CISA’s Advisory on Ivanti Vulnerabilities and Mitigation Challenges (CVE-2023-46805, CVE-2024-21887)

Bar Refael

January 23, 2024

Vulnerability Summary:

  • Affected Products: Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS)
  • Notable Vulnerabilities: CVE-2023-46805, CVE-2024-21887
  • Impact: High, with widespread attacks observed

Context:

Following CISA’s Emergency Directive (ED) 24-01 addressing critical vulnerabilities in Ivanti products, Ivanti has issued an additional warning. The company advises against pushing new device configurations post-mitigation applications due to a race condition that causes key web services to stop, rendering the mitigation ineffective.

Key Developments:

  • Mitigation Risks: Applying new configurations to Ivanti appliances can disable the mitigation measures, making devices vulnerable to ongoing attacks.
  • Affected Processes: Configuration pushes through Pulse One or nSA, and both full and partial pushes, can trigger this issue.
  • Recommendation: Ivanti advises halting configuration pushes until after appliances are patched.
  • Attack Scope: Large-scale attacks have been observed exploiting the vulnerabilities, particularly CVE-2023-46805 and CVE-2024-21887, allowing attackers extensive network access, data exfiltration, and persistent system breach.

Implications for Organizations:

  • Widespread Impact: Thousands of Ivanti appliances are exposed online, with significant numbers already compromised.
  • Diverse Victimology: The attacks have impacted a wide range of sectors, including government, military, telecommunications, defense, technology, finance, and aerospace industries.
  • Variety of Attackers: Multiple threat actors, including state-backed groups, have exploited these vulnerabilities, deploying webshells, malware, and cryptocurrency miners.

Action Items for OP Innovate Clients:

  • Immediate Configuration Freeze: Cease all new configuration pushes to Ivanti appliances until further notice.
  • Reassess Mitigations: Review and reapply mitigation measures if configurations were changed post-mitigation.
  • Enhanced Monitoring: Intensify surveillance of Ivanti appliances for signs of compromise.
  • Incident Reporting: Promptly report any suspected compromises or anomalies.
  • Await Patches: Prepare to implement security patches from Ivanti as soon as they are released.

Closing Note:

The current scenario highlights the intricate and evolving nature of cybersecurity challenges. OP Innovate is committed to delivering up-to-date intelligence and support, assisting our clients in adeptly managing these complexities.

Stay Safe and Informed,

OP Innovate.

Under Cyber Attack?

Fill out the form and we will contact you immediately.

Under Cyber Attack?

Fill out the form and we will contact you immediately.