommends using Ivanti’s external integrity tool.[4] Notwithstanding the utility of the tool, InGuardians recommends that CISOs consider wiping even appliances that the tool gives an “all clear” signal to, out of an abundance of caution.

Finally, InGuardians recommends watching Ivanti’s vulnerability knowledge base articles describing CVE-2024-22024,[1] CVE-2024-21888 & CVE-2024-21893,[5] and CVE-2023-46805 & CVE-2024-21887[6] for updates, as Ivanti has been editing these articles as the situation has progressed.

Additional Resources

[1] CVE-2024-22024 (XXE) for Ivanti Connect Secure and Ivanti Policy Secure (Ivanti)
https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US

[2] Metasploit module which uses CVE-2023-46805 and CVE-2024-21887 to gain remote code execution
https://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html

[3] CISA Supplemental Direction V1: ED-24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities
https://www.cisa.gov/news-events/directives/supplemental-direction-v1-ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure

[4] KB44755 – Pulse Connect Secure (PCS) Integrity Assurance (External Integrity Tool)
https://forums.ivanti.com/s/article/KB44755

[5] CVE-2024-21888 Privilege Escalation for Ivanti Connect Secure and Ivanti Policy Secure