Organisations are encouraged to take immediate action to mitigate vulnerabilities affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893), and follow the latest vendor advice.
Ivanti has published an updated advisory detailing four vulnerabilities affecting Connect Secure and Policy Secure gateways. Ivanti is aware of active exploitation of some of these vulnerabilities.
CVE-2023-46805 — an authentication bypass vulnerability in the web component of ICS (9.x, 22.x) and IPS which allows a remote attacker to access restricted resources by bypassing control checks.
CVE-2024-21887 — a command injection vulnerability in web components of ICS (9.x, 22.x) and IPS which allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation doesn't require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.
CVE-2024-21888 — a privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) which allows a user to elevate privileges to that of an administrator.
CVE-2024-21893 — a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA which allows an attacker to access certain restricted resources without authentication.
The NCSC will continue to monitor for any impact of these vulnerabilities on UK organisations.
Organisations using Ivanti Connect Secure and Policy Secure gateways.
The NCSC recommends following vendor best-practice advice to mitigate vulnerabilities. In this case, if you use Ivanti Connect Secure and Policy Secure gateways, you should take these priority actions:
1. Run the Ivanti external Integrity Checker Tool (ICT). The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state. The ICT does not scan for malware or IoCs.
2. Check for compromise using the detection steps and indicators of compromise (IoCs) detailed in the Ivanti KB article, the Volexity blog and the Mandiant blog.
3. If you believe you have been compromised and are in the UK, you should report it to the NCSC.
4. If an update for your version is not currently available, install the vendor temporary workaround.
5. Monitor the Ivanti KB article and install the security update once it is available for your version. The vendor recommends performing a factory reset before installing the update.
6. Perform continuous monitoring and threat hunting activities.
The NCSC provides a range of free guidance, services and tools that help to secure systems.
Follow NCSC guidance including preventing lateral movement.
Sign up to the free NCSC Early Warning service to receive notifications of potential cyber attacks on your network. If you are an Early Warning user already, please check your MyNCSC portal.
UK central government departments can take advantage of the NCSC's Host Based Capability.
The NCSC's Vulnerability Disclosure Toolkit helps organisations of all sizes with the essential components of implementing a vulnerability disclosure process.
PUBLISHED
11 January 2024