Advisory February 1, 2024

Two New Zero-days in Ivanti Products

Obrela TI Team

8.4.24 | UPDATE

This vulnerability, along with CVE-2023-46805 and CVE-2024-21887, is currently being exploited by Chinese state-sponsored APT groups to conduct various attacks. Among these groups are UNC5221, UNC3569, UNC5330, and UNC5337.

It is important to upgrade both Ivanti Connect Secure VPN and Ivanti Policy Secure to their latest versions. According to Ivanti, a patch is available for Ivanti Connect Secure (versions 9.1R15.3, 9.1R16.3, 22.1R6.1, 22.2R4.1, 22.3R1.1 and 22.4R1.1) and Ivanti Policy Secure (versions 9.1R16.3, 22.4R1.1 and 22.6R1.1). A build is available for all supported versions.

*******************************

Ivanti has identified two new high-severity vulnerabilities affecting its Connect Secure and Policy Secure products, with one actively exploited in the wild. The vulnerabilities impact versions 9.x and 22.x of Ivanti Connect Secure and Ivanti Policy Secure. Ivanti Neurons for ZTA is also affected by one of the vulnerabilities.

Vulnerability Details

  1. CVE-2024-21888 (CVSS score: 8.8):
    • Description: A privilege escalation vulnerability in the web component allows a user to elevate privileges to that of an administrator.
    • Impact: Critical – Potential for unauthorized privilege escalation.
  2. CVE-2024-21893 (CVSS score: 8.2):
    • Description: A server-side request forgery vulnerability in the SAML component enables an attacker to access restricted resources without authentication.
    • Impact: High – Possibility of unauthorized access to sensitive resources.

Exploitation

Ivanti has observed targeted exploitation of CVE-2024-21893 and anticipates an increase in exploitation once details become public.

Mitigation

  • The company has released security patches for Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1, as well as ZTA version 22.6R1.3.
  • As a precautionary measure, Ivanti recommends factory resetting the appliance before applying the patch to prevent threat actors from gaining upgrade persistence. Temporary workarounds involve importing the “mitigation.release.20240126.5.xml” file.
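As an added example (not code from Obrela or Ivanti), the helper below covers the fixed builds quoted in both the 8.4.24 update and the Mitigation section: it parses Ivanti's `<major>.<minor>R<release>.<build>` version strings and reports whether an inventoried appliance is on, behind, or outside the release lines for which this advisory lists a fixed build. The rule that a fix only covers its own release line, and the inventory entries, are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed builds quoted in this advisory (the 1 Feb 2024 release and the 8 Apr 2024 update).
# Ivanti versions read <major>.<minor>R<release>.<build>; the example assumes a fix only
# covers its own release line, so 9.1R16.3 applies to hosts already on 9.1R16.x.
PATCHED_BUILDS: Dict[str, List[str]] = {
    "Ivanti Connect Secure": [
        "9.1R14.4", "9.1R15.3", "9.1R16.3", "9.1R17.2", "9.1R18.3",
        "22.1R6.1", "22.2R4.1", "22.3R1.1", "22.4R1.1", "22.4R2.2", "22.5R1.1",
    ],
    "Ivanti Policy Secure": ["9.1R16.3", "22.4R1.1", "22.6R1.1"],
    "Ivanti Neurons for ZTA": ["22.6R1.3"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '9.1R16.3' into (9, 1, 16, 3); a missing build number counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, build = m.groups()
    return int(major), int(minor), int(release), int(build or 0)


def assess(product: str, installed: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_build) for one appliance.

    status is 'patched' (installed build >= fixed build of the same release line),
    'vulnerable' (a newer fixed build exists for that line) or 'unknown' (no fixed
    build for that line is listed here, so the host needs a supported release line
    rather than a point release).
    """
    inst = parse_version(installed)
    for candidate in PATCHED_BUILDS.get(product, []):
        fixed = parse_version(candidate)
        if fixed[:3] == inst[:3]:  # same release line, e.g. 9.1R16
            status = "patched" if inst[3] >= fixed[3] else "vulnerable"
            return status, candidate
    return "unknown", None


if __name__ == "__main__":
    # Constructed inventory entries, not real hosts.
    inventory = [("Ivanti Connect Secure", "9.1R16.1"),
                 ("Ivanti Policy Secure", "22.6R1.1"),
                 ("Ivanti Connect Secure", "9.1R13.2")]
    for product, version in inventory:
        print(product, version, *assess(product, version))
```

A "patched" result says nothing about prior compromise: the factory-reset guidance above still applies to appliances that were exposed before the upgrade.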

Additional Context

  • This disclosure follows the identification of two other zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) in early January, leading to widespread attacks exploiting Ivanti gateways.
  • CISA issued Emergency Directive ED 24-01, instructing federal agencies to mitigate the zero-day flaws promptly.
  • Victims of these vulnerabilities span various industries globally, from government and military organizations to banking, finance, and aerospace companies.
  • Security researchers have identified multiple custom malware strains deployed in these attacks. Volexity and GreyNoise, for example, have also observed attackers deploying XMRig cryptocurrency miners and Rust-based malware payloads (KrustyLoader) on some victims’ compromised systems.
