Ivanti Connect Secure VPN: Greenbone protects against Zero Day

A series of flaws in Ivanti’s Connect Secure VPN is being actively exploited by attackers. Both the German BSI and the US government’s Cybersecurity and Infrastructure Security Agency (CISA) have issued warnings. CISA has even issued an Emergency Directive ordering all Federal Civilian Executive Branch (FCEB) agencies to apply patches immediately.

Thousands of publicly accessible Ivanti systems worldwide are at risk, many of them located in Germany, and the flaws are being actively exploited. Because Ivanti’s devices have been covered by Greenbone’s vulnerability tests in the Enterprise Feed for several years, we were able to warn our customers as early as January 10 and have been continuously building tests for the most recent vulnerabilities. Nevertheless, Ivanti customers need to stay alert and take action: Ivanti’s patches require a factory reset of the devices.

Remote Code Execution and Authentication Bypass

In December, the US security firm Volexity found two serious security vulnerabilities (CVE-2023-46805 and CVE-2024-21887, both published on January 12, 2024) in devices running Ivanti Connect Secure VPN. Affected products included Ivanti Connect Secure (formerly Ivanti Pulse Secure), Ivanti Policy Secure and Ivanti Neurons for Zero Trust Access (ZTA).

According to Ivanti’s official statement, the vulnerabilities allow remote attackers to bypass authentication mechanisms, execute their own code without authorization and take control of systems. The manufacturer urgently advises its customers to implement the workarounds and continues to update its communication in a forum article.

Patches shipped at the end of January also included fixes for three other severe vulnerabilities that Ivanti warned about in late January and early February (CVE-2024-21893, CVE-2024-21888 and CVE-2024-22024). These three high-risk issues are a server-side request forgery, a privilege escalation and an XML external entity (XXE) vulnerability.

According to the vendor, security patches for all flaws were delivered on February 1. Users who applied the February patch and performed a factory reset should not need another one now.

Greenbone customers have been warned, but administrators need to take action

Due to the widespread use of Ivanti devices in Germany, Greenbone has been including tests for Ivanti Connect Secure for several years. While other available tests only check the version numbers of the software in use, Greenbone’s vulnerability checks use extended functions and thus achieve a significantly higher level of accuracy in reporting.

However, even though our products warn Greenbone customers faster and more accurately about potential vulnerabilities in Ivanti devices, users still need to take action and apply all the measures recommended by the manufacturer. For example, it is quite possible that attackers had already exploited a vulnerability before it was published. Therefore, all customers must use the Integrity Checker provided by Ivanti to verify the integrity of their installation.

The five security vulnerabilities in Ivanti VPN Gateway appliances according to NIST:

  • CVE-2023-46805 (CVSS 8.2 High): The authentication bypass vulnerability [CWE-287] in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows an attacker to access restricted resources by bypassing control checks.
  • CVE-2024-21887 (CVSS 9.1 High): The command injection vulnerability [CWE-77] in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows administrators to send specially crafted requests and execute arbitrary commands on the appliance.
  • CVE-2024-21893 (CVSS 8.2 High): A server-side request forgery vulnerability [CWE-918] in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
  • CVE-2024-21888 (CVSS 8.8 High): A privilege escalation vulnerability [CWE-265] in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to administrator level.
  • CVE-2024-22024 (CVSS 8.3 High): An XML external entity (XXE) vulnerability [CWE-643] in the SAML components of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways allows an attacker to access certain restricted resources without authentication.

Immediate Actions

The patches were initially released on January 22. Until users can download and install the official patches from Ivanti, they should follow these steps: