About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
Executive Summary
On January 10, 2024, Ivanti released an advisory to its customers disclosing two vulnerabilities (CVE-2024-21887 and CVE-2023-46805) in Ivanti Connect Secure and Ivanti Policy Secure Gateway, products previously sold by Pulse Secure. Volexity has reported known exploitation of these vulnerabilities as early as December 3, 2023. Currently there are no patches for these vulnerabilities, though Ivanti has outlined mitigation techniques that can be used to stave off attacks against these products. Ivanti reports that it expects to make the first patches for these vulnerabilities available during the week of January 22nd, 2024, with the last patch expected to be made available on February 19th, 2024.
If your organization is unable to enact the mitigation techniques outlined by Ivanti, RedLegg advises its customers to remove these products from production until a patch is made available by the vendor.
VULNERABILITIES
Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
Identifier: CVE-2024-21887 – CVSS Score 9.1 (CRITICAL)
Exploit or POC: Yes (Actively Being Exploited)
Security Update: Ivanti Forums – Security Update CVE-2024-21887 (Command Injection)
Description: CVE-2024-21887 allows for command injection. The web components of Ivanti Connect Secure and Ivanti Policy Secure contain a command injection vulnerability that could allow an authenticated user with administrative access to send specially crafted requests that trigger remote code execution. Exploitation is achievable over the internet.
Mitigation recommendation: Mitigation steps available here – KB Article Workaround CVE-2024-21887 (Command Injection)
RedLegg Action: None at this time.
Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
Identifier: CVE-2023-46805 – CVSS Score 8.4 (HIGH)
Exploit or POC: Yes (Actively Being Exploited)
Security Update: Ivanti Forums – Security Update CVE-2023-46805 (Authentication Bypass)
Description: CVE-2023-46805 allows for authentication bypass. The web components of Ivanti Connect Secure and Ivanti Policy Secure contain an authentication bypass vulnerability that could allow a remote adversary to access unauthorized resources by bypassing a control check.
Mitigation recommendation: Mitigation steps available here – KB Article Workaround CVE-2023-46805 (Authentication Bypass)
RedLegg Action: None at this time.