Vulnerability

Ivanti Connect Secure VPN vulnerability

This live blog contains information regarding a vulnerability in Ivanti Connect Secure VPN. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on January 18, 2024.

T-Update

Information about vulnerabilities

Update 18 January 2024

14:30 | On the 16^th of January, cybersecurity company Rapid7 has published a blog post giving a detailed description of the vulnerability and how it can be exploited. With that, a public exploit is now available. Earlier this week an increase in scanning activity for vulnerable instances was noticed. Cybersecurity company Volexity published on the 15^th of January a blog stating they identified 1700 compromised instances.

In our initial blog we only mentioned Ivanti Connect Secure, but also Ivanti Policy Secure is impacted by this vulnerability. The patch release information for this product can be found in the table below.


Version	Product	Target week
9.1R18x	Ivanti Policy Secure	Week of 22 january
22.5R1x	Ivanti Policy Secure	Week of 22 january
9.1R17x	Ivanti Policy Secure	Week of 22 january
22.4R1x	Ivanti Policy Secure	Week of 29 january
22.6R1x	Ivanti Policy Secure	Week of 29 january
9.1R16x	Ivanti Policy Secure	Week of 22 january

Exploitation of the vulnerability is very likely. Combined with the exposed character of the affected solutions, this vulnerability is very critical and must be remediated as soon as possible.

Call to action

Apply the workaround;
Run the Integrity Checker tool;
Apply the patch when released.

If any suspicious or malicious activity is detected during the scan with the Integrity Checker, or when the workaround was not applied before the 16^th of January, consider the device compromised and please contact T-CERT.

The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Update 11 January 2024

12:30 | On the 10^th of January, cyber security company Volexity has published a blog describing the exploitation of two vulnerabilities in Ivanti Connect Secure VPN (formerly known as Pulse Connect Secure). The first vulnerability provides an authentication-bypass and is registered as CVE-2023-46805. The second vulnerability gives an attacker the ability to perform command-injection and is registered as CVE-2024-21887.

When combined, an attacker can run commands on the system without authentication and steal configuration data, modify existing files, download files and reverse tunnel from the Ivanti Connect Secure VPN appliance.

Exploitation of CVE-2023-46805 and CVE-2024-21887 has been observed in the wild, but exploit code or instructions are not publicly available. Ivanti has released a workaround while a patch is in development. The workaround does degrade certain features of the product, so check the impact of the workaround before deployment.

A schedule for the releasing of the patches is provided in this article. It is highly recommended to apply these security patches as soon as possible, but additional steps are required for mitigation, which are described in the articles of Volexity and Ivanti.

‍

Customized cyber security

Background

On the 10th of January, cyber security company Volexity has published a blog describing the exploitation of two vulnerabilities in Ivanti Connect Secure VPN (formerly known as Pulse Connect Secure). The first vulnerability provides an authentication-bypass and is registered as CVE-2023-46805. The second vulnerability gives an attacker the ability to perform command-injection and is registered as CVE-2024-21887. When combined, an attacker can run commands on the system without authentication and steal configuration data, modify existing files, download files and reverse tunnel from the Ivanti Connect Secure VPN appliance.

Risk

The vulnerability CVE-2023-46805 has a CVSS score of 8.2 and CVE-2024-21887 a CVSS score of 9.1. The CVSS scale runs from 0 to 10. Scores of 8.2 and 9.1 are not critical in itself. It is the combination of the two vulnerabilities that implies a high risk of exploitation with high impact.

The CVE-2023-46805 vulnerability is an authentication bypass vulnerability. CVE-2024-21887 is a command injection vulnerability. When combined, an attacker can run commands on the system without authentication and steal configuration data, modify existing files, download files and reverse tunnel from the Ivanti Connect Secure VPN appliance.

Exploitation of CVE-2023-46805 and CVE-2024-21887 has been observed in the wild since the beginning of December 2023, but exploit code or instructions are not publicly available. Combined with the exposed character of the affected solutions, this vulnerability is very critical and must be remediated as soon as possible.

Advice

All supported versions of Ivanti Connect Secure VPN are vulnerable for CVE-2023-46805 and CVE-2024-21887, including:

Version 9.x
Version 22.x

Ivanti has released a workaround, while a patch is in development, eliminating the attack surface temporarily. Be aware that this workaround does degrades certain features. Please refer to the security article of Ivanti for the workaround, software patches and more details: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

Ivanti has released a patch release overview. It is highly recommended to apply the software patch as soon as possible when released.

Table 1
Version	Product	Target week
9.1R14.4	Ivanti Connect Secure	Week of 29 january
9.1R15.3	Ivanti Connect Secure	Week of 12 february
9.1R16.3	Ivanti Connect Secure	Week of 29 january
9.1R17.2	Ivanti Connect Secure	Week of 22 january
9.1R18.3	Ivanti Connect Secure	Week of 22 january
22.1R6.1	Ivanti Connect Secure	Week of 19 february
22.2R4.1	Ivanti Connect Secure	Week of 12 february
22.3R1.1	Ivanti Connect Secure	Week of 29 january
22.4R1.1	Ivanti Connect Secure	Week of 12 february
22.4R2.2	Ivanti Connect Secure	Week of 22 january
22.5R1.1	Ivanti Connect Secure	Week of 22 january
22.5R2.2	Ivanti Connect Secure	Week of 19 february
22.6R1.1	Ivanti Connect Secure	Week of 12 february
22.6R2.2	Ivanti Connect Secure	Week of 29 january
9.1R14.2	Ivanti Policy Secure	Week of 29 january
9.1R15.1	Ivanti Policy Secure	Week of 12 february
9.1R16.1	Ivanti Policy Secure	Week of 29 january
9.1R17.2	Ivanti Policy Secure	Week of 22 january
9.1R18.3	Ivanti Policy Secure	Week of 22 january
22.1R1.1	Ivanti Policy Secure	Week of 12 february
22.1R6.1	Ivanti Policy Secure	Week of 12 february
22.3R1.1	Ivanti Policy Secure	Week of 29 january
22.2R3.1	Ivanti Policy Secure	Week of 12 february
22.4R1.1	Ivanti Policy Secure	Week of 22 january
22.5R1.1	Ivanti Policy Secure	Week of 22 january
22.6R1.1	Ivanti Policy Secure	Week of 29 january
22.5R1.5	ZTA	Week of 29 january
22.6R1.3	ZTA	Week of 22 january

‍

Installation of the workaround (and later the security update) is not sufficient to remediate the risk of this vulnerability. Both Volexity and Ivanti advice to run the External Integrity Checker Tool to detect potential exploitation. This application is developed by Ivanti to ensure the full integrity of your Ivanti Connect Secure. Additionally, Volexity has provided additional steps to detect exploitation and indicators of compromise.

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

‍

Sources

More information:

Sign up to receive T-Updates

Receive the latest vulnerabilities in your email every Wednesday

More than 1,000 organisations have already joined us.

Expertise

Cyber emergency?

088 27 47 800