Recent Ivanti Connect Secure and Policy Secure Vulnerabilities
If you do not use Ivanti Connect Secure or Ivanti Policy Secure, this bulletin does not apply to you.
TL;DR: In the last few months, exploitation of zero-day vulnerabilities was identified in the Ivanti Connect Secure and Policy Secure products. The Cybersecurity and Infrastructure Security Agency (CISA) believes that actors exploiting these devices can evade Ivanti’s internal and external security tools, resulting in a failure to detect compromise. CISA reports that multiple vulnerabilities are still being actively exploited, and warns users to ensure their devices are patched and up-to-date.
The details: The following vulnerabilities in Ivanti Connect Secure and Policy Secure Gateway were recently exploited: CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893, and CVE-2024-22024. CISA warns that these vulnerabilities continue to be exploited.
Why we’re telling you: Device exploitation can result in unauthorized access to networks. Detecting attacker activity can be difficult, and threat actors are attempting to infect devices to circumvent patches and factory resets. These risks highlight the importance of ensuring these devices are patched, up-to-date, and properly configured.
Immediate recommendations:
- CISA recommends limiting the use of SSL VPN.
Strategic recommendations:
- Ensure a ‘least privilege’ approach is implemented for all accounts.
- CISA recommends assessing risks associated with continued use of these Ivanti products since the threat actor may be able to obtain persistent access to the devices.
References:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b
https://www.cisa.gov/sites/default/files/2024-02/AA24-060B-Threat-Actors-Exploit-Multiple-Vulnerabilities-in-Ivanti-Connect-Secure-and-Policy-Secure-Gateways_0.pdf