Skip to content

2024-004: Critical Vulnerabilities in Ivanti Connect Secure

Table of Contents

On January 10, 2024, Ivanti has released an advisory about two critical vulnerabilities in Ivanti Connect Secure (ICS) and Policy Secure gateways. These vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, have been exploited in the wild and can allow remote attackers to execute arbitrary commands on targeted gateways.


Technical Blog

Advisory: Critical Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways

Published on January 11, 2024

On January 10, 2024, Ivanti released an important advisory regarding two critical vulnerabilities found in their popular products Connect Secure (ICS) and Policy Secure gateways. Attackers have already exploited these vulnerabilities, which are known as CVE-2023-46805 and CVE-2024-21887, and can potentially result in the execution of arbitrary commands on targeted gateways.

Technical Details

The first vulnerability, CVE-2023-46805, is classified with a CVSS score of 8.2. This vulnerability enables an authentication bypass in the gateways' web component, allowing attackers to access restricted resources without proper authorization.

The second vulnerability, CVE-2024-21887, has a CVSS score of 9.1. It is a command injection vulnerability that enables authenticated administrators to execute arbitrary commands on vulnerable appliances by sending specially crafted requests.

When combined, these two vulnerabilities allow attackers to run arbitrary commands on all supported versions of the impacted products, without requiring authentication.

Affected Products

The vulnerabilities impact all supported versions of Ivanti Connect Secure (ICS) and Policy Secure gateways.

Recommendations

While Ivanti is working on releasing the patches, CERT-EU recommends applying the workaround mitigation.release.20240107.1.xml and running the external Integrity Checker Tool (ICT) as soon as possible [3].

Mitigation

Until the patches are made available, users can mitigate the zero-day vulnerabilities by importing the mitigation.release.20240107.1.xml file provided through Ivanti's download portal [3]. Additionally, to counteract observed attempts by threat actors to manipulate Ivanti's internal integrity checker (ICT), it is advisable for customers to run the external ICT [3].

References

  1. Ivanti Connect Secure Zero-Day Vulnerabilities
  2. CVE-2023-46805 Authentication Bypass, CVE-2024-21887 Command Injection in Connect Secure and Policy Secure Gateways
  3. Ivanti Gateway Vulnerability Mitigation

```htmlMITRE ATT&CK Matrix Advisory Analysis

MITRE ATT&CK Matrix from Ivanti Advisory

Advisory Date: January 10, 2024

Critical Vulnerabilities: CVE-2023-46805 and CVE-2024-21887

Enterprise

ATT&CK Tactic Technique Sub-Technique
Initial Access Exploit Public-Facing Application
(T1190)
-
Execution Command and Scripting Interpreter
(T1059)
Command and Scripting Interpreter: Unix Shell
(T1059.004)
Defense Evasion Subvert Trust Controls
(T1553)
Subvert Trust Controls: Gatekeeper Bypass
(T1553.001)

Mobile

ATT&CK Tactic Technique Sub-Technique
- - -
No specific mobile techniques mentioned in the advisory.

ICS

ATT&CK Tactic Technique Sub-Technique
Exploitation for Evasion Exploit Public-Facing Application
(T1190)
-

Mitigations

Mitigation Technique Description
Update Software Import the mitigation.release.20240107.1.xml file available via Ivanti's download portal.
Application Isolation and Sandboxing Run the external Integrity Checker Tool (ICT) to validate the integrity of Ivanti gateways.

References:

``` In the constructed matrix above, specific ATT&CK tactics and techniques have been assigned to the vulnerabilities listed in the advisory. It is important to note that these mappings are not exhaustive and serve as potential categorizations based on the provided information. Sub-techniques have also been added where appropriate, but some entries do not have corresponding sub-techniques listed in the advisory. The Mobile section does not include specific techniques as the advisory does not provide Mobile-specific information. The mitigations section includes the advised immediate actions to address the vulnerabilities, as per the linked references.


This post was generated entirely by an AI language model. Source: CERT EU

Latest

Szele Tamás: Navalnij halála

Szele Tamás: Navalnij halála

Ma új fejezet kezdődött Oroszország történetében, aminek az elejét, meglehet, vérrel írják. De ha minden jól megy, a közepétől visszatérnek a tintához.

Members Public