Vulnerability Summary:
- Affected Products: Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS)
- Notable Vulnerabilities: CVE-2023-46805, CVE-2024-21887
- Impact: High, with widespread attacks observed
Context:
Following CISA’s Emergency Directive (ED) 24-01 addressing critical vulnerabilities in Ivanti products, Ivanti has issued an additional warning. The company advises against pushing new device configurations after the mitigation has been applied: a race condition causes key web services to stop, which renders the mitigation ineffective.
Key Developments:
- Mitigation Risks: Applying new configurations to Ivanti appliances can disable the mitigation measures, making devices vulnerable to ongoing attacks.
- Affected Processes: Configuration pushes from Pulse One or nSA, whether full or partial, can trigger this issue.
- Recommendation: Ivanti advises halting configuration pushes until after appliances are patched.
- Attack Scope: Large-scale attacks have been observed exploiting the vulnerabilities, particularly CVE-2023-46805 and CVE-2024-21887, giving attackers extensive network access, the ability to exfiltrate data, and persistent access to compromised systems.
Implications for Organizations:
- Widespread Impact: Thousands of Ivanti appliances are exposed online, with significant numbers already compromised.
- Diverse Victimology: The attacks have impacted a wide range of sectors, including government, military, telecommunications, defense, technology, finance, and aerospace industries.
- Variety of Attackers: Multiple threat actors, including state-backed groups, have exploited these vulnerabilities, deploying webshells, malware, and cryptocurrency miners.
Action Items for OP Innovate Clients:
- Immediate Configuration Freeze: Cease all new configuration pushes to Ivanti appliances until further notice.
- Reassess Mitigations: Review and reapply mitigation measures if any configuration was pushed after the mitigation was applied.
- Enhanced Monitoring: Intensify surveillance of Ivanti appliances for signs of compromise.
- Incident Reporting: Promptly report any suspected compromises or anomalies.
- Await Patches: Prepare to implement security patches from Ivanti as soon as they are released.
Closing Note:
The current scenario highlights the intricate and evolving nature of cybersecurity challenges. OP Innovate is committed to delivering up-to-date intelligence and support, assisting our clients in adeptly managing these complexities.
Stay Safe and Informed,
OP Innovate.