Alert: Connect Secure Zero-Days Used in Attacks, Says Ivanti

Ivanti has disclosed two Connect Secure (ICS) and Policy Secure zero-days that have been exploited in the wild and allow remote attackers to execute arbitrary commands on targeted gateways. The first flaw (CVE-2023-46805) is an authentication bypass in the gateways' web component, which allows attackers to bypass control checks and access restricted resources.

The second vulnerability (tracked as CVE-2024-21887) is a command injection flaw that allows authenticated administrators to execute arbitrary commands on vulnerable appliances by sending specially crafted requests. Mandiant and Volexity found that attackers can execute arbitrary commands on all supported versions of the impacted products by chaining the two zero-days.

"If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system. We are providing mitigation now while the patch is in development to prioritize the best interest of our customers. It is critical that you immediately take action to ensure you are fully protected," Ivanti stated.

According to the company, patches will be released on a staggered schedule, with "the first version targeted to be available to customers the week of 22 January and the final version targeted to be available the week of 19 February."

Zero-Days Exploited in Attacks

According to Ivanti, the two zero-days have already been exploited in the wild in attacks targeting a limited number of customers. Threat intelligence firm Volexity, which discovered the zero-days being used in the wild in December, believes the attacker is a Chinese state-backed threat actor.

"We are aware of less than 10 customers impacted by the vulnerabilities. We are unable to discuss the specifics of our customers. We have seen evidence of threat actors attempting to manipulate Ivanti's internal integrity checker (ICT). Out of an abundance of caution, we are recommending that all customers run the external ICT. Based on our analysis, Ivanti has not found any indication that this vulnerability was introduced into our code development process maliciously. Ivanti does not indicate that it has been compromised," the company disclosed.

According to Shodan, more than 15,000 Connect Secure (ICS) and Policy Secure gateways are currently exposed online, based on a search query shared by security expert Kevin Beaumont. Beaumont also warned earlier today that the two zero-days are being used in attacks and enable code execution and MFA bypass.

Last week, Ivanti announced that unauthenticated attackers could take control of enrolled devices or the core server by exploiting a severe remote code execution (RCE) vulnerability (CVE-2023-39336) in its Endpoint Management software (EPM).

In July, state hackers exploited two other zero-day vulnerabilities in Ivanti's Endpoint Manager Mobile (EPMM), CVE-2023-35078 and CVE-2023-35081, to break into the networks of multiple government agencies in Norway. A month later, hackers exploited a third zero-day vulnerability (CVE-2023-38035) in Ivanti's Sentry software to bypass API authentication on vulnerable devices. More than 40,000 businesses worldwide use Ivanti's products to manage their IT systems and assets.