Vulnerabilities in Ivanti gateways actively exploited


2:00pm, 11 January 2024

TLP Rating: Clear

UPDATED: 01/02/24

Ivanti has released an advisory for two vulnerabilities affecting Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways.

The vulnerabilities, tracked as CVE-2023-46805 (high severity) and CVE-2024-21887 (critical severity), allow for authentication bypass and remote command execution. These could give a remote attacker full control of an affected device.

Since the initial advisory, Ivanti has disclosed two further vulnerabilities, CVE-2024-21888 and CVE-2024-21893, which allow for privilege escalation and server-side request forgery. These could let an attacker access restricted resources without authentication.

What's happening

Systems affected

The vulnerabilities impact all supported versions of Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways.

  • Ivanti Connect Secure (ICS) gateway – versions 9.x and 22.x
  • Ivanti Policy Secure (IPS) gateway – versions 9.x and 22.x

What to look for

How to tell if you're affected

Ivanti provides an integrity checker tool for monitoring changes to the configuration file. Please refer to the Ivanti advisory for details.

Check for the indicators of compromise provided in Volexity's blog.

What to do

Prevention

A patch is now available for versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and ZTA version 22.6R1.3. The patches cover all four vulnerabilities.

The remaining patches for supported versions will still be released on a staggered schedule. Ivanti recommends that all customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment.

Mitigation

For those running versions without a current patch, Ivanti has provided a mitigation and instructions on how to apply it in their customer advice.

Until patched, Ivanti recommends actively monitoring your devices for malicious activity.

More information

 

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
