New Updates and Guidance to Fortify Ivanti Security Amid Threats

30 Jan 2024, cisa.gov

Ivanti has issued critical software updates to address recent vulnerabilities in its Connect Secure and Policy Secure products. Organizations are urged to implement these updates to protect against exploitation.

Key Takeaways

  • On February 14, 2024, Ivanti announced the release of important software updates aimed at securing its Connect Secure and Policy Secure gateways.
  • Among the newly disclosed vulnerabilities is an XML external entity injection (XXE) flaw, identified as CVE-2024-22024.
  • Earlier updates on January 31, 2024, noted additional vulnerabilities affecting all supported versions of both Ivanti products.

On February 14, 2024, Ivanti announced the release of important software updates aimed at securing its Connect Secure and Policy Secure gateways. Organizations using these products are encouraged to consult Ivanti's newly updated Knowledge Base (KB) article for detailed information regarding the updates that address vulnerabilities.

CISA, the Cybersecurity and Infrastructure Security Agency, has strongly recommended that organizations adhere to the latest software guidance issued by Ivanti. "We urge organizations to follow the updated guidance—including software updates—that Ivanti has published," said a CISA spokesperson.

Among the newly disclosed vulnerabilities is an XML external entity injection (XXE) flaw, identified as CVE-2024-22024. This issue impacts several supported versions of Ivanti’s security products, specifically Policy Secure versions 22.5R1.1 and ZTA version 22.6R1.3, as well as Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and 22.5R2.2.
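The flaw class named above, XXE, arises when an XML parser follows entity declarations in input it did not author. The following added example, written for this page and not code from Ivanti or CISA, shows two things a defender can do in their own applications: audit an XML parser configuration to see whether it resolves external entities, and parse untrusted XML with that resolution disabled. It uses only Python's standard-library `xml.sax` module; the function names, the canary file and the sample documents are constructed for the example.

```python
"""Added example (not Ivanti's or CISA's code): auditing an XML parser for
external-entity resolution and parsing untrusted XML with it disabled."""
import io
import os
import tempfile
import xml.sax
from typing import Callable
from xml.sax import handler
from xml.sax.xmlreader import XMLReader


class _TextCollector(handler.ContentHandler):
    """Collects character data so we can see what the parser actually emitted."""

    def __init__(self) -> None:
        super().__init__()
        self.text: list[str] = []

    def characters(self, content: str) -> None:
        self.text.append(content)


def make_hardened_parser() -> XMLReader:
    """Expat parser with external general and parameter entities disabled.
    These are the defaults in current CPython, but we set them explicitly so
    a copied snippet or a library change cannot silently flip them."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    return parser


def make_unsafe_parser() -> XMLReader:
    """The weak setting: external general entities enabled. Exists here only
    so the audit below has a known-bad configuration to compare against."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)
    return parser


def parser_resolves_external_entities(factory: Callable[[], XMLReader]) -> bool:
    """Audit check: feed the parser a document whose only text comes from a
    SYSTEM entity pointing at a canary file we create ourselves. If the canary
    string shows up in the parsed text, the parser followed the entity."""
    canary = "CANARY-TEXT-0"  # constructed marker, nothing sensitive
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(canary)
        doc = (
            '<?xml version="1.0"?>\n'
            f'<!DOCTYPE d [<!ENTITY ext SYSTEM "{path}">]>\n'
            "<d>&ext;</d>"
        )
        collector = _TextCollector()
        parser = factory()
        parser.setContentHandler(collector)
        parser.parse(io.StringIO(doc))
        return canary in "".join(collector.text)
    finally:
        os.unlink(path)


def parse_untrusted(xml_text: str) -> str:
    """Parse XML from an untrusted source and return its text content.
    A DOCTYPE is refused outright: entity declarations require one, and data
    exchanged with a service has no legitimate need for it. The substring
    check is deliberately crude (a DOCTYPE inside a comment is also refused);
    failing closed is the intended behaviour."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not allowed in untrusted XML")
    collector = _TextCollector()
    parser = make_hardened_parser()
    parser.setContentHandler(collector)
    parser.parse(io.StringIO(xml_text))
    return "".join(collector.text)


if __name__ == "__main__":
    print("unsafe parser resolves external entities:",
          parser_resolves_external_entities(make_unsafe_parser))
    print("hardened parser resolves external entities:",
          parser_resolves_external_entities(make_hardened_parser))
    print("parsed untrusted document:", parse_untrusted("<r><a>hi</a></r>"))
```

The audit function is the part worth keeping around: run it against every parser factory your code base uses (including third-party wrappers) so a configuration regression shows up in tests rather than in an incident report.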

CISA also highlighted the importance of a Supplemental Direction to its Emergency Directive addressing Ivanti vulnerabilities. Although this directive primarily targets Federal Civilian Executive Branch (FCEB) agencies, CISA advocates for all organizations to review the guidance and implement it where relevant. "While the directive is tailored for FCEB agencies, we encourage all parties to be proactive in evaluating their own systems," the spokesperson affirmed.

Earlier updates on January 31, 2024, noted additional vulnerabilities affecting all supported versions of both Ivanti products. These include a server-side request forgery vulnerability (CVE-2024-21893) and a privilege escalation vulnerability (CVE-2024-21888). Together these vulnerabilities pose a significant threat: actors are exploiting them to gain unauthorized access or to escalate their privileges within network systems.

Threat actors are actively targeting weaknesses in Ivanti Connect Secure and Policy Secure gateways to harvest credentials and establish webshells. "We have observed that some threat actors are employing advanced strategies to bypass existing mitigations and detection techniques," said a cybersecurity analyst. The problem is compounded by actors who have found ways to evade external integrity checks, obscuring traces of their intrusions.

CISA urges organizations that have relied on Ivanti Connect Secure and Policy Secure gateways in recent weeks to adopt a vigilant approach through continuous threat hunting. Specifically, organizations should monitor any systems connected to these Ivanti devices closely. "It's essential to supervise authentication, account usage, and identity management services to ensure they are safeguarded against potential breaches," the CISA representative stated.
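The recommendation above is to hunt across the authentication and identity services that sit behind the gateway, not only the gateway itself. The following added example, written for this page and not a CISA or Ivanti tool, shows one shape such a hunt can take: build a per-account baseline of source addresses from the weeks before the period of concern, then flag successful logins from addresses outside that baseline and any sensitive identity changes inside the window. The log format, the `SAMPLE_LOG` lines, the event names and the rule names are all constructed for the example; adapt `parse_line` to your identity provider's export.

```python
"""Added example (not CISA's or Ivanti's tooling): a baseline-versus-window
hunt over constructed authentication and identity-change events."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed line format: "<ISO timestamp> <event> user=<u> src=<ip> [result=<r>] [target=<t>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: result=(?P<result>\S+))?(?: target=(?P<target>\S+))?$"
)

# Constructed sample: alice's January logins come from an internal address; in
# February a login from an unfamiliar address is followed by identity changes.
SAMPLE_LOG = """\
2024-01-20T09:00:00Z login user=alice src=10.1.4.20 result=success
2024-01-21T09:05:00Z login user=bob src=10.1.4.31 result=success
2024-01-25T18:10:00Z login user=alice src=10.1.4.20 result=success
2024-02-02T03:12:44Z login user=alice src=203.0.113.77 result=success
2024-02-02T03:14:02Z account_create user=alice src=203.0.113.77 target=svc-backup2
2024-02-02T03:15:30Z group_add user=alice src=203.0.113.77 target=Domain-Admins
2024-02-03T08:00:00Z login user=bob src=10.1.4.31 result=success
2024-02-03T08:01:00Z login user=carol src=10.1.4.50 result=failure
"""

# Identity changes that deserve a look whenever they fall inside the window.
SENSITIVE_EVENTS = {"account_create", "group_add", "password_reset"}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str):
    """Return a dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = parse_ts(event["ts"])
    return event


def hunt(log_text: str, window_start: str) -> list:
    """Build a per-user baseline of source addresses from successful logins
    before window_start (ISO timestamp), then flag window events that either
    authenticate a known account from an address absent from its baseline or
    are sensitive identity changes. Findings are returned in log order."""
    start = parse_ts(window_start)
    events = [e for e in map(parse_line, log_text.splitlines()) if e]

    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < start and e["event"] == "login" and e["result"] == "success":
            baseline[e["user"]].add(e["src"])

    findings = []
    for e in events:
        if e["ts"] < start:
            continue
        common = {"ts": e["ts"].isoformat(), "user": e["user"], "src": e["src"]}
        if e["event"] == "login" and e["result"] == "success":
            if e["user"] in baseline and e["src"] not in baseline[e["user"]]:
                findings.append({"rule": "new_source_for_account", **common})
        elif e["event"] in SENSITIVE_EVENTS:
            findings.append({"rule": "sensitive_identity_change",
                             "event": e["event"], "target": e["target"], **common})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG, "2024-02-01T00:00:00Z"):
        print(finding)
```

Two design points carry over to real data: the baseline is built only from successful logins, so failed attempts cannot poison it, and accounts with no baseline at all are not silently trusted; in production you would add a rule for those rather than skip them as this compact version does.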

To bolster their defenses further, organizations are advised to isolate vulnerable systems from broader enterprise resources as much as possible. CISA strongly emphasizes that once patches become available, applying them should be a priority to mitigate the risks posed by these vulnerabilities.

Given that cybersecurity threats are increasingly sophisticated, organizations must remain vigilant. As threat actors evolve their methods, the importance of timely updates and adherence to best practices in cyber defense cannot be overstated. CISA will continue to monitor the situation, providing updates and further guidance as necessary to ensure that organizations are equipped to handle potential security challenges.