Five Eyes Warn of Ivanti Vulnerabilities Exploitation, Detection Tools Insufficient

On February 29, 2024, government agencies from the Five Eyes countries (Australia, Canada, New Zealand, the UK, and the US) issued an urgent joint advisory on the active exploitation of vulnerabilities in Ivanti products. The vulnerabilities, CVE-2023-46805 (authentication bypass), CVE-2024-21887 (command injection), and CVE-2024-21893 (server-side request forgery), affect all supported versions (9.x and 22.x) of Ivanti Connect Secure and Ivanti Policy Secure gateways. Their severity ranges from high to critical, and chained together they allow a threat actor to bypass authentication and execute arbitrary commands on the appliance with elevated privileges. Of particular concern is that Ivanti's Integrity Checker Tool (ICT), in both its internal and external forms, can miss a compromise: the agencies observed cases during incident response engagements in which the ICT failed to detect compromise, and their own independent lab research showed that the ICT is not sufficient on its own and that a threat actor may be able to retain root-level persistence on the appliance even after a factory reset.

Security Officer Comments:
In response to these findings, the agencies issued a series of mitigation recommendations for users of Ivanti gateways, advising them to assume that credentials stored on the affected appliances are likely compromised. Ivanti responded by emphasizing the importance of applying its security updates and performing a factory reset, while noting that the persistence technique CISA demonstrated in a lab environment has not been observed in live customer environments to date. The joint advisory was authored by the FBI, CISA, NCSC-UK, the Canadian Cyber Centre, ACSC, NCSC-NZ, CERT NZ, and MS-ISAC, with support from industry partners.

Suggested Corrections:
The agencies provided a set of actions for all users of Ivanti gateways to take:

  • Assume that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised
  • Hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory
  • Run Ivanti’s most recent external ICT
  • Apply available patching guidance provided by Ivanti as version updates become available
  • If a potential compromise is detected, collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory
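As an added illustration of the "hunt for malicious activity" step above (example code written for this summary, not part of the advisory or of any Ivanti tooling), the script below scans web access log lines in a combined-log style for the request shape used to chain CVE-2023-46805 and CVE-2024-21887. It assumes the publicly documented exploitation pattern: a request to the unauthenticated TOTP backup-code API followed by "../" traversal reaches restricted endpoints (the auth bypass), and a ";" appended to the license key-status path carries the injected command. Those markers, the log line format, and the sample log lines are assumptions constructed for the example; the advisory's own IOCs and detection methods should be used alongside it.

```python
"""Hunt access-log lines for the CVE-2023-46805 / CVE-2024-21887 request pattern.

Added example for this summary; the request markers below are assumptions taken
from public exploitation analysis, not from the joint advisory itself.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample log (not real traffic): RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:03:14:07 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2024:03:14:09 +0000] "POST /api/v1/totp/user-backup-code HTTP/1.1" 200 88
198.51.100.23 - - [10/Jan/2024:03:15:41 +0000] "GET /api/v1/totp/user-backup-code/../../system/system-information HTTP/1.1" 200 2210
198.51.100.23 - - [10/Jan/2024:03:15:58 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/;id; HTTP/1.1" 200 312
198.51.100.23 - - [10/Jan/2024:03:16:02 +0000] "GET /api/v1/totp/user-backup-code/%252e%252e/%252e%252e/license/keys-status/ HTTP/1.1" 403 0
"""

# Combined-log-style request line: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed markers (public research, not from this page):
#  - traversal out of the unauthenticated TOTP endpoint = auth bypass (CVE-2023-46805)
#  - ";" in the license key-status path = command injection (CVE-2024-21887)
BYPASS_MARKER = "/api/v1/totp/user-backup-code/../"
INJECTION_RE = re.compile(r"/license/keys-status/;")


@dataclass(frozen=True)
class Hit:
    src: str
    ts: str
    status: str
    path: str
    reasons: tuple


def normalize(path: str) -> str:
    """Decode percent-encoding twice so double-encoded '..' (%252e) is seen."""
    return unquote(unquote(path))


def classify(path: str) -> tuple:
    """Return the reasons a request path looks like the exploit chain, if any."""
    norm = normalize(path)
    reasons = []
    if BYPASS_MARKER in norm:
        reasons.append("CVE-2023-46805 traversal from unauthenticated TOTP endpoint")
    if INJECTION_RE.search(norm):
        reasons.append("CVE-2024-21887 command injection in license key-status path")
    return tuple(reasons)


def hunt(log_text: str) -> list:
    """Parse every line and keep those whose path matches an exploit marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not request records
        reasons = classify(m["path"])
        if reasons:
            hits.append(Hit(m["src"], m["ts"], m["status"], m["path"], reasons))
    return hits


def sources(hits: list) -> dict:
    """Count suspicious requests per client address for triage."""
    return dict(Counter(h.src for h in hits))


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h.ts} {h.src} {h.status} {h.path}")
        for r in h.reasons:
            print(f"    -> {r}")
    print("per-source:", sources(hunt(SAMPLE_LOG)))
```

Two design points matter here. A 403 on a traversal attempt (the last sample line) is still reported, because a blocked probe tells you who is targeting the appliance even when the chain did not succeed. And because the page notes that the ICT may not detect a compromise and that an actor can persist on the appliance, log copies forwarded off-box (to a SIEM or syslog collector) are a more trustworthy hunting source than logs read from the gateway itself.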