- CRITICAL: Server-side request forgery (SSRF) impacting Ivanti Connect Secure and Policy Secure Products
- New Software Updates and Mitigations to Defend Against Exploitation of Ivanti Connect Secure and Policy Secure Gateways
- Apple Releases Security Updates for Multiple Products
_________________________________________________
Server-side request forgery (SSRF) impacting Ivanti Connect Secure and Policy Secure Products
Situation:
Ivanti has disclosed multiple zero-day vulnerabilities in its VPN products, Connect Secure (versions 9.x and 22.x) and Policy Secure (versions 9.x and 22.x). The initial disclosure covered two CVEs, CVE-2023-46805 and CVE-2024-21887, which allow a remote attacker to bypass authentication and inject commands. Ivanti released a patch, which was immediately bypassed by two additional flaws (CVE-2024-21888 and CVE-2024-21893) that allow an attacker to perform privilege escalation and server-side request forgery.
Problem:
Chinese state-backed hackers have exploited Ivanti VPNs since December 2023. Exploitation attempts have originated from more than 170 unique IP addresses; they aim to establish a reverse shell, and some of them exploited the latest vulnerability, CVE-2024-21893. These attackers are exploiting the SSRF flaw in the SAML component of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA, which allows attackers to access restricted resources without authentication.
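As an added, generic illustration (not Ivanti's code and not tied to the affected products' internals) of the defensive check a server-side fetcher such as a SAML metadata retriever should apply before making a request: the scheme and host allowlist, the example hostname idp.example.org, the constructed resolver and the sample addresses below are all assumptions.

```python
"""Defensive SSRF target validation (added example; not from the advisory).

An SSRF flaw lets an attacker steer a server-side fetch at restricted
resources (loopback services, RFC1918 hosts, cloud metadata endpoints).
This validator only lets the fetcher reach allowlisted public hosts and
pins the resolved address so a later DNS answer cannot swap in an internal
one (DNS rebinding).
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: only these identity-provider hosts may be contacted server-side.
ALLOWED_HOSTS = {"idp.example.org"}
ALLOWED_SCHEMES = {"https"}


def _is_public_address(ip):
    """True only for globally routable addresses: rejects loopback, RFC1918,
    link-local (including 169.254.169.254), multicast, reserved, unspecified."""
    addr = ipaddress.ip_address(ip)
    return not (
        addr.is_private or addr.is_loopback or addr.is_link_local
        or addr.is_multicast or addr.is_reserved or addr.is_unspecified
    )


def _default_resolver(host):
    """Resolve every A/AAAA record for host; all of them must pass the check."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def constructed_resolver(host):
    """Constructed stand-in for DNS so the example runs offline."""
    table = {
        "idp.example.org": ["93.184.216.34"],   # constructed public address
        "rebind.example.org": ["10.0.0.5"],     # allowlisted name pointing inside
    }
    if host not in table:
        raise OSError("no such host: %s" % host)
    return table[host]


def validate_fetch_target(url, resolver=_default_resolver):
    """Return (ok, reason, pinned_ip).

    pinned_ip is the address the caller should actually connect to (with the
    Host/SNI set to the hostname), so the checked address is the used address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme, None
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    # Literal IP addresses would sidestep the hostname allowlist entirely.
    try:
        ipaddress.ip_address(host)
        return False, "literal IP addresses are not allowed", None
    except ValueError:
        pass
    if host not in ALLOWED_HOSTS and host not in {"rebind.example.org"}:
        return False, "host not in allowlist: %r" % host, None
    try:
        addresses = resolver(host)
    except OSError as exc:
        return False, "resolution failed: %s" % exc, None
    if not addresses:
        return False, "host resolved to no addresses", None
    for ip in addresses:
        if not _is_public_address(ip):
            return False, "host resolves to non-public address %s" % ip, None
    return True, "ok", addresses[0]


if __name__ == "__main__":
    # Constructed sample targets: one legitimate, the rest typical SSRF abuse.
    for target in [
        "https://idp.example.org/saml/metadata",
        "http://idp.example.org/saml/metadata",
        "https://127.0.0.1/",
        "https://169.254.169.254/latest/meta-data/",
        "https://[::1]/",
        "https://internal.corp/",
        "https://rebind.example.org/saml/metadata",
    ]:
        print(target, "->", validate_fetch_target(target, constructed_resolver))
```

The rebind.example.org entry is admitted past the allowlist only so the example can show the resolved-address check firing; in a real deployment the allowlist alone would be the first gate and every resolved address the second, and the caller must connect to the returned pinned_ip rather than resolving the name again.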
Implication:
These flaws can enable a threat actor to install web shells and backdoors on breached devices, allowing them to compromise the company network, device configuration files, and other devices on the network.
Observed attacker activity may include:
- Initial exploitation
- Persistence
- Reconnaissance
- Credential stealing
- Lateral movement
- Evidence wiping
- Evasion
Need:
- Apply the patch that Ivanti released in the KB article to address the initial two vulnerabilities (CVE-2023-46805 and CVE-2024-21887).
- Perform a factory reset on the appliance before applying the patch.
- Apply CISA's recommendation to disconnect all instances of Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) solutions from agency networks.
- Apply the patches as they become available, and follow any recommended guidance.
For more information, please refer to the resources listed under "Additional Resources".
Additional Resources:
KB for Ivanti Connect Secure and Ivanti Policy Secure Gateways:
CISA: New Software Updates and Mitigations to Defend Against Exploitation of Ivanti:
https://www.cisa.gov/news-events/alerts/2024/01/30/updated-new-software-updates-and-mitigations-defend-against-exploitation-ivanti-connect-secure-and
CISA Supplemental Direction for ICS and IPS:
Hacker News: Recent SSRF Flaw in Ivanti VPN Products:
https://thehackernews.com/2024/02/recently-disclosed-ssrf-flaw-in-ivanti.html
Bleeping Computer: Newest Ivanti SSRF Zero-Day now under Mass Exploitation:
Zscaler: ThreatLabz coverage advisory on Ivanti’s VPN vulnerabilities:
________________________________________________________
New Software Updates and Mitigations to Defend Against Exploitation of Ivanti Connect Secure and Policy Secure Gateways
Situation:
CISA has updated its alert on new software updates and mitigations to defend against exploitation of Ivanti Connect Secure and Policy Secure Gateways.
Problem:
Two additional vulnerabilities in all supported versions (9.x and 22.x) of Ivanti Connect Secure and Policy Secure Gateways:
- A privilege escalation vulnerability (CVE-2024-21888)
- A server-side request forgery vulnerability (CVE-2024-21893)
Implication:
A cyber threat actor could exploit CVE-2024-21888 and CVE-2024-21893 to take control of an affected system.
Need:
Software updates are also available for the previously reported Ivanti Connect Secure and Policy Secure Gateways vulnerabilities (CVE-2023-46805 and CVE-2024-21887).
Additional Resources:
Updated: New Software Updates and Mitigations to Defend Against Exploitation of Ivanti Connect Secure and Policy Secure Gateways:
_____________________________________________________
Apple Releases Security Updates for Multiple Products
Situation:
Apple has released security updates for iOS and iPadOS, macOS, Safari, watchOS, and tvOS.
Problem:
A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.
Implication:
If a malicious attacker takes control of your system, they would be able to steal, modify, ransom, or delete its data as they please.
Need:
We encourage users and administrators to review the Apple security release and apply the necessary updates.
Additional Resources:
Apple Releases Security Updates for Multiple Products:
https://www.cisa.gov/news-events/alerts/2024/01/23/apple-releases-security-updates-multiple-products
Apple security releases:
https://support.apple.com/en-us/HT201222