Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, and Ivanti Policy Secure gateways have several vulnerabilities affecting versions 9.x and 22.x[1].
- Command injection [CVE-2023-46805]
- Authentication bypass [CVE-2024-21887]
- CVE-2024-21888
- CVE-2024-21893
Cybersecurity News
February 2, 2024: Critical actions required.
January 12, 2024: Bitsight research started.
Severity
- The command injection vulnerability [CVE-2023-46805] has a CVSS of 8.2 (material).
- The authentication bypass vulnerability [CVE-2024-21887] has a CVSS of 9.1 (severe).
- CVE-2024-21888 has a CVSS of 8.8 (material).
- CVE-2024-21893 has a CVSS of 8.2 (material).
As high as these vulnerabilities are independently scored, an even higher CVSS is likely warranted when these vulnerabilities are used together. Using them together allows for a threat actor to execute arbitrary commands without authentication. Since these devices are likely a significant entrypoint into an organization, the ability to execute arbitrary commands is a serious threat, which may lead to further pivoting deeper into the network, and can result in a wider breach of sensitive data.
What To Do
- We have 17 historical active vulnerability detection capabilities for Pulse Connect. These include, but are not limited to, the following vulnerabilities:
- CVE-2019-11507
- CVE-2020-8218
- CVE-2021-22893
- Ivanti is still producing a patch for the vulnerabilities at this time. While patching will be the best solution when it is available, Ivanti has released mitigation details. Mitigation can impact and/or degrade some features of Ivanti Connect Secure and Ivanti Policy Secure.
- In addition to mitigation, Ivanti also produced an Integrity Checker (ICT) that may be used to potentially detect threat actor activity on your Ivanti device. See information and guidance on running the ICT in their forum[2].
Resources
- CISA, “Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways”
- Ivanti, “KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways”
- Ivanti “Security Update for Ivanti Connect Secure and Ivanti Policy Secure Gateways”
- February 1, 2024: Critical actions required.
- January 12, 2024: Published.
Feedback
0 comments
Please sign in to leave a comment.