CVE-2023-46805 and CVE-2024-21887 Threaten Ivanti Users (Copyright © 2024) — CISA published an emergency directive in response to recent Ivanti vulnerabilities.

The Cybersecurity and Infrastructure Security Agency (CISA) has observed that vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions (referred to below as the “affected products”) are being actively exploited. Malicious actors can exploit these vulnerabilities to move laterally within a system, steal data and gain persistent access. If successfully exploited, these vulnerabilities can result in the complete compromise of targeted information systems.

Due to the widespread exploitation of these vulnerabilities by multiple threat actors, their prevalence in federal enterprise systems, the high risk of compromise to agency information systems, the potential impact of a successful breach and the complexity of proposed mitigations, CISA has determined that immediate action is necessary to address this unacceptable risk for Federal Civilian Executive Branch (FCEB) agencies.

On January 10th, 2024, Ivanti released information regarding two specific vulnerabilities found in the affected products:

CVE-2023-46805: This vulnerability affects the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. It allows remote attackers to bypass control checks and gain unauthorized access to restricted resources.

CVE-2024-21887: This vulnerability is a command injection flaw in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. It is exploitable over the internet and allows an authorized administrator to send specially crafted requests and execute arbitrary commands on the impacted products.

When chained, these vulnerabilities enable a malicious actor to execute arbitrary commands on a susceptible product. Ivanti has provided a temporary mitigation in the form of an XML file that can be imported into affected products to make the necessary configuration changes until a permanent update is available.

According to this Directive, agencies must promptly implement Ivanti’s published solution on the affected products to prevent future exploitation. However, it is important to note that this initial action does not address any current or past compromises. Therefore, agencies are also required to run Ivanti’s External Integrity Checker Tool and take additional measures if any signs of compromise are detected.

The actions mandated in this Emergency Directive align with the requirements outlined in CISA’s Binding Operational Directive 22-01 and do not contradict any previous mandates.

Mandatory Actions

Agencies utilizing affected products (Ivanti Connect Secure or Ivanti Policy Secure solutions) must carry out the following tasks:

  1. Download and import “mitigation.release.20240107.1.xml” from Ivanti’s download portal into the impacted product as soon as possible and no later than 11:59 pm EST on Monday, January 22nd, 2024.
    Please be aware that importing the XML file can affect several product management features. Agencies must carefully follow Ivanti’s instructions to ensure a successful import and avoid service disruptions.
  2. Right after importing the XML file, make sure to download and execute Ivanti’s External Integrity Checker Tool. Please note that even if you have a newer version of the affected software with an integrated internal integrity checker, it is still necessary to download and run this external tool. Running the External Integrity Checker Tool will cause the affected product to reboot.
  3. If you detect any signs of compromise:
    1. Immediately report these indications of compromise to CISA by contacting [email protected].
    2. Remove compromised products from your agency networks.
    3. Initiate incident analysis and preserve data from the compromised devices by creating forensic hard drive images.
    4. Investigate for any further signs of compromise.
  4. To bring a compromised product back into service, follow these steps:
    1. Reset the device with the affected Ivanti solution software to its factory default settings.
    2. Download “mitigation.release.20240107.1.xml” from Ivanti’s download portal.
    3. Import this XML file into the affected product through Ivanti’s download portal.
    4. Please note that importing this XML file may affect certain product management features, so agencies must carefully adhere to Ivanti’s instructions to ensure a proper import and avoid service disruptions.

To fully restore a compromised product and bring it back into operation, agencies must also follow Ivanti’s instructions and perform the following additional actions on all affected products:

  1. Revoke and replace any stored certificates.
  2. Reset the administrator enable password.
  3. Reset any stored API keys.
  4. Change the password for any local user defined on the gateway, including service accounts used for authentication server configurations.
  5. Install updates that address the two vulnerabilities mentioned in this Directive as they become available, ensuring that they are applied no later than 48 hours after their release by Ivanti.
  6. One week after this Directive is issued, provide CISA with a comprehensive inventory of all instances of Ivanti Connect Secure and Ivanti Policy Secure products on agency networks, including details of actions taken and outcomes achieved.

Please note that these steps are crucial to ensure the effective restoration of compromised products and their secure operation within agency networks.

For more information, see the CISA website.