Ivanti Warns of New Connect Secure Zero-day Exploited in Attacks

A new set of flaws was disclosed by Ivanti today, affecting Ivanti Connect Secure, Policy Secure, and ZTA gateways. One of these flaws (CVE-2024-21888) is a privilege escalation vulnerability that could allow a malicious actor to elevate privileges to those of an administrator. The other flaw (CVE-2024-21893) is a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA, and can be exploited to gain access to certain restricted resources without authentication. In its advisory Ivanti noted that it has no evidence of any customers being impacted by CVE-2024-21888. However, the company did observe a small number of customers who have been impacted by CVE-2024-21893. No further details regarding exploitation were disclosed. Ivanti recommends that customers immediately apply the released patches to defend against potential attacks.

Security Officer Comments:
The development comes after Ivanti disclosed two zero-days earlier this month, an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887), which have been exploited in attacks since January 11 to deploy malware on vulnerable ICS, IPS, and ZTA gateways. In particular, Mandiant observed these two flaws being chained together by Chinese state-backed threat actors (tracked as UTA0178 or UNC5221) to deploy malicious backdoor payloads and steal data from victim environments. With Ivanti noting that the latest vulnerability (CVE-2024-21893) has been exploited against customers, it is likely that the same group of actors is behind these intrusions.

Suggested Corrections:
Ivanti has released fixes for Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1, and for ZTA version 22.6R1.3. Before applying the patches, Ivanti recommends that customers factory reset their appliances so that a threat actor already present cannot carry persistence through the upgrade.
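As an added example (not Ivanti's tooling), the following Python script triages an appliance inventory against the fixed builds listed above. It assumes the Ivanti version format `major.minorRrelease.hotfix` and that any build at or above the fixed build within the same branch is patched; branches with no listed fix are treated as unpatched. The inventory entries are constructed for illustration.

```python
import re

# Fixed builds taken from the advisory text, keyed by product.
# Assumption (not stated on the page): a build at or above the fixed build
# within the same branch (major.minorRrelease) counts as patched.
FIXED_BUILDS = {
    "Connect Secure": ["9.1R14.4", "9.1R17.2", "9.1R18.3", "22.4R2.2", "22.5R1.1"],
    "ZTA": ["22.6R1.3"],
}

# Assumed version syntax, e.g. "9.1R18.3" or "22.5R1" (hotfix optional).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(v):
    """Split '9.1R18.3' into (major, minor, release, hotfix); hotfix defaults to 0."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {v!r}")
    major, minor, release, hotfix = m.groups()
    return (int(major), int(minor), int(release), int(hotfix or 0))


def is_patched(product, version):
    """True if `version` is at or above the advisory's fixed build for its branch."""
    parsed = parse_version(version)
    branch = parsed[:3]
    for fixed in FIXED_BUILDS.get(product, []):
        f = parse_version(fixed)
        if f[:3] == branch:
            return parsed[3] >= f[3]
    return False  # no fixed build listed for this branch: treat as unpatched


def triage(inventory):
    """Given [(hostname, product, version)], return hostnames still needing the fix."""
    return [host for host, product, version in inventory if not is_patched(product, version)]


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("vpn-east", "Connect Secure", "9.1R18.3"),   # on a fixed build
    ("vpn-west", "Connect Secure", "22.5R1"),     # one hotfix behind 22.5R1.1
    ("vpn-lab", "Connect Secure", "9.1R16.2"),    # branch with no listed fix
    ("zta-gw1", "ZTA", "22.6R1.3"),               # on a fixed build
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: not on a fixed build; import the mitigation, factory reset, then patch")
```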

Note: CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893 can be mitigated by importing the mitigation.release.20240126.5.xml file via the download portal. For more information, please refer to the link below: