Authored by Eli Koopman
In early January, Ivanti acknowledged two critical zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) in their Connect Secure and Policy Secure Gateways. These vulnerabilities open the door for remote unauthenticated code execution across all supported versions. Volexity’s investigation, which we’ve linked below, reveals active exploitation in the wild.
Understanding Ivanti Connect Secure
Ivanti Connect Secure is an SSL VPN solution, used for enabling secure remote connections to centralized business resources. It’s a tool for remote workers to access critical resources, such as file shares, from anywhere.
Understanding Ivanti Policy Secure
Ivanti Policy Secure is a network access control solution used to limit access to resources through access control lists (ACLs) and virtual LANs (VLANs).
How Ivanti Connect Secure is Being Exploited
Here’s a high-level overview of the exploitation process:
- CVE-2023-46805: This vulnerability allows unauthenticated attackers to bypass authentication and access sensitive information on the gateway via a directory traversal attack.
- CVE-2024-21887: This allows an authenticated administrator to execute remote commands via a URL carrying an encoded payload, which could be used to create new user accounts or access existing users' data.
By combining these vulnerabilities, attackers can execute code on the host without authentication, creating a significant security threat and potentially gaining a foothold in the network.
What Can You Do
Ivanti has released patches for these vulnerabilities, alongside a tool to check for vulnerabilities in your environment. It’s imperative for users of Ivanti products to apply these updates immediately.
Additionally, active monitoring and consistent patching are key. Establish and follow a thorough patching process to keep external resources secure. Post-patching, vigilantly monitor user and machine activities for any anomalies. For instance, in a scenario like this exploit, alerts for new account creation or access from unusual IP addresses are crucial for early breach detection.
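As an added example (not from this post, and not an Ivanti tool), here is a minimal version of the post-patch check described above: it learns each user's source IPs from a baseline window, then alerts on new account creation and on logins from addresses not seen before. The log line format, field names and event types are constructed for the example and are not Ivanti's real log format.

```python
"""Post-patch anomaly checks: flag new account creation and access from
IP addresses outside a per-user baseline. The log format below is
CONSTRUCTED for this example and is not the gateway's real syslog format;
adapt LINE_RE to the actual output before use."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events: "<ISO timestamp> <EVENT> user=<name> ip=<addr>"
# The HEARTBEAT line deliberately does not match and must be skipped.
SAMPLE_LOG = """\
2024-01-08T09:00:00 LOGIN user=alice ip=203.0.113.10
2024-01-08T09:05:00 LOGIN user=bob ip=203.0.113.11
2024-01-09T10:00:00 LOGIN user=alice ip=203.0.113.10
2024-01-09T11:00:00 HEARTBEAT
2024-01-11T02:13:00 LOGIN user=alice ip=198.51.100.7
2024-01-11T02:14:00 USER_CREATE user=svc_backup ip=198.51.100.7
2024-01-11T02:15:00 LOGIN user=svc_backup ip=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) ip=(\S+)$")

def parse(log_text):
    """Yield (timestamp, event, user, ip) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def detect_anomalies(log_text, baseline_end_iso):
    """Return a list of alert strings.
    Events before `baseline_end_iso` train the per-user set of known source
    IPs; later events are checked against it. Any USER_CREATE after the
    baseline is always alerted, and a login from an unseen IP is alerted
    once per (user, ip) pair."""
    baseline_end = datetime.fromisoformat(baseline_end_iso)
    known_ips = defaultdict(set)
    alerts = []
    for ts, event, user, ip in parse(log_text):
        if ts < baseline_end:
            if event == "LOGIN":
                known_ips[user].add(ip)
            continue
        if event == "USER_CREATE":
            alerts.append(f"{ts.isoformat()} new account created: {user} from {ip}")
        elif event == "LOGIN" and ip not in known_ips[user]:
            alerts.append(f"{ts.isoformat()} unseen source IP for {user}: {ip}")
            known_ips[user].add(ip)  # suppress repeat alerts for this pair
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG, "2024-01-10T00:00:00"):
        print(alert)
```

A login by a freshly created account is also flagged, because that account has no baseline; in practice the baseline window should be taken from before the patch date so that attacker-created accounts never become "known".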
How CLA Can Help
CLA’s cybersecurity team has years of experience performing risk assessments and application reviews, responding to cyber incidents, and helping mitigate them. Please contact us for help in assessing and mitigating your risk of a cyber-attack.
Resources