Context
Ivanti has disclosed the discovery of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild. This comes after the recent publication of CISA Alert: Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways.
Community Threat Assessment
Due to the confirmed active exploitation of CVE-2024-21893, the RH-ISAC Intelligence Team assesses that the new Ivanti vulnerabilities present a high and active threat to organizations that use any of the affected Ivanti products in their environment. RH-ISAC recommends that Core Members review the intelligence in this report and apply the patches listed below using the factory reset method defined by Ivanti.
Background
The two vulnerabilities are listed below:
CVE-2024-21888 (CVSS score: 8.8) – A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.
CVE-2024-21893 (CVSS score: 8.2) – A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
Ivanti has found no evidence of customers being impacted by CVE-2024-21888 so far but acknowledged “the exploitation of CVE-2024-21893 appears to be targeted.”
The current disclosure of these vulnerabilities comes after several other Ivanti vulnerabilities were made public recently:
Recommendations
Ivanti has released fixes for Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1, and ZTA version 22.6R1.3.
Ivanti has also recommended, as a best practice, that customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in the secure environment. Ivanti customers should expect this process to take 3 to 4 hours.
As a temporary workaround for CVE-2024-21888 and CVE-2024-21893, Ivanti also recommends that customers import the “mitigation.release.20240126.5.xml” file.
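As an added example (not code from RH-ISAC or Ivanti), the following Python check compares an appliance's reported version with the fixed releases listed above so a defender can triage an inventory. The `major.minorRrelease.patch` parsing is an assumption based on the version strings in this report, and the sample inventory is constructed.

```python
import re
from typing import List, Optional, Tuple

# Fixed builds named in the report: Connect Secure / Policy Secure branches, plus ZTA.
FIXED_VERSIONS = {
    "connect_secure": ["9.1R14.4", "9.1R17.2", "9.1R18.3", "22.4R2.2", "22.5R1.1"],
    "zta": ["22.6R1.3"],
}

# Assumed layout of an Ivanti version string, e.g. "9.1R14.4": major.minor R release [.patch]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split '9.1R14.4' into (major, minor, release, patch); a missing patch counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def is_patched(version: str, product: str = "connect_secure") -> Optional[bool]:
    """True if the build is at or above the fix for its own branch, False if it is on a
    fixed branch but below the fix, None if the branch is not one the report lists
    (status unknown: confirm with Ivanti rather than assuming it is safe)."""
    major, minor, release, patch = parse_version(version)
    for fixed in FIXED_VERSIONS[product]:
        f_major, f_minor, f_release, f_patch = parse_version(fixed)
        if (major, minor, release) == (f_major, f_minor, f_release):
            return patch >= f_patch
    return None


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (host, product, version) for a patch-tracking report."""
    labels = {True: "patched", False: "VULNERABLE - factory reset, then patch",
              None: "unknown branch - confirm with Ivanti"}
    return [(host, ver, labels[is_patched(ver, product)]) for host, product, ver in inventory]


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("vpn-gw-01.example.internal", "connect_secure", "9.1R14.3"),
    ("vpn-gw-02.example.internal", "connect_secure", "22.5R1.1"),
    ("policy-01.example.internal", "connect_secure", "9.1R15.2"),
    ("zta-01.example.internal", "zta", "22.6R1.2"),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:28} {ver:10} {status}")
```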