
Date: 11-1-2024

Dear Reader,

On 10 January 2024, Ivanti warned about two high-severity zero-day vulnerabilities in Ivanti Connect Secure VPN (formerly known as Pulse Connect Secure, or simply Pulse Secure). The vulnerabilities allow for authentication bypass as well as command injection in the web component of Ivanti Connect Secure and Ivanti Policy Secure: an attacker can access restricted resources by bypassing control checks, and an authenticated administrator can send specially crafted requests and execute arbitrary commands on the appliance.

Description

Ivanti's Connect Secure VPN, previously known as Pulse Secure VPN, is an SSL VPN solution that lets remote users connect to a network from anywhere [1]. Its setup usually consists of a server in the network and VPN client software installed on the systems that connect to that server.

The vulnerability tracked as CVE-2023-46805 [2] is an authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure, which allows a remote attacker to access restricted resources by bypassing control checks.

The other vulnerability, tracked as CVE-2024-21887, is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. It allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. What makes this vulnerability particularly concerning is its potential for exploitation over the internet, posing a direct threat to the security posture of the affected systems.

The following versions of the software are vulnerable:

  • Ivanti Connect Secure (9.x, 22.x)

  • Ivanti Policy Secure (9.x, 22.x)

Impact

We estimate the impact of these vulnerabilities as HIGH because successful exploitation of these vulnerabilities could result in unauthenticated remote code execution. This scenario opens the door for attackers to craft malicious requests, execute arbitrary commands on the system, escalate privileges, compromise data confidentiality, and potentially disable critical defensive measures such as EDR.

Risk

We estimate the risk of these vulnerabilities as HIGH, as there is currently active exploitation of the zero-day vulnerabilities [3]. The primary risks associated with these vulnerabilities are privilege escalation, unauthorised access to your environment, and sensitive data exfiltration.

Mitigation

At the time of writing, Ivanti has not released any patches that address these vulnerabilities. Northwave recommends mitigating these vulnerabilities by importing the file “mitigation.release.20240107.1.xml” via the Ivanti download portal [4], until a patch is available. This XML file is designed to prevent the vulnerability exploitation and reduce the associated risks while a more comprehensive patch is in development.

Ivanti suggests running the external Integrity Checker Tool (ICT) as a precautionary measure, especially due to evidence of threat actors attempting to manipulate Ivanti’s internal integrity checker. The external ICT has been updated with new functionality, which will be incorporated into the internal ICT in the future. Customers can access the mitigation and the latest ICT via their standard download portal and import the XML file [4].


What should you do?

Ivanti released a temporary mitigation to address these vulnerabilities [2]. If the vulnerable software is in use, we advise implementing this mitigation and following the recommendations from Ivanti immediately.

What will Northwave do?

For customers with Endpoint Detection & Response (EDR) based on Defender for Endpoint installed on the Ivanti VPN appliance, Northwave has created and implemented a detection rule capable of detecting modifications of the Ivanti VPN configuration files, which could indicate an exploitation attempt. Besides the new detection rule, Northwave always alerts in case of post-exploitation activities, such as reconnaissance and lateral movement.

We will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.

E-mail: soc@northwave.nl

Do you have an incident right now? Call our CERT number: 00800 1744 0000

Disclaimer applies, see below.

Sources

[1]: https://www.ivanti.com/products/connect-secure-vpn

[2]: https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

[3]: https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/

[4]: https://success.ivanti.com/customers/Community_RegStep1_Page?inst=UL&startURL=%2Fservlet%2Fnetworks%2Fswitch%3FnetworkId%3D0DB1B000000PBGy%26startURL%3D%2Fs%2Farticle%2FDownload-Links-Related-to-CVE-2023-46805-and-CVE-2024-21887

[5]: https://www.ncsc.nl/actueel/advisory?id=NCSC-2024-0011


Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.