Ivanti has issued an alert regarding two new significant vulnerabilities discovered in its Connect Secure and Policy Secure products, one of which is already being actively exploited in the wild.
Vulnerability Details:
CVE-2024-21888 (CVSS score: 8.8) – Privilege Escalation Flaw
This flaw affects the web component of Ivanti Connect Secure (versions 9.x, 22.x) and Ivanti Policy Secure (versions 9.x, 22.x), enabling a user to elevate their privileges to administrator level.
CVE-2024-21893 (CVSS score: 8.2) – Server-Side Request Forgery (SSRF) Vulnerability
Found in the SAML component of Ivanti Connect Secure (versions 9.x, 22.x), Ivanti Policy Secure (versions 9.x, 22.x), and Ivanti Neurons for ZTA, this vulnerability allows attackers to access restricted resources without authentication.
Impact Assessment:
Ivanti has found no evidence that CVE-2024-21888 has been used against customers, but it acknowledges targeted exploitation of CVE-2024-21893 affecting a limited number of customers. Ivanti anticipates that exploitation will escalate once this information becomes public.
Mitigation Steps:
In response, Ivanti has promptly released patches for the affected versions: Connect Secure 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1, and ZTA 22.6R1.3. As a precaution, customers are advised to factory reset their appliances before applying the patch so that a threat actor cannot carry persistence across the upgrade; the reset is estimated to take 3-4 hours.
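As an added illustration (not code from Ivanti or from the original advisory), the following Python triages an appliance inventory against the patched builds listed above. It assumes version strings of the form major.minorRrelease.patch, that later patch numbers on a listed release line keep the fix (an assumption, not something the advisory states), and that a product or release line with no listed fixed build needs action; the inventory below is constructed sample data.

```python
import re

# Fixed builds quoted in the advisory text above; Policy Secure has none listed.
PATCHED_BUILDS = {
    "Connect Secure": ["9.1R14.4", "9.1R17.2", "9.1R18.3", "22.4R2.2", "22.5R1.1"],
    "ZTA": ["22.6R1.3"],
}

# Assumed shape of an Ivanti build string: <major>.<minor>R<release>[.<patch>]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version):
    """Split '9.1R14.4' into (9, 1, 14, 4); a missing patch number counts as 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def is_patched(product, version):
    """True only if the build sits on a release line that has a listed fix and is
    at least that fixed build. A build on a release line with no listed fix
    (e.g. 9.1R15.x) is NOT covered just because it is numerically newer than
    9.1R14.4: it must be upgraded to a line that carries the fix."""
    maj, mino, rel, pat = parse_version(version)
    for fixed in PATCHED_BUILDS.get(product, []):
        fmaj, fmino, frel, fpat = parse_version(fixed)
        if (maj, mino, rel) == (fmaj, fmino, frel):
            # Assumption: later patch numbers on the same release line keep the fix.
            return pat >= fpat
    return False


def triage(inventory):
    """inventory: iterable of (hostname, product, version). Returns the hosts
    that are not on a listed fixed build and therefore need reset and upgrade."""
    return [(host, prod, ver) for host, prod, ver in inventory
            if not is_patched(prod, ver)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("vpn-eu-1", "Connect Secure", "9.1R14.4"),   # on a fixed build
    ("vpn-eu-2", "Connect Secure", "9.1R15.2"),   # newer line, but no fix listed
    ("vpn-us-1", "Connect Secure", "22.4R2.1"),   # one patch below the fixed build
    ("zta-gw-1", "ZTA", "22.6R1.3"),              # on a fixed build
    ("nac-1", "Policy Secure", "22.4R2.2"),       # no fixed build quoted here
]

if __name__ == "__main__":
    for host, prod, ver in triage(SAMPLE_INVENTORY):
        print(f"ACTION NEEDED: {host} ({prod} {ver})")
```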
Temporary Workarounds:
As a temporary measure for CVE-2024-21888 and CVE-2024-21893, customers can apply the “mitigation.release.20240126.5.xml” file.
Ongoing Developments:
This announcement follows the exploitation of two earlier flaws (CVE-2023-46805 and CVE-2024-21887) by multiple threat actors for a range of malicious activity. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a recent advisory on these exploits, emphasizing the importance of proactive measures to prevent credential theft and network compromise.
Threat actors have shown sophistication in circumventing existing mitigations and detection methods, exploiting weaknesses and carrying out lateral movement and privilege escalation without being detected. Notably, the external integrity checker tool (ICT) has been compromised, further complicating detection efforts.