Vulnerability Awareness Updates – Ivanti Patches Available, but Two New Vulnerabilities Disclosed

Reminder: Action may be required if your utility uses affected versions of Ivanti Connect Secure and Policy Secure Gateways. Please have systems administrators address promptly, if they have not already.

Additionally, impacted utilities are strongly encouraged to conduct continuous threat hunting, regardless of the mitigations implemented and regardless of external or internal ICT results.

Ivanti has begun making patches widely available for some impacted products. However, two new vulnerabilities (CVE-2024-21893 and CVE-2024-21888) have also been disclosed that are now thrown into the mix, including one (CVE-2024-21893) that was exploited as a zero-day. WaterISAC has been tracking the Ivanti vulnerabilities closely and providing relevant updates. Please see below for prior notifications.

According to Ivanti, patches are available for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3. For all remaining supported versions, Ivanti has stated they will be patched on a staggered schedule, and there are also new mitigations available for download. For detailed instructions on how to apply the mitigations and patches, visit the Ivanti KB article.

Regarding the new vulnerabilities, they impact Ivanti Connect Secure, Policy Secure, and ZTA. The “zero-day” (CVE-2024-21893) exploited prior to the patch, is a server-side request forgery (SSRF) vulnerability which enables attackers to bypass authentication and access restricted resources. An additional flaw (CVE-2024-21888) within the web component of the gateway enables malicious actors to escalate to admin privileges. For more information, access Ivanti or Bleeping Computer.

Analyst Comment (Jennifer Lyn Walker): There has been a lot of research done on these vulnerabilities and the known activity and exploitation. Systems administrators and security analysts are encouraged to review the additional resources for greater understanding and to determine potential impact at your utility. This post from Tenable may be useful: CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways.

To help sysadmins keep track of which vulnerabilities have been patched and which are still outstanding but include mitigations, Tenable (referenced above) provides a good overview. Additionally, CISA has updated its guidance: Updated New Mitigations to Defend Against Exploitation of Ivanti Connect Secure and Policy Secure Gateways. Finally, as this situation has been evolving, it is important for sysadmins to closely track Ivanti for relevant updates and information.

Additional resources shared by WaterISAC regarding Ivanti vulnerabilities:

• Update January 30, 2024: (TLP:CLEAR) WaterISAC Advisory: CISA Issues Emergency Directive on Ivanti Vulnerabilities
• Ivanti Connect Secure Activity (Members Only)
• Vulnerability Notification – Active Zero-Day Exploitation of Ivanti Connect Secure and Policy Secure Gateways (Update: January 16, 2024)