Summary
Active exploitation in the wild has been detected of the vulnerabilities CVE-2023-46805 and CVE-2024-21887, which affect Ivanti Connect Secure and Policy Secure Gateways.
Notes:
- Update 01/19/2024: Proof of Concept (PoC) code for the exploitation of CVE-2023-46805 and CVE-2024-21887 is available online;
- Update 01/31/2024: CVE-2024-21893 is being actively exploited in the wild;
- Update 02/06/2024: Proof of Concept (PoC) code for the exploitation of CVE-2024-21893 is available online.
Risk
Vulnerability impact estimate on the target community: HIGH/ORANGE (74.23/100) [1].
Type
- Authentication Bypass
- Remote Code Execution
Description
Exploitation of the vulnerabilities CVE-2023-46805 and CVE-2024-21887, which affect Ivanti's Connect Secure and Policy Secure Gateways products, has recently been detected.
In detail, exploiting these vulnerabilities one after the other (they are of the “Authentication Bypass” and “Command Injection” types, with CVSS v3.1 scores of 8.2 and 9.1 respectively) could allow the execution of arbitrary code on the target systems.
Affected Products and Versions
Ivanti Connect Secure
- 9.x
- 22.x
Ivanti Policy Secure
- 9.x
- 22.x
Mitigation Actions
While waiting for the vendor to release the relevant security patches, it is recommended to apply the mitigations indicated in the security bulletin listed in the References section.
Updated 01/31/2024
The vendor has released patches for the vulnerable products; it is recommended to promptly update the affected software. As indicated in the vendor bulletin, it is recommended to perform a factory reset of the devices before applying the patch, to prevent potential attackers from gaining persistence.
Updated 02/28/2024
The vendor, as indicated in its bulletin, has released a new version of the Integrity Checking Tool (ICT) software that provides a decrypted snapshot of the appliance. If you have not already done so, we recommend running the tool to detect any evidence of attacker persistence.
Unique Vulnerability Identifiers
Updated 01/31/2024
References
Updated 01/16/2024
https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day
Updated 01/22/2024
Updated 01/31/2024
Updated 02/28/2024
https://forums.ivanti.com/s/article/How-to-open-an-Integrity-Scan-Snapshot
https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence
https://services.google.com/fh/files/misc/ivanti-connect-secure-remediation-hardening.pdf
[1] This estimate is made taking into account several parameters, including: CVSS, availability of patches/workarounds and PoC, diffusion of the affected software/devices in the reference community.