Emergency Directive (ED) - Supplemental Direction V1: ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities
This Supplemental Direction supersedes required action 4 in Emergency Directive (ED) 24-01 Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities and applies to any Federal agency running affected products (Ivanti Connect Secure or Ivanti Policy Secure solutions).
1. Agencies running affected products—Ivanti Connect Secure or Ivanti Policy Secure solutions—are required to immediately perform the following tasks:
a) As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks.
b) Continue threat hunting on any systems connected to—or recently connected to—the affected Ivanti device.
c) Monitor the authentication or identity management services that could be exposed.
d) Isolate the systems from any enterprise resources to the greatest degree possible.
e) Continue to audit privilege level access accounts.
2. To bring a product back into service, agencies are required to perform the following actions:
a) Export configuration settings.
b) Complete a factory reset per Ivanti’s instructions.
c) Rebuild the device per Ivanti’s instructions AND upgrade to one of the following supported software versions through Ivanti’s download portal (there is no cost to upgrade):
i) 9.1R18.3
ii) 22.4R2.2
iii) 22.5R1.1
iv) 9.1R14.4
v) 9.1R17.2
3. Reimport the configuration. If mitigation XML files were applied, review the Ivanti KB and customer portal for directions on how to remove the mitigations after upgrading.
a) Revoke and reissue any connected or exposed certificates, keys, and passwords, to include the following:
i) Reset the admin enable password.
ii) Reset stored application programming interface (API) keys.
iii) Reset the password of any local user defined on the gateway, including service accounts used for auth server configuration(s).
By 11:59PM EST Monday February 5, 2024, agencies must report to CISA (using an updated CyberScope template from CISA) agency status across the above actions. Agencies are required to provide updates to CISA on these actions, upon request and until complete.
4. Agencies running the affected products must assume domain accounts associated with the affected products have been compromised. By March 1, 2024, agencies must:
a) Reset passwords twice for on-premises accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments.
b) For cloud joined/registered devices, disable devices in the cloud to revoke the device tokens.
By 11:59PM EST Friday March 1, 2024, agencies must report to CISA (using an updated CyberScope template from CISA) agency status across all actions in this Supplemental Direction.
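One way to script the required action 4 sequence for a hybrid deployment, as an added example that is not part of this directive or of CISA's templates: it double-resets each listed on-premises account with random values, revokes the matching cloud account's refresh tokens, and disables the listed cloud device objects. It assumes the ActiveDirectory and Microsoft.Graph PowerShell modules and an existing Connect-MgGraph session holding the User.RevokeSessions.All and Device.ReadWrite.All permissions; the function names, parameters and sample account names are my own placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of ED 24-01: scripts required action 4 (double on-prem
# password reset, then cloud token revocation, then cloud device disable).
# Assumes Microsoft.Graph is installed and Connect-MgGraph has already been run
# with User.RevokeSessions.All and Device.ReadWrite.All (assumption, not from the page).

function New-RandomPassword {
    # 32 bytes from the OS CSPRNG, Base64-encoded; the value is never shown or stored.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Invoke-AssumedCompromiseReset {
    param(
        [Parameter(Mandatory)] [string[]] $SamAccountName,  # on-prem accounts tied to the device
        [string[]] $CloudDeviceId = @()                     # Entra device object IDs to disable
    )
    $result = foreach ($sam in $SamAccountName) {
        $user = Get-ADUser -Identity $sam -Properties UserPrincipalName
        # Required action 4a: two consecutive resets with random values, so the old
        # credential cannot be reused and the interim value is discarded.
        1..2 | ForEach-Object {
            Set-ADAccountPassword -Identity $sam -Reset -NewPassword (New-RandomPassword)
        }
        # Kerberos tickets issued before the reset stay valid until they expire or renew.
        # Domain-wide invalidation means a staged double reset of the krbtgt account with
        # replication in between; that is a separate planned change and is not scripted here.
        $revoked = $false
        if ($user.UserPrincipalName) {
            # Hybrid account: invalidate refresh tokens so cached sessions must re-authenticate.
            Revoke-MgUserSignInSession -UserId $user.UserPrincipalName | Out-Null
            $revoked = $true
        }
        [pscustomobject]@{ Account = $sam; PasswordResets = 2; CloudTokensRevoked = $revoked }
    }
    foreach ($id in $CloudDeviceId) {
        # Required action 4b: disabling the device object in the cloud revokes its device tokens.
        Update-MgDevice -DeviceId $id -AccountEnabled:$false
    }
    $result
}

# Usage (placeholder account names and device ID, not values from the directive):
# Invoke-AssumedCompromiseReset -SamAccountName 'svc-ivanti-ldap','ivanti-admin' `
#     -CloudDeviceId '00000000-0000-0000-0000-000000000000'
```

The function returns one record per account so the output can be kept as evidence for the CyberScope status report; run it against a test OU first, since a password reset on a service account also breaks whatever still uses that credential.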
1. CISA will provide agencies with a template that will be used for reporting agency actions following the issuance of this Supplemental Direction.
2. CISA will continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate.
3. CISA will provide technical assistance to agencies who are without internal capabilities sufficient to comply with this Supplemental Direction.
By June 1, 2024, CISA will provide a report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget, and the Federal Chief Information Security Officer identifying cross-agency status and outstanding issues.
This Supplemental Direction remains in effect until CISA determines that all agencies operating affected software have performed all required actions from this Direction or the Direction is terminated through other appropriate action.
Visit https://www.cisa.gov/news-events/directives or contact the following for:
General information, assistance, and reporting –
Reporting indications of compromise –