Ivanti releases patches for VPN zero-days, discloses two more high-severity vulns

Many versions still without fixes while sophisticated attackers bypass mitigations


Ivanti has finally released the first round of patches for vulnerability-stricken Connect Secure and Policy Secure gateways, but in doing so has also found two additional zero-days, one of which is under active exploitation.

The news comes days after Ivanti, which releases its patches on a staggered schedule, said the first batch of fixes – due last week – was delayed, and many versions remain without official fixes.

Patches are now available for versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and ZTA version 22.6R1.3, which will be welcome news to admins fearful of becoming the next target among a growing number of victims.

Admins are advised "out of an abundance of caution" to also factory-reset their devices before applying the patch. This is to prevent any possibility of an attacker gaining upgrade persistence. Ivanti said the process will take up to four hours to complete.

Given the state of exploitation of these vulnerabilities, it goes without saying that these patches should be applied as soon as possible.
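As an added illustration (not Ivanti tooling or code from the article), the following script triages a constructed appliance inventory against the patched builds the article lists, so an admin can see at a glance which devices have a fix available and which must stay on the mitigation and ICT routine. It assumes Ivanti's `<major>.<minor>R<release>[.<patch>]` version format and that a later patch level in the same release train is at least as new as the listed fix; the product keys, function names and hostnames are invented for the example.

```python
"""Triage Ivanti Connect Secure / Policy Secure / ZTA appliances against the
patched versions named in the article. Constructed example, not vendor code."""
import re
from typing import NamedTuple


class IvantiVersion(NamedTuple):
    major: int
    minor: int
    release: int
    patch: int

    @property
    def train(self) -> tuple:
        # Release train, e.g. 9.1R18 for both 9.1R18.1 and 9.1R18.3
        return (self.major, self.minor, self.release)


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> IvantiVersion:
    """Parse Ivanti's '<major>.<minor>R<release>[.<patch>]' format (assumed)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return IvantiVersion(int(major), int(minor), int(release), int(patch or 0))


# Patched builds listed in the article, keyed by an invented product label.
PATCHED = {
    "ics_ips": [parse_version(v) for v in
                ("9.1R14.4", "9.1R17.2", "9.1R18.3", "22.4R2.2", "22.5R1.1")],
    "zta": [parse_version("22.6R1.3")],
}


def triage(product: str, version: str) -> str:
    """Classify one appliance. Assumption: same train and patch >= fix is safe."""
    v = parse_version(version)
    fix = {f.train: f for f in PATCHED[product]}.get(v.train)
    if fix is None:
        return "no patch yet: apply mitigation, run ICT, keep hunting"
    if v.patch >= fix.patch:
        return "on patched build"
    return f"upgrade to {fix.major}.{fix.minor}R{fix.release}.{fix.patch} (factory reset first)"


def triage_inventory(inventory):
    """inventory: iterable of (hostname, product, version) -> {hostname: verdict}."""
    return {host: triage(product, ver) for host, product, ver in inventory}


# Constructed sample inventory for demonstration
SAMPLE_INVENTORY = [
    ("vpn-ny-01", "ics_ips", "9.1R18.3"),
    ("vpn-ny-02", "ics_ips", "9.1R18.1"),
    ("vpn-ldn-01", "ics_ips", "22.3R1"),
    ("zta-01", "zta", "22.6R1.3"),
]

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```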

To recap, earlier this month security researchers at Volexity disclosed the two-bug zero-day exploit they believed to be carried out by an unknown group with a suspected China nexus. The researchers said the vulnerabilities make it "trivial" for remote unauthenticated attackers to achieve code execution.

At the time, Ivanti said fewer than ten victims were believed to have been breached, but that number grew quickly and the flaws were under mass exploitation within days.

Ivanti also said it would develop patches not in version order, but starting with the versions with the most installs. Patches were expected to drop between January 22 and February 19, but some of these have since been delayed slightly.

Customers in the meantime were advised to apply the mitigation available via the Ivanti download portal and use the external version of Ivanti's internal integrity checker (ICT), alongside proactive threat-hunting practices to monitor for suspected compromises.

To make matters worse, this week the US Cybersecurity and Infrastructure Security Agency (CISA) said Ivanti's mitigation was bypassed by some sophisticated attackers.

"Threat actors are continuing to leverage vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways to capture credentials and/or drop webshells that enable further compromise of enterprise networks," the alert reads.

"Some threat actors have recently developed workarounds to current mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection. CISA is aware of instances in which sophisticated threat actors have subverted the external ICT, further minimizing traces of their intrusion."

CISA advises organizations to continue proactively hunting for threats on systems connected to vulnerable Ivanti devices. It also advises monitoring account authentication, usage, and identity management services that could be exposed, and isolating them from enterprise resources where possible.

In releasing today's round of patches, Ivanti also updated its mitigation in a bid to keep attackers at bay for now. This can be applied via the download portal like the last one.

The vendor didn't mention any changes being made to the external ICT, however, despite current intelligence indicating attackers can get around its detection capabilities.

More zero-days?

That mitigation will also apply to the two additional zero-days announced today, which affect all supported versions of Connect Secure, Policy Secure, and ZTA gateways.

"Upon learning of these vulnerabilities, we immediately mobilized resources and the patch is available now via the standard download portal for Ivanti Connect Secure," said Ivanti in an advisory.

"It is critical that you immediately take action to ensure you are fully protected."

Tracked as CVE-2024-21888 and CVE-2024-21893, they both carry high-severity CVSS scores. Ivanti's descriptions for both are:

Ivanti said there is no evidence to suggest that CVE-2024-21888 is under active exploitation, but a small number of customers have been hit by the other flaw, CVE-2024-21893, a server-side request forgery bug.

It's not clear if the discovery of these two additional vulnerabilities was the cause of the overall delay in the patch schedule. The Register has asked Ivanti to comment.

A spokesperson at Ivanti sent a statement:

"The security of our customers is our top priority. As part of our ongoing investigation, we discovered two additional vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure. We included a fix for these vulnerabilities and previously identified vulnerabilities in the patch released today, and patches planned for release for additional versions will also include a comprehensive fix. And the patches released on January 31 cover the majority of our customers. We have also provided a new mitigation in the best interest of customers while the remaining patch versions are in development.

"We strongly encourage customers to apply the patch for their version as it becomes available. While additional patch versions are in development, they should apply the mitigation and run the internal and external ICT." ®
