Frequently asked questions for four CVEs affecting Ivanti Connect Secure and Policy Secure Gateways, with three of the vulnerabilities having been exploited in the wild as zero-days.

Background

The Tenable Security Response Team has put together this blog to answer Frequently Asked Questions (FAQ) regarding four vulnerabilities affecting Ivanti Connect Secure and Policy Secure Gateways. Three of these four vulnerabilities have been exploited in the wild as zero-days.

FAQ

What are the Ivanti CVEs and when were they disclosed?

As of January 31, there have been four CVEs disclosed by Ivanti throughout January 2024:

CVE-2023-46805 and CVE-2024-21887 were originally disclosed on January 10 and we published a blog post that same day. CVE-2024-21888 and CVE-2024-21893 were disclosed in a security advisory on January 31, the same day this blog post was published.

Which Ivanti products are affected?

Ivanti Connect Secure and Ivanti Policy Secure are impacted by all four of these vulnerabilities. ZTA is also listed in both advisories, however Ivanti’s KB article provides further clarification. According to the article, Ivanti Neurons for ZTA gateways cannot be exploited when deployed in a production environment. However when a gateway “is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway.” Ivanti explains further that while Ivanti Neurons for Secure Access is not vulnerable to these CVEs the gateways being managed are.

What is the significance of the two new CVEs?

The January 31st advisory from Ivanti includes two new CVE’s that were not known when we released our previous blog post. This advisory indicates that as part of its investigation into CVE-2023-46805 and CVE-2024-21887, Ivanti became aware of two new vulnerabilities, CVE-2024-21888 and CVE-2024-21893. While Ivanti’s advisory says that the SSRF issue (CVE-2024-21893) has only been exploited in limited, targeted attacks, they do note that they “expect a sharp increase in exploitation once this information is public – similar to what we observed on 11 January following the 10 January disclosure.”

Which of these four CVE’s have been exploited?

As of January 31, Ivanti is aware of exploitation for three of the four CVEs, which were exploited in the wild as zero-days:

• CVE-2023-46805
• CVE-2024-21887
• CVE-2024-21893

At the time this blog was published, no known exploitation for CVE-2024-21888, the privilege escalation vulnerability affecting the web component of Ivanti Connect Secure and Policy Secure, has been observed. However, It’s important to note that CVE-2023-46805 and CVE-2024-21887 are being exploited in chained attacks, allowing the threat actor to compromise devices without authentication. CVE-2024-21893 can also be exploited without authentication, allowing for limited access to resources.

When was zero-day exploitation first observed for these vulnerabilities?

According to Ivanti and a blog by Volexity, CVE-2023-46805 and CVE-2024-21887 were first exploited in the wild in a chained attack for unauthenticated remote code execution (RCE) as early as December 3, 2023.

While Ivanti has observed limited, targeted attacks using CVE-2024-21893, the newly disclosed SSRF issue, at this time, it’s unclear when this exploitation was first identified.

Are these vulnerabilities being actively exploited?

Yes, as noted above, three of the four vulnerabilities have seen active exploitation. According to an alert from the US Cybersecurity Agency (CISA), multiple threat actors are actively targeting and exploiting affected devices to plant webshells and/or steal credentials. The CISA warning also states that threat actors have identified workarounds to the original mitigations supplied by Ivanti in their first advisory.

A Volexity blog post and Mandiant blog post have been released highlighting exploitation by multiple threat actors and APT groups who have planted webshells and malware on affected devices in widespread, global attacks.

Are patches or mitigations available?

Yes, as of January 31, the first set of patches have been released to address all four of these vulnerabilities on Ivanti Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1 as well as ZTA version 22.6R1.3. Additional patches are expected to be released in phases.

Ivanti’s original advisory stated that the first patches would be released the week of January 22, however on January 26, their advisory was updated to reflect that “The targeted release of patches for supported versions is delayed, this delay impacts all subsequent planned patch releases.”

For those versions which are still impacted and do not yet have a patch available, a KB article from Ivanti provides mitigation guidance, which has been updated several times since its original release. It is important to note that the current guidance recommends a factory reset of the affected appliance before applying the patch in order to prevent threat actors from maintaining persistence on a compromised device. We recommend reviewing the KB article and advisories for the latest information on patching and mitigation steps.

If I’ve applied the mitigation, do I need to apply the patch?

Applying the relevant patch, once available, is the best way to ensure that your device is secured for these vulnerabilities. Ivanti notes that if you have applied the mitigation, it can be removed after the patch has been applied.

An important note listed on the KB article states that no configuration changes should be pushed to the appliance that has the XML mitigation script in place. It’s possible that configuration changes could stop key services from running, thereby impacting the mitigation and limiting its efficacy.

Can I use the internal integrity checker (ICT) to identify malicious activity?

According to Ivanti, the internal ICT does not scan for malware and cannot be used to identify threat activity. Ivanti and CISA both note that threat actors have been observed manipulating the ICT in order to hide traces of their activity, so it cannot be trusted. They do recommend running the external ICT, which is receiving regular updates for new functionality.

Has Tenable released any product coverage for these CVEs?

Yes, product coverage is available and can be found on the individual CVE pages for each of these CVEs:

• CVE-2023-46805
• CVE-2024-21887
• CVE-2024-21888
• CVE-2024-21893

These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline. Note that CVE coverage for CVE-2024-21888 and CVE-2024-21893 is expected to be released soon.

Get more information

• Tenable Blog Post: CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure Gateways
• Ivanti Security Advisory: CVE-2023-46805 and CVE-2024-21887
• Ivanti Security Advisory: CVE-2024-21888 and CVE-2024-21893
• Ivanti KB article

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.