Security Leader’s TLDR: Facts & Action to Take on Ivanti Zero-day CVEs

Ivanti’s remote access solutions is one of the most widely deployed remote access solutions today. The successor’s to Juniper’s VPN solution, a wide variety of both public and private entities are impacted by two actively exploited CVEs for which Ivanti is still rolling out patches. The basic facts are these:

• All currently supported versions of Ivanti Connect Secure (fka Pulse Connect Secure and Ivanti Policy Secure gateway) are vulnerable
• The combination of the two vulnerabilities (CVE-2023-46805 and CVE-2024-21887) can be exploited to execute an attacker’s commands or code on impacted systems
• The vulnerabilities can be taken advantage of without the need for credentials – unauthenticated remote users can take advantage of these
• The combination of vulnerabilities allows malicious actors to bypass existing MFA controls for VPN/Remote Access connections
• Patches are still forthcoming – scheduled to start rolling out for some versions the week of January 22 and continuing to roll out for other versions through mid February – though these are currently being attacked by malicious actors
• Ivanti released a mitigation/workaround while full patch development is in progress. This workaround compares snapshots for Ivanti’s internal integrity checker and does not prevent exploitation.
• As of this writing Tenable Plugins are under development for both CVEs
  • CVE-2024-21887
  • CVE-2023-46805
• Qualys scans utilize QID 731074
• The name “Connect Around” is starting to circulate to refer to this pair of vulnerabilities

While these are being actively exploited in the wild, we don’t know how widely this will be exploited, and with patches being delayed we can only assume exploitation will grow.  

Until patches are released, options for mitigation are decidedly limited. If you can afford to disable these systems (as in, completely disconnecting them from the Internet), that is your most secure option at this time, though of course that will probably impact your ability to perform business as usual, and must be made as a business decision. We recommend taking into account the period of time between now and when a patch is expected to be forthcoming.

Serious thought should be given to disconnecting these systems, since advice right now is focused on threat hunting and log monitoring, requiring your security operations team to be extra vigilant. It is advisable to review older logs to see if compromises may have occurred in preceding days and weeks. 

If your security operations program is not currently collecting logs from these appliances, we strongly recommend remediating that immediately, even if it is just a basic syslog server and running the Ivanti tool at regular, frequent intervals to look for indications of compromise. Deeepwatch has additional monitoring details to share with your security operations team, available in our Customer Advisory. Deepwatch has made this advisory available to the general public due to the nature of this event. 

Ivanti has made tools available to help identify improperly modified files on their appliances, which is still an “after the fact” detection tool, and cannot prevent malicious activity.

Unfortunately monitoring may not identify the malicious activity immediately, so dusting off your incident plans and checking in with your DFIR provider may be in order as well. As always, remember that absence of evidence does not mean you haven’t been impacted. Be vigilant for any potentially malicious activity from attackers that may have already used these vulnerabilities to establish an entry point into your environment.

Actively exploited vulnerabilities that don’t yet have full patches or readily implemented mitigations are some of the most difficult challenges any security program faces. Do your risk analysis, rally your team (whether internal or an MDR provider), scan and verify, be vigilant in your monitoring, and disable any of these systems that you can afford to until proven patches are available and you can resume using these systems with a level of confidence.

↑