16 min read

Multiple Ivanti Vulnerabilities

Date: 14/2/2024 | Prepared by: Joel D'Souza, Vulnerability Security Analyst

Purpose 

This bulletin aims to address recently disclosed CRITICAL-risk vulnerabilities present in Ivanti products.

Previously, Triskele Labs released a bulletin addressing vulnerabilities in Ivanti for CVE-2023-46805 and CVE-2024-21887.  

Since then, several more vulnerabilities have been discovered in this product. This bulletin captures all issues discovered thus far. 

The disclosed vulnerabilities allow potential attackers to capture credentials, drop webshells, and escalate privileges.  

As such, Triskele Labs advises that all organisations using affected versions of Ivanti follow the remediation steps outlined in the subsequent sections provided by the US Cybersecurity and Infrastructure Security Agency (CISA) to mitigate the threat associated with vulnerable versions of these devices.  

The Triskele Labs Digital Forensics and Incident Response (DFIR) team has responded to incidents in which Ivanti exploitation has been used to gain initial access to networks, and Triskele Labs is aware of Threat Actors exploiting these vulnerabilities on a mass scale to collect credentials and obtain persistence. 

On 01 February 2024, the Australian Cyber Security Centre (ACSC) released an updated vulnerability disclosure focused on CVE-2023-46805 and CVE-2024-21887, with the recommendation that all organisations should patch the affected devices as a priority as the vendor was aware of active exploitation.  

On 09 February 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) updated its advisory regarding Ivanti Connect Secure and Policy Secure Gateways to reflect three additional vulnerabilities (CVE-2024-21888, CVE-2024-21893, CVE-2024-22024). Additionally, CISA issued version 2 of its Supplemental Direction to its Emergency Directive regarding the containment of these devices across all government agencies.  

The following vulnerabilities have been recently disclosed or updated by the vendor: 

  • CVE-2023-46805: Authentication Bypass 
  • CVE-2024-21887: Command Injection 
  • CVE-2024-21888: Privilege Escalation vulnerability 
  • CVE-2024-21893: Server-Side Request Forgery (SSRF) vulnerability 
  • CVE-2024-22024: XML External Entity (XXE) injection 

Specific information around each of these vulnerabilities can be found in the resources listed in the References section. 

CISA indicated that these vulnerabilities have been used to compromise enterprise networks, with instances of sophisticated threat actors bypassing the external Integrity Checker Tool (ICT) to evade detection. 

Proof-of-concepts for several of these vulnerabilities have been publicly released, with a large amount of them targeting CVE-2024-21893, according to the Shadowserver Foundation. 

Impact  

The attack paths for each of these vulnerabilities could be used for credential harvesting, network traversal, and privilege escalation without detection. Once these attacks are performed, the Triskele Labs DFIR team often sees this result in full network compromise.  

Due to the criticality of these vulnerabilities and their potential exploitation, devices using affected versions of Ivanti should be treated as an optimal target for a threat actor and patched as a priority for the business, to prevent exfiltration of data and leakage of Personally Identifiable Information (PII), and other sensitive data. 

 

Mitigation Actions 

If you are utilising an Ivanti device impacted by this vulnerability, Triskele Labs recommends reviewing firewall logs and other related or relevant log sources for unusual activity.  

Ivanti has released software updates for all the affected Ivanti Connect Secure and Policy Secure Gateway vulnerabilities in Ivanti devices. 

CISA provided the following steps for mitigation of these threats as a mandate for US federal agencies. 

However, they highly recommend other businesses and organisations use these steps to ensure the threat posed by these vulnerabilities is reduced. 

1. Organisations should disconnect instances of Ivanti Connect Secure and Ivanti Policy Secure solution products immediately and follow the set of instructions listed here before bringing any product back into service. For all affected products: 
  1. Continue threat hunting on any systems currently or previously connected to the affected Ivanti device. 
  2. Monitor any authentication or identity management services that could be exposed, for anomalies.  
  3. Isolate the affected systems from any enterprise resources to the greatest degree possible.  
  4. Continue to audit privilege level access accounts for anomalies.  

2. To bring the Ivanti Connect Secure and Ivanti Policy Secure solution products back into service, organisations must perform the following actions: 
  1. Export configuration settings.   
  2. Complete a factory reset per Ivanti’s instructions.  
  3. Rebuild the device per Ivanti’s instructions AND upgrade to a supported software version through Ivanti’s download portal (there is no cost associated to upgrade).  
  4. Reimport the configuration. 
  1. If mitigation XML files were applied to the exported configuration, review the 

Ivanti KB and customer portal  for directions on how to remove the mitigations after upgrading.

 
E. Revoke and reissue any connected or exposed certificates, keys, and passwords, to include the following:  

  1. Reset the admin enable password.  
  2. Reset stored application programming interface (API) keys.  
  3. Reset the password of any local user defined on the gateway, including service accounts used for auth server configuration(s).  


3. For all products returned to service, apply future updates that address the vulnerabilities as they become available and no later than 48 hours following their release by Ivanti.   


4. Organisations running the affected products must assume domain accounts associated with the affected products have been compromised. The following steps should be performed to ensure that credentials are rotated: 

  1. Reset passwords twice for on premise accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments.  
  2. For cloud joined/registered devices, disable devices in the cloud to revoke the device tokens.  

Please refer to the following resources for additional recovery steps from Ivanti: 

Triskele Labs recommends upgrading to the latest version of Ivanti Connect Secure and Ivanti Policy Secure immediately using the steps provided by CISA to ensure permanent mitigation. 

Triskele Labs DefenceShield customers with Assess service (Vulnerability Scanning) are currently being scanned. All customers with our Monitor service (24x7x365 Managed Detection and Response) are - as always - being monitored closely for related Indicators of Compromise (IOCs) and Tactics, Techniques and Procedures (TTPs). 

 

References 

References used for the generation of this release: