Table of Contents
On January 10, 2024, Ivanti has released an advisory about two critical vulnerabilities in Ivanti Connect Secure (ICS) and Policy Secure gateways. These vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, have been exploited in the wild and can allow remote attackers to execute arbitrary commands on targeted gateways.
Advisory: Critical Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
Published on January 11, 2024
On January 10, 2024, Ivanti released an important advisory regarding two critical vulnerabilities found in their popular products Connect Secure (ICS) and Policy Secure gateways. Attackers have already exploited these vulnerabilities, which are known as CVE-2023-46805 and CVE-2024-21887, and can potentially result in the execution of arbitrary commands on targeted gateways.
The first vulnerability, CVE-2023-46805, is classified with a CVSS score of 8.2. This vulnerability enables an authentication bypass in the gateways' web component, allowing attackers to access restricted resources without proper authorization.
The second vulnerability, CVE-2024-21887, has a CVSS score of 9.1. It is a command injection vulnerability that enables authenticated administrators to execute arbitrary commands on vulnerable appliances by sending specially crafted requests.
When combined, these two vulnerabilities allow attackers to run arbitrary commands on all supported versions of the impacted products, without requiring authentication.
The vulnerabilities impact all supported versions of Ivanti Connect Secure (ICS) and Policy Secure gateways.
While Ivanti is working on releasing the patches, CERT-EU recommends applying the workaround mitigation.release.20240107.1.xml and running the external Integrity Checker Tool (ICT) as soon as possible .
Until the patches are made available, users can mitigate the zero-day vulnerabilities by importing the mitigation.release.20240107.1.xml file provided through Ivanti's download portal . Additionally, to counteract observed attempts by threat actors to manipulate Ivanti's internal integrity checker (ICT), it is advisable for customers to run the external ICT .
- Ivanti Connect Secure Zero-Day Vulnerabilities
- CVE-2023-46805 Authentication Bypass, CVE-2024-21887 Command Injection in Connect Secure and Policy Secure Gateways
- Ivanti Gateway Vulnerability Mitigation
```htmlMITRE ATT&CK Matrix Advisory Analysis
MITRE ATT&CK Matrix from Ivanti Advisory
Advisory Date: January 10, 2024
Critical Vulnerabilities: CVE-2023-46805 and CVE-2024-21887
|Exploit Public-Facing Application
|Command and Scripting Interpreter
|Command and Scripting Interpreter: Unix Shell
|Subvert Trust Controls
|Subvert Trust Controls: Gatekeeper Bypass
No specific mobile techniques mentioned in the advisory.
|Exploitation for Evasion
|Exploit Public-Facing Application
|Import the mitigation.release.20240107.1.xml file available via Ivanti's download portal.
|Application Isolation and Sandboxing
|Run the external Integrity Checker Tool (ICT) to validate the integrity of Ivanti gateways.
- BleepingComputer Advisory Note
- Ivanti Forum CVE-2023-46805 and CVE-2024-21887
- Ivanti Mitigation Instructions
``` In the constructed matrix above, specific ATT&CK tactics and techniques have been assigned to the vulnerabilities listed in the advisory. It is important to note that these mappings are not exhaustive and serve as potential categorizations based on the provided information. Sub-techniques have also been added where appropriate, but some entries do not have corresponding sub-techniques listed in the advisory. The Mobile section does not include specific techniques as the advisory does not provide Mobile-specific information. The mitigations section includes the advised immediate actions to address the vulnerabilities, as per the linked references.
This post was generated entirely by an AI language model. Source: CERT EU