
Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure Gateways

Ivanti has disclosed two zero-day vulnerabilities in Ivanti Connect Secure (ICS) and Ivanti Policy Secure that, when chained, allow unauthenticated remote attackers to execute arbitrary commands on targeted devices.




Threat details

Introduction

Ivanti has released a security advisory to address two zero-day vulnerabilities - tracked as CVE-2023-46805 and CVE-2024-21887 - in Ivanti Connect Secure (ICS), formerly Pulse Connect Secure, and Ivanti Policy Secure gateways.

  • CVE-2023-46805 is an authentication bypass vulnerability in the web component of ICS and Ivanti Policy Secure. It allows a remote, unauthenticated attacker to reach restricted resources by bypassing the access control checks.
  • CVE-2024-21887 is a command injection vulnerability in the web component of ICS and Ivanti Policy Secure. On its own it requires an authenticated administrator, who can send specially crafted requests and execute arbitrary commands on the appliance.

When CVE-2024-21887 is chained with CVE-2023-46805, exploitation no longer requires authentication: the bypass gives an unauthenticated attacker access to the administrative web component, and the command injection then executes arbitrary commands on the system.
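The following is an added, constructed illustration (not Ivanti code, and not the actual mechanism behind these two CVEs, which this page does not describe) of why an authentication bypass plus an "administrator-only" command injection yields unauthenticated command execution, and why fixing either bug alone closes the unauthenticated path. The path-normalisation bug, the route names and the `echo`-based diagnostic command are all hypothetical.

```python
"""Toy web component showing how an auth bypass chains with an admin-only
command injection.  Constructed for illustration; the real Ivanti code path
and bypass are not described on this page and are not reproduced here."""
import posixpath
import re
import subprocess

PUBLIC_PREFIX = "/api/v1/public/"          # hypothetical unauthenticated routes
ADMIN_DIAG_ROUTE = "/api/v1/admin/diag"    # hypothetical admin-only route
HOST_RE = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")


def vulnerable_authorize(path: str, authenticated: bool) -> bool:
    """Bug (hypothetical): the 'public route' allow-list is checked against the
    raw path, but the router dispatches on the normalised path, so a traversal
    such as '/api/v1/public/../admin/diag' is treated as public."""
    return path.startswith(PUBLIC_PREFIX) or authenticated


def fixed_authorize(path: str, authenticated: bool) -> bool:
    """Fix: authorise exactly the canonical path the router will dispatch on."""
    canonical = posixpath.normpath(path)
    return canonical.startswith(PUBLIC_PREFIX) or authenticated


def vulnerable_diag(host: str) -> str:
    """Bug (hypothetical): request data is concatenated into a shell command."""
    proc = subprocess.run("echo " + host, shell=True, capture_output=True, text=True)
    return proc.stdout


def fixed_diag(host: str) -> str:
    """Fix: strict allow-list validation, then an argv list so no shell parses it."""
    if not HOST_RE.match(host):
        raise ValueError("invalid host")
    proc = subprocess.run(["echo", host], capture_output=True, text=True)
    return proc.stdout


def handle_request(path, authenticated, params, authorize, diag):
    """Minimal router standing in for the appliance web component."""
    if not authorize(path, authenticated):
        return 401, "unauthorized"
    route = posixpath.normpath(path)       # dispatch happens on the canonical path
    if route == ADMIN_DIAG_ROUTE:
        try:
            return 200, diag(params.get("host", ""))
        except ValueError as exc:
            return 400, str(exc)
    if route.startswith(PUBLIC_PREFIX):
        return 200, "public resource"
    return 404, "not found"


# Constructed attacker input: traversal into the admin route plus an injected command.
TRAVERSAL = "/api/v1/public/../admin/diag"
PAYLOAD = {"host": "127.0.0.1; echo INJECTED"}


def chained_unauthenticated():
    """Both bugs present: no credentials, yet the injected command runs."""
    return handle_request(TRAVERSAL, False, PAYLOAD, vulnerable_authorize, vulnerable_diag)


def bypass_fixed_only():
    """Auth bypass fixed: the injection is still there but needs an admin session."""
    return handle_request(TRAVERSAL, False, PAYLOAD, fixed_authorize, vulnerable_diag)


def injection_fixed_only():
    """Injection fixed: even an authenticated admin cannot smuggle a command."""
    return handle_request(ADMIN_DIAG_ROUTE, True, PAYLOAD, vulnerable_authorize, fixed_diag)


if __name__ == "__main__":
    print("chained, unauthenticated:", chained_unauthenticated())
    print("bypass fixed only:       ", bypass_fixed_only())
    print("injection fixed only:    ", injection_fixed_only())
```

The two fixes are independent, which is why a vendor mitigation that blocks the bypass removes the unauthenticated path even before the command-injection bug itself is patched; it does not, however, protect against an attacker who already holds administrator credentials.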

Active exploitation of CVE-2023-46805 and CVE-2024-21887

Ivanti are aware of active exploitation of CVE-2023-46805 and CVE-2024-21887. The US Cybersecurity and Infrastructure Security Agency (CISA) has added both CVEs to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation in the wild.

Volexity have reported that these vulnerabilities are now being widely exploited, with over 1,700 devices worldwide showing evidence of compromise.


Threat updates

Date: 16 Jan 2024
Update: Vulnerabilities are now widely exploited

The cyber alert has been updated to reflect this change.


Remediation advice

Affected organisations are required to review the Ivanti Knowledgebase article and apply the recommended mitigation as soon as possible.

Applying the mitigation blocks further exploitation but does not remove any foothold an attacker has already established. Organisations with vulnerable devices are therefore also highly encouraged to review Volexity's blog post for guidance on how to detect evidence of prior exploitation.

Ivanti have advised that relevant patches will be released in a staggered schedule, with the first version targeted to be available to customers the week of 22 January and the final version targeted to be available the week of 19 February. NHS Threat Updates will be sent in line with the release of relevant patches, and further Cyber Alerts may be issued if required.


Remediation steps

Type: Action
Step: CVE-2023-46805 and CVE-2024-21887 can be mitigated by importing the mitigation.release.20240107.1.xml file via the Ivanti download portal.


Ivanti Knowledgebase article: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US


Last edited: 16 January 2024 3:31 pm