The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed widespread active exploitation of Ivanti Connect Secure and Ivanti Policy Secure solutions. The agency published the notice on its website and also took to X (formerly Twitter) to alert the general public that malicious actors are actively exploiting these products.
The vulnerabilities, considered critical, are tracked as CVE-2023-46805 and CVE-2024-21887, along with two newer ones, CVE-2024-21888 and CVE-2024-21893. The flaws are associated with authentication bypass and execution of arbitrary commands.
CISA noted that:
“Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems.”
To safeguard organizations that use these products, CISA has issued Emergency Directive ED 24-01, notifying the public that these incidents pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and therefore require emergency action.
This conclusion was based on the observation of widespread attacks from multiple threat actors.
Ivanti has also addressed the issue by releasing a temporary mitigation in the form of an XML file covering these CVEs. The file can be imported into affected products and is said to apply security configurations pending the release of a more stable update.
“This Directive requires agencies to implement Ivanti’s published mitigation immediately to the affected products in order to prevent future exploitation. As this initial action does not remedy an active or past compromise, agencies are also required to run Ivanti’s External Integrity Checker Tool and take additional steps if indications of compromise are detected.”
Furthermore, the Emergency Directive is in line with CISA’s Binding Operational Directive 22-01 and does not conflict with previous requirements.
Quick actions to be taken, according to CISA:
CISA listed a series of quick actions expected of users of Ivanti products.
In its directive, CISA states:
“Agencies running affected products (Ivanti Connect Secure or Ivanti Policy Secure solutions) are required to perform the following tasks”
which are listed below:
- Download “mitigation.release.20240107.1.xml” from Ivanti’s download portal and import it into the affected product. This is said to disable a set of the product’s management features.
- After importing the XML file, run Ivanti’s External Integrity Checker Tool regardless of the current product version; the tool then reboots the device.
- If an indicator of compromise (IoC) is found, immediately notify CISA by email.
- Additionally, disconnect the compromised device from the agency network and initiate first-responder actions to preserve data from the compromised device.
- Further recommendations include revoking and reissuing any stored certificates, resetting the admin enable password, and resetting stored API keys.
Ivanti’s products have recently become a target for threat actors due to their numerous vulnerabilities, and the company has been actively working to address these issues by releasing updates and taking other necessary actions.
These security flaws have the potential to pose a significant threat to the security of affected systems, and it is crucial that they are mitigated promptly to prevent any potential exploitation. We at Fixitgearware Security hope that Ivanti can effectively resolve these issues and put an end to these threats as soon as possible, ensuring the continued protection of its products and users’ information systems.
Remember to always stay safe and be vigilant 🛡️!
Share your thoughts on this in the comments section below.