
Emergency Security Bulletin: Ivanti Connect Secure & Policy Secure Gateway Vulnerabilities

1/12/24 12:46 PM  |  by RedLegg Blog

About:

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

Executive Summary

On January 10, 2024, Ivanti released an advisory to their customers making them aware of two vulnerabilities (CVE-2024-21887 and CVE-2023-46805) in the Ivanti products previously sold by Pulse Secure, Ivanti Connect Secure and Ivanti Policy Secure Gateway. Known exploitation of these vulnerabilities has been reported by Volexity to have occurred as early as December 3, 2023. Currently there are no patches for these vulnerabilities, though Ivanti has outlined mitigation techniques that could be used to stave off attacks against these products. Ivanti reports that they expect to make some of the first patches for these vulnerabilities available during the week of January 22nd, 2024, with the latest patch expected to be made available on February 19th, 2024.

If your organization is unable to enact the mitigation techniques outlined by Ivanti, RedLegg advises their customers to remove these products from production until a patch is made available by the vendor.


VULNERABILITIES

Ivanti Connect Secure and Policy Secure Command Injection Vulnerability

Identifier: CVE-2024-21887 – CVSS Score 9.1 (CRITICAL)
Exploit or POC: Yes (Actively Being Exploited)
Security Update: Ivanti Forums – Security Update CVE-2024-21887 (Command Injection)
Description: CVE-2024-21887 allows for command injection. The web components of Ivanti Connect Secure and Ivanti Policy Secure contain a command injection vulnerability that could allow an authenticated user with administrative access to send specially crafted requests that trigger remote code execution. Exploitation is achievable over an internet connection.
Mitigation recommendation: Mitigation steps available here – KB Article Workaround CVE-2024-21887 (Command Injection)
RedLegg Action: None at this time.
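To make the vulnerability class concrete for defenders, the following is an added illustration and is not Ivanti's code or anything from the RedLegg bulletin. It models a hypothetical admin diagnostic endpoint (`vulnerable_lookup` and `hardened_lookup` are invented names) that takes a request parameter and runs a host lookup; `echo` stands in for the real diagnostic tool so the demo is harmless. The vulnerable version builds a shell string from the parameter, so a crafted request value runs additional commands; the hardened version validates the value against a strict hostname pattern and passes it as a single argv element with no shell.

```python
import re
import subprocess

# Constructed, illustrative code: models the command-injection class the
# bulletin describes (crafted request -> code execution), not Ivanti's product.
# The hostname pattern below is a conservative allow-list assumed for the demo.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_lookup(host: str) -> str:
    """Vulnerable pattern: the request parameter is spliced into a shell
    command string. /bin/sh interprets metacharacters such as ';', so a
    crafted value executes extra commands with the service's privileges."""
    result = subprocess.run(
        f"echo resolving {host}", shell=True, capture_output=True, text=True
    )
    return result.stdout.strip()


def hardened_lookup(host: str) -> str:
    """Hardened pattern: reject anything that is not a plain hostname, then
    invoke the tool with an argv list and no shell, so the value is only ever
    a single argument and is never parsed for metacharacters."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("rejected request parameter: not a valid hostname")
    result = subprocess.run(
        ["echo", "resolving", host], capture_output=True, text=True
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed crafted request value; the second command is harmless here.
    crafted = "example.com; echo INJECTED"
    print("vulnerable:", vulnerable_lookup(crafted))
    try:
        hardened_lookup(crafted)
    except ValueError as exc:
        print("hardened:", exc)
```

The detection and mitigation takeaway is the same one the bulletin's workaround addresses: until a patch removes the unsafe code path, any input reaching a shell from an administrative web interface must be treated as attacker-controlled, because an authenticated administrator account (or one obtained through the companion authentication bypass) is all the precondition an attacker needs.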


Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability

Identifier: CVE-2023-46805 – CVSS Score 8.4 (HIGH)
Exploit or POC: Yes (Actively Being Exploited)
Security Update: Ivanti Forums – Security Update CVE-2023-46805 (Authentication Bypass)
Description: CVE-2023-46805 allows for authentication bypass. The web components of Ivanti Connect Secure and Ivanti Policy Secure contain an authentication bypass vulnerability that could allow a remote adversary to access unauthorized resources by bypassing a control check.
Mitigation recommendation: Mitigation steps available here – KB Article Workaround CVE-2023-46805 (Authentication Bypass)
RedLegg Action: None at this time.
