When Patch Tuesday becomes Patch Monday – Friday


If you’re an administrator running Ivanti VPN (Connect Secure and Policy Secure) appliances in your network, then the past two months have likely made you wish you weren’t.
In a relatively short timeframe, bad news kept piling up for Ivanti Connect Secure VPN customers, starting on Jan. 10th, 2024, when Ivanti disclosed a critical and a high severity vulnerability, CVE-2024-21887 and CVE-2023-46805 respectively, impacting all supported versions of the product. Chaining these two vulnerabilities, a command injection weakness and an authentication bypass, can result in remote code execution on the appliance without any authentication, enabling complete device takeover and opening the door for attackers to move laterally within the network.

This was followed three weeks later, on Jan. 31st, 2024, by two more high severity vulnerabilities, CVE-2024-21888 and CVE-2024-21893, prompting CISA to supersede its previous directive to patch the two initial CVEs by ordering all U.S. Federal agencies to disconnect all Ivanti appliances from their networks “as soon as possible” and no later than 11:59 PM on February 2nd.

As patches were gradually made available by Ivanti, the recommendation from both CISA and Ivanti has been not only to patch impacted appliances but to factory reset them first and only then apply the patches, so that attackers cannot maintain persistence across the upgrade. It goes without saying that the downtime and the amount of work required from security teams to keep the business’ remote access running are, putting it mildly, substantial.

In today’s “work from anywhere” market, businesses cannot afford downtime of this magnitude: the loss of employee productivity that occurs when remote access is down has a direct impact on the bottom line.
Security teams and CISOs running Ivanti and similar on-prem VPN solutions need to accept that this security architecture is fast becoming, if not already, obsolete and belongs in the past. Migrating to a modern ZTNA deployment, ideally as part of a single vendor SASE solution, has countless benefits. Not only does it greatly increase security within the network, stopping lateral movement and limiting the “blast radius” of an attack, but it also alleviates the burden of patching, monitoring and maintaining a bottomless pit of geographically distributed physical appliances from multiple vendors.


Details of the vulnerabilities

  • CVE-2023-46805: Authentication Bypass (CVSS 8.2)
    • Found in the web component of Ivanti Connect Secure and Ivanti Policy Secure (versions 9.x and 22.x)
    • Allows remote attackers to access restricted resources by bypassing control checks.
  • CVE-2024-21887: Command Injection (CVSS 9.1)
    • Identified in the web components of Ivanti Connect Secure and Ivanti Policy Secure (versions 9.x and 22.x)
    • Enables authenticated administrators to execute arbitrary commands via specially crafted requests.
  • CVE-2024-21888: Privilege Escalation (CVSS 8.8)
    • Discovered in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x)
    • Permits users to elevate privileges to that of an administrator.
  • CVE-2024-21893: Server-Side Request Forgery (SSRF) (CVSS 8.2)
    • Present in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and Ivanti Neurons for ZTA
    • Allows attackers to access restricted resources without authentication.
  • CVE-2024-22024: XML External Entity (XXE) Vulnerability (CVSS 8.3)
    • Detected in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and ZTA gateways
    • Permits unauthorized access to specific restricted resources.

Specifically, by chaining CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893, attackers can bypass authentication and obtain root privileges, giving them full control of the system. The first two CVEs were observed being chained together in attacks going back to December 2023, i.e. well before the vulnerabilities were published.
With estimates of internet-connected Ivanti VPN gateways ranging from ~20,000 (Shadowserver) all the way to ~30,000 (Shodan), and with public POCs widely available, it is imperative that anyone running unpatched versions applies the patches and follows Ivanti’s best practices to make sure the system has not been compromised.

Conclusion

In times when security and IT teams are under more pressure than ever to make sure business and customer data are protected, with CISOs possibly even facing personal liability for data breaches, it has become imperative to implement comprehensive security solutions and to stop duct-taping together assorted security products and appliances in the network.

Moving to a fully cloud delivered, single vendor SASE solution, on top of providing the full suite of modern security any organization needs, such as ZTNA, SWG, CASB, DLP, and much more, greatly reduces the maintenance required when running multiple products and appliances. Quite simply, it eliminates the need to chase CVEs, apply patches in endless loops and deal with staff burnout. The networking and security infrastructure is consumed like any other cloud delivered service, allowing security teams to focus on what’s important.
