Advisory February 1, 2024

Two New Zero-days in Ivanti Products

Obrela TI Team

Ivanti has identified two new high-severity vulnerabilities affecting its Connect Secure and Policy Secure products, with one actively exploited in the wild. The vulnerabilities impact versions 9.x and 22.x of Ivanti Connect Secure and Ivanti Policy Secure. Ivanti Neurons for ZTA is also affected by one of the vulnerabilities.

Vulnerability Details

  1. CVE-2024-21888 (CVSS score: 8.8):
    • Description: A privilege escalation vulnerability in the web component allows a user to elevate privileges to that of an administrator.
    • Impact: Critical – Potential for unauthorized privilege escalation.
  2. CVE-2024-21893 (CVSS score: 8.2):
    • Description: A server-side request forgery vulnerability in the SAML component enables an attacker to access restricted resources without authentication.
    • Impact: High – Possibility of unauthorized access to sensitive resources.

Exploitation

Ivanti has observed targeted exploitation of CVE-2024-21893 and anticipates an increase in exploitation once details become public.

Mitigation

  • The company has released security patches for Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1, as well as ZTA version 22.6R1.3.
  • As a precautionary measure, Ivanti recommends factory resetting the appliance before applying the patch to prevent threat actors from gaining upgrade persistence. Temporary workarounds involve importing the “mitigation.release.20240126.5.xml” file.
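To turn the patch list above into a repeatable check, the following Python script (an added example for this advisory, not code from Ivanti or from Obrela) parses Ivanti-style version strings such as 9.1R14.4 or 22.6R1.3 and compares an inventory of appliances against the fixed versions the advisory names. It assumes that a fix applies to one release line (major.minor plus the R number) and that a later build on the same line keeps the fix; any line the advisory does not list is reported as needing manual verification rather than being assumed safe. The inventory entries are constructed sample data.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Fixed versions exactly as listed in the advisory (Connect Secure and ZTA only;
# the advisory lists no separate Policy Secure build numbers, so none are assumed).
PATCHED: Dict[str, List[str]] = {
    "Connect Secure": ["9.1R14.4", "9.1R17.2", "9.1R18.3", "22.4R2.2", "22.5R1.1"],
    "Neurons for ZTA": ["22.6R1.3"],
}

# Ivanti versions look like <major>.<minor>R<release>[.<build>]; the build is optional.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


class IvantiVersion(NamedTuple):
    major: int
    minor: int
    release: int
    build: int

    @property
    def line(self) -> Tuple[int, int, int]:
        """Release line the fix is shipped on: major.minor plus the R number."""
        return (self.major, self.minor, self.release)


def parse_version(text: str) -> IvantiVersion:
    """Parse '22.4R2.2' into its numeric parts; a missing build counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, build = m.groups()
    return IvantiVersion(int(major), int(minor), int(release), int(build or 0))


def assess(product: str, installed: str) -> str:
    """Classify an installed version against the advisory's patch list.

    Returns 'patched' when the installed build is at or above the fixed build on
    the same release line, 'unpatched' when it is below it, and 'unlisted-line'
    when the advisory names no fix for that line (assumption: treat as unverified,
    since the advisory states that 9.x and 22.x are affected).
    """
    inst = parse_version(installed)
    for fixed in PATCHED[product]:
        f = parse_version(fixed)
        if f.line == inst.line:
            return "patched" if inst.build >= f.build else "unpatched"
    return "unlisted-line"


# Constructed sample inventory (hostnames and versions are made up for the example).
INVENTORY = [
    ("vpn-gw-01", "Connect Secure", "9.1R14.3"),
    ("vpn-gw-02", "Connect Secure", "9.1R17.2"),
    ("vpn-gw-03", "Connect Secure", "22.5R1.2"),
    ("vpn-gw-04", "Connect Secure", "22.3R1"),
    ("zta-01", "Neurons for ZTA", "22.6R1.3"),
]


def report(inventory=INVENTORY) -> Dict[str, List[str]]:
    """Group hostnames by assessment so the unpatched ones can be actioned first."""
    out: Dict[str, List[str]] = {"patched": [], "unpatched": [], "unlisted-line": []}
    for host, product, version in inventory:
        out[assess(product, version)].append(host)
    return out


if __name__ == "__main__":
    for status, hosts in report().items():
        print(f"{status:14s} {', '.join(hosts) or '-'}")
```

Hosts in the "unpatched" and "unlisted-line" groups are the ones to schedule for the factory reset and upgrade the advisory recommends, or to cover with the XML mitigation in the meantime.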

Additional Context

  • This disclosure follows the identification of two other zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) in early January, leading to widespread attacks exploiting Ivanti gateways.
  • CISA issued Emergency Directive ED 24-01, instructing federal agencies to mitigate the zero-day flaws promptly.
  • Victims of these vulnerabilities span various industries globally, from government and military organizations to banking, finance, and aerospace companies.
  • Security researchers have identified multiple custom malware strains deployed in these attacks. For example, Volexity and GreyNoise have observed attackers deploying XMRig cryptocurrency miners and Rust-based malware payloads (KrustyLoader) on some victims’ compromised systems.
