About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
Executive Summary
On January 31, 2024, Ivanti released an advisory to their customers making them aware of two vulnerabilities (CVE-2024-21888 and CVE-2024-21893) in the Ivanti products previously sold by Pulse Secure, Ivanti Connect Secure and Ivanti Policy Secure Gateway. These vulnerabilities were discovered by Ivanti as a product of their efforts to patch and mitigate two vulnerabilities reported on earlier in the year on January 10, 2024, (CVE-2024-21887 and CVE-2023-46805).
Ivanti has reported that they have not observed any evidence of exploitation of CVE-2024-21888 at this time and has observed limited exploitation of CVE-2024-21893 in targeted attacks to “access certain restricted resources without authentication”. As observed with the earlier vulnerabilities reported by Ivanti, they anticipate that with their recent disclosure and acknowledgement of CVE-2024-21893 that more Ivanti customers will be affected by adversaries leveraging this vulnerability.
While Ivanti has been issuing patches for these vulnerabilities in a staggered scheduled approach, they have also released mitigation techniques that could be leveraged prior to the deployment of patches. Due to the haste in which adversaries like UNC5221 have been evolving their techniques to exploit vulnerabilities in Ivanti products, if you are unable to currently patch, it is imperative to utilize the mitigation steps outlined by Ivanti.
To identify if you have been affected by adversaries leveraging these vulnerabilities, Ivanti’s external Integrity Checking Tool (ICT) must be used as adversaries have been reported to modify the built-in ICT to conceal signs of exploitation.
If you identify signs of exploitation, engage Ivanti to coordinate with their team to identify next steps for mitigating your affected device, and reset user credentials for users that may have authenticated to the affected Ivanti device during this time.
VULNERABILITIES
Ivanti Connect Secure and Policy Secure Privilege Escalation Vulnerability
Identifier: CVE-2024-21888 – CVSS Score 8.8 (HIGH)
Exploit or POC: None at this time.
Update: Ivanti Forums – CVE-2024-21888
Description: CVE-2024-21888 allows for elevation of privileges. The web component of the Ivanti Connect Secure and Ivanti Policy Secure products contains a privilege of escalation vulnerability (see applicable version number here). Successful exploitation of this vulnerability could allow an adversary to elevate privileges to that of an administrator.
Mitigation recommendation: Mitigation steps available here – KB Article
RedLegg Action: None at this time.
Ivanti Connect Secure and Policy Secure Server-Side Request Forgery Vulnerability
Identifier: CVE-2024-21893 – CVSS Score 8.2 (HIGH)
Exploit or POC: Yes (Actively Being Exploited)
Update: Ivanti Forums – CVE-2024-21893
Description: CVE-2024-21893 allows for server-side request forgery. The SAML component of the Ivanti Connect Secure and Policy Secure products contains a server-side request forgery vulnerability (see applicable version number here). Successful exploitation of this vulnerability could grant an unauthenticated adversary access to restricted resources.
Mitigation recommendation: Mitigation steps available here – KB Article
RedLegg Action: None at this time.
