About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
Executive Summary
On February 8, 2024, Ivanti released an advisory to their customers making them aware of an XML external entity (XXE) injection vulnerability (CVE-2024-22024) in the Ivanti products Ivanti Connect Secure, Ivanti Policy Secure Gateway, and ZTA Gateway. This vulnerability was discovered by Ivanti as a product of their efforts to patch and mitigate multiple vulnerabilities reported on earlier in the year. No signs of known exploitation of this vulnerability in-the-wild (ITW) have been observed or reported on by Ivanti. Due to the haste in which adversaries such as UNC5221 have taken to exploit multiple vulnerabilities previously reported by Ivanti, as well as CISA’s recent Emergency Directive (ED) 24-01, RedLegg recommends that their customers continue to patch and update any affected Ivanti products within their environments as soon as possible. Ivanti notes that “Customers who applied the patch released on 31 January or 1 February, and completed a factory reset of their appliance, do not need to factory reset their appliances again.”
VULNERABILITIES
Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability
Identifier: CVE-2024-22024 – CVSS Score 8.3 (HIGH)
Exploit or POC: No instances of active exploitation detected.
Update: Ivanti Forums – CVE-2024-22024
Description: CVE-2024-22024 allows for authentication bypassing. The SAML component of the affected products (see Ivanti Forums for details) contains an XML external entity (XXE) vulnerability. Authentication is not required for successful exploitation. Successful exploitation could allow an adversary to access restricted resources.
Mitigation recommendation: Patching is currently the only method of mitigation. Update to the latest software versions disclosed in the Ivanti Forums – CVE-2024-22024.
RedLegg Action: None at this time.
