Ivanti has disclosed a new high-severity vulnerability, CVE-2024-22024, affecting its Connect Secure VPN devices. This flaw, disclosed on February 8, 2024, marks the fifth such vulnerability to be revealed in the past month for Ivanti.
Three of the previously disclosed vulnerabilities are now reportedly being actively exploited.
On February 8, 2024, Ivanti released new security notes that replaced the previous updates released on January 31, 2024, and February 1, 2024. These new notes address CVE-2024-22024, the newly disclosed vulnerability.
Earlier, Ivanti said it had discovered two new security flaws, tracked as CVE-2024-21888 and CVE-2024-21893, affecting Connect Secure, its remote access VPN solution. The disclosure came after Ivanti confirmed two earlier flaws in Connect Secure, tracked as CVE-2023-46805 and CVE-2024-21887, which security researchers said China-supported hackers had been exploiting since December 2023 to break into customer networks and steal information.
Bypassing Authentication Mechanisms
A server-side request forgery flaw, designated as CVE-2024-21893, is being mass exploited. It allows unauthorized individuals to bypass authentication mechanisms and access restricted resources on the affected devices, specifically versions 9.x and 22.x.
Some 170 unique IP addresses have reportedly been observed attempting to exploit the vulnerability.
The newly identified flaw impacts a limited number of supported versions of Connect Secure, Policy Secure, and ZTA gateways, Ivanti said in an advisory. The vulnerability has been classified as “high-severity” with a CVSS score of 8.3 out of 10.0. It allows a malicious actor to bypass authentication and gain unauthorized access to certain restricted resources, the company said.
Ivanti discovered this vulnerability during its internal review and code-testing process.
“This vulnerability was discovered during our rigorous investigation into the vulnerabilities impacting Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways,” Ivanti said. “We initiated this rigorous process consistent with our product incident response plan to address the issues impacting Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways. This process includes working alongside world-class security experts and aggressively reviewing our code.”
Ivanti Issues Patch
Ivanti said it now has a patch for the affected versions and additional versions, which “fix all previously disclosed vulnerabilities… Given the active exploitation of other vulnerabilities, users are advised to stay informed about security advisories and take necessary actions to secure their systems.”
Organizations that have applied the prior patch and completed a factory reset of their appliance “do not need to factory reset their appliances again,” Ivanti said. At this point there is “no evidence of any customers being exploited by CVE-2024-22024.”
Ivanti said that it has seen this threat actor attempt to gain persistence in customers’ environments, which is “why we are recommending this action as a best practice for all customers.”
CISA Emergency Directive on Ivanti Vulnerabilities
In late January, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 24-01 in response to observed widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure appliances by malicious cyber threat actors.
It was the agency’s first emergency directive of the year.
The order, which is binding only on federal civilian executive branch agencies, directs those agencies to “immediately take specific actions and implement vendor mitigation guidance to these Ivanti appliances.”
According to the directive, “CISA has determined an Emergency Directive is necessary based on the widespread exploitation of these vulnerabilities by multiple threat actors, prevalence of the affected products in the federal enterprise, high potential for compromise of agency information systems, and potential impact of a successful compromise.”
On February 8, 2024, CISA issued a supplemental advisory on CVE-2024-22024 in which it said that “some threat actors have recently developed workarounds to earlier mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection.”
MSSP Responds to Ivanti Vulnerability
Managed Security Service Provider Nuspire has issued guidelines for its customers using Ivanti devices to stay safe.
“If your organization is using Ivanti Connect Secure and Policy Secure, it’s crucial to take immediate action,” the MSSP said. Here are Nuspire’s recommendations:
- Verify your version. Determine if your devices are running vulnerable versions (9.x and 22.x). If so, prioritize patches from Ivanti as per their advisory.
- Apply patches. Ivanti has stated that the patch is available now via the standard download portal. Applying these patches as soon as possible is critical to protect your systems.
- Stay informed. Keep up to date with the latest information from trusted sources.
Ivanti is a South Jordan, Utah-based company that provides information technology and software solutions. The company offers IT asset and services management, supply chain, reporting and analytics, identity management, and endpoint and workspace management products, as well as consulting, training and certification services.