Ivanti Discloses Two New Zero-Day Flaws, One Under Active Exploitation

Ivanti has disclosed the discovery of two new high-severity flaws in its Connect Secure and Policy Secure products. Users are urged to implement patches.

Context

Ivanti has disclosed the discovery of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild. This comes after the recent publication of CISA Alert: Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways.

Community Threat Assessment

Due to the confirmed active exploitation of CVE-2024-21893, the RH-ISAC Intelligence Team assesses that the new Ivanti vulnerabilities present a high and active threat for organizations that utilize any Ivanti products in their ecosystem. RH-ISAC recommends Core Members review the intelligence included in this report and implement the patches listed below using the factory reset method, as defined by Ivanti.

Background

The two vulnerabilities are listed below:

CVE-2024-21888 (CVSS score: 8.8) – A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.

CVE-2024-21893 (CVSS score: 8.2) – A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

Ivanti has found no evidence of customers being impacted by CVE-2024-21888 so far but acknowledged “the exploitation of CVE-2024-21893 appears to be targeted.”

The current disclosure of these vulnerabilities comes after several other Ivanti vulnerabilities were made public recently:

Recommendations

Ivanti has released fixes for Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1, and ZTA version 22.6R1.3.

Ivanti has also recommended, as a best practice, that customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in the secure environment. Ivanti customers should expect this process to take 3 to 4 hours.

As temporary workarounds to address CVE-2024-21888 and CVE-2024-21893, users are also advised to import the “mitigation.release.20240126.5.xml” file.
