THE THREAT
On January 31st, Ivanti disclosed a new actively exploited vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA devices. The exploited vulnerability is tracked as follows: CVE-2024-21893 (CVSS: 8.2) - Server-Side Request Forgery vulnerability. If exploited, an unauthenticated threat actor may access restricted resources on vulnerable devices. The official advisory states that Ivanti is aware of “a small number of customers” that have been impacted via exploitation of this vulnerability.
Ivanti has released security patches to address some of the impacted versions; additional security patches will be released in a staggered approach. At this time, exploitation appears to be limited and targeted in nature. Due to the rapid adoption of past Ivanti zero-day vulnerabilities by threat actors, widespread exploitation of CVE-2024-21893 should be expected in the immediate future.
What we’re doing about it
- eSentire Managed Vulnerability Service (MVS) will add the relevant plugins to identify CVE-2024-21893 as they become available
- The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities
What you should do about it
- After performing a business impact review, apply the relevant security patches immediately
- Updated Ivanti Connect Secure versions are 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1 and ZTA version 22.6R1.3
- If patching is not immediately possible, apply the relevant mitigations provided by Ivanti
- Import mitigation.release.20240126.5.xml file via the Ivanti download portal
Additional information
In addition to CVE-2024-21893, Ivanti disclosed a second vulnerability tracked as CVE-2024-21888 (CVSS: 8.8). This is a privilege escalation vulnerability impacting Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x). Exploitation would allow an authenticated user to elevate their privileges to the level of administrator. There is currently no indication of real-world attacks involving CVE-2024-21888.
CVE-2024-21893 - Impacted Product List:
- Ivanti Connect Secure 9.1R14 prior to 9.1R14.4
- Ivanti Connect Secure 9.1R17 prior to 9.1R17.2
- Ivanti Connect Secure 9.1R18 prior to 9.1R18.3
- Ivanti Connect Secure 22.4 prior to 22.4R2.2
- Ivanti Connect Secure 22.5 prior to 22.5R1.1
- All other supported Ivanti Connect Secure versions
- All supported Ivanti Policy Secure versions
- Ivanti Neurons for Zero Trust Access version 22.6 prior to 22.6R1.3
- All other supported versions of Ivanti Neurons for Zero Trust Access
CVE-2024-21893 is suspected to be related to two previously disclosed Ivanti zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887). These vulnerabilities were disclosed on January 10th, with initial exploitation traced back to early December 2023. The transition from targeted attacks to widespread exploitation occurred only a single day after the vulnerabilities were publicly disclosed. The initial exploitation of CVE-2023-46805 and CVE-2024-21887 was attributed to a China-nexus, espionage threat actor dubbed UNC5221.
Details on the exploitation of CVE-2024-21893 are currently minimal, but it is probable that exploitation of all three vulnerabilities is related. The eSentire Threat Intelligence team assesses with high confidence that CVE-2024-21893 will be adopted by additional threat actor groups and used in widespread attacks in the immediate future.
References:
[1] https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
[2] https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
[3] https://digital.nhs.uk/cyber-alerts/2024/cc-4446
[4] https://www.esentire.com/security-advisories/ivanti-zero-day-vulnerabilities-cve-2023-46805-and-cve-2024-21887
[5] https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day
