Flash Notice: UPDATE - New Zero-Day Found in Ivanti's Connect Secure, Policy Secure, and ZTA Gateways

UPDATE (2/12/2024) - 

After investigating and testing code, Ivanti discovered a new vulnerability (CVE-2024-22024). Similar to the previous Ivanti vulnerabilities mentioned this week, the new vulnerability impacts Ivanti Connect Secure, Ivanti Policy Secure, and ZTA gateways.  

With a CVSS score of 8.3, CVE-2024-22024 is an “XML external entity or XXE vulnerability in the SAML component allows attackers to access certain restricted resources without authentication." Although Ivanti does not have evidence of customers being exploited by the vulnerability, they are advising all users to patch as soon as possible. The vulnerability impacts the following supported versions: 

Ivanti Connect Secure versions:  

• 9.1R14.4 
• 9.1R17.2 
• 9.1R18.3 
• 22.4R2.2 
• 22.5R1.1 
• 22.5R2.2 

Ivanti Policy Secure version  

• 22.5R1.1  

ZTA version  

• 22.6R1.3 

Please note that the mitigation mentioned in Avertium’s original flash notice is effective at blocking this vulnerable endpoint. Also, customers who applied the patch released on 31 January or 1 February, and completed a factory reset of their appliance, do not need to factory reset their appliances again. 

AVERTIUM'S RECOMMENDATIONS

• Ivanti’s advisory states that there are patches for the following versions:  
  • Ivanti Connect Secure - 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2. 
  • Ivanti Policy Secure - 9.1R17.3, 9.1R18.4 and 22.5R1.2 
  • ZTA gateways - 22.5R1.6, 22.6R1.5 and 22.6R1.7 
• For patch guidance and mitigation steps for CVE-2024-22024, please see Ivanti’s advisory and KB Article.  

overview

Ivanti has issued a critical advisory regarding two newly discovered vulnerabilities affecting its Connect Secure and Policy Secure products. These vulnerabilities are tracked as CVE-2024-21888 (CVSS score: 8.8) and CVE-2024-21893 (CVSS score: 8.2), with CVE-2024-21893 being actively exploited in the wild. 

CVE-2024-21888 

This vulnerability is a privilege escalation issue found in the web component of Ivanti Connect Secure (9.x, 22.x) and Policy Secure (9.x, 22.x). If exploited, attackers can gain administrative privileges. 

CVE-2024-21893 

This flaw is a server-side request forgery vulnerability in the SAML component of Connect Secure (9.x, 22.x), Policy Secure (9.x, 22.x), and Neurons for ZTA. Authenticated attackers can exploit the vulnerability to access restricted resources. The exploitation of CVE-2024-21893 appears to have only impacted a small number of Ivanti customers currently, but Ivanti anticipates a significant increase in exploitation once further details become public. 

Additionally, Ivanti has released security patches for some affected versions and provides mitigation instructions for devices still awaiting a patch. Ivanti has also disclosed two additional zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) and released patches and mitigation measures for these as well. When these two zero-day vulnerabilities are chained, attackers can move laterally inside victims' networks, steal information, and maintain ongoing access by setting up backdoors. These vulnerabilities impact ICS, IPS, and ZTA gateways. You may find more information regarding CVE-2023-46805 and CVE-2024-21887 in Avertium’s original flash notice.  

Victims of the attacks include government and military organizations worldwide, national telecom companies, defense contractors, banking and finance organizations, as well as aerospace, aviation, and tech firms of varying sizes. Please see the recommendations below for patch guidance and mitigation steps.  

avertium's recommendationS

Note!: If you applied the patch, there is no need to apply the mitigation. 

• CVE-2024-21893 and CVE-2024-21888 
  • You may find patch guidance for the vulnerabilities in Ivanti’s KB Article.  
  • Ivanti recommends immediate action, urging users to import the "mitigation.release.20240126.5.xml" file via the download portal as a temporary workaround for CVE-2024-21888 and CVE-2024-21893. 
• CVE-2023-46805 and CVE-2024-21887 
  • You may find patch guidance for the vulnerabilities in Ivanti’s KB Article.  
  • CISA has issued Emergency Directive ED 24-01, instructing federal agencies to immediately mitigate the CVE-2023-46805 and CVE-2024-21887 Ivanti zero-day flaws due to mass exploitation by multiple threat actors. 

INDICATORS OF COMPROMISE (IoCs)

CVE-2023-46805 and CVE-2024-21887 

IP Addresses 

• 206.189.208[.]156  
• 98.160.48[.]170  
• 50.213.208[.]89  
• 47.207.9[.]89  
• 173.220.106[.]166  
• 75.145.243[.]85  
• 75.145.224[.]109  
• 50.215.39[.]49  
• 73.128.178[.]221  
• 50.243.177[.]161  
• 64.24.179[.]210  
• 71.127.149[.]194  
• 173.53.43[.]7 

Domains 

• Symantke[.]com  
• Sessionserver[.]sh  
• Sessionserver[.]pl  
• webb-institute[.]com  
• gpoaccess[.]com  
• dslogconfig[.]pm 

CVE-2024-21893 and CVE-2024-21888 

MD5 

• 322778ac48bb0e0da65c0288b76b1133 
• 4a626140da1009f199afde2581d28d0b 
• 4b26c4126fbf51b6911e21139da9b153 
• 5c4cfb6ac2cd3213bace688f0fa2f14e 
• 63b0574cbe77d6231513f32e0d042484 
• c17113b1361002aff47459eb0d5bfd3b 
• cbf6325a11ba974278f2b9038a4b99d7 
• d71d37de5bae9a33ce2aa4908178b209 
• f3ce5cf045783c8c25aeff93e472cda1 
• f4560d12170c9e7fd0d921d635892df6 
• fc67817ea351dd6f0f0dcdb32a524c54 

SHA1 

• 1bc9a9190b86d42f5c74735da669e76a5c7ff6fe 
• 55c2197c88cd3cef23b5f9062c6bdbb6f4b28094 
• 61ec1f157f92cd7110b8324689d40e289ea1dc1a 
• 6b295381d911ddd2ba652ccf1bbfbaca2e159c21 
• 714a3e45bf364bfb2ae6914663bef48d18412d1b 
• 8013bb9991395e28bdd2de6632ce0ba69f553e25 
• 8c7fdcd3a192a37bdbb8e6877a9b8e14c07dd8d5 
• 913b0c9dc8b30d53ea73911c5683c2dc04c14e3b 
• a19bdf4f7ccc68470c172e67ffe4a1bdef5d7bc4 
• ba56f6e5b9e7b0137cc237d338471c99480fee96 
• f62d0f71441979785b44c8d062fcf7371fa5eb34 

SHA256 

• 030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0 
• 47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04 
• 6f684f3a8841d5665d083dcf62e67b19e141d845f6c13ee8ba0b6ccdec591a01 
• 73657c062a7cc50a3d51853ec4df904bcb291fdc9cdd08eecaecb78826eb49b6 
• 76902d101997df43cd6d3ac10470314a82cb73fa91d212b97c8f210d1fa8271f 
• 816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17 
• a4e1b07bb8d6685755feca89899d9ead490efa9a6b6ccc00af6aaea071549960 
• c26da19e17423ce4cb4c8c47ebc61d009e77fc1ac4e87ce548cf25b8e4f4dc28 
• c7ddd58dcb7d9e752157302d516de5492a70be30099c2f806cb15db49d466026 
• d14122fa7883b89747f273c44b1f71b81669a088764e97256f97b4b20d945ed0 
• e47b86b8df43c8c1898abef15b8b7feffe533ae4e1a09e7294dd95f752b0fbb2 
• ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815 

How Avertium is Protecting Our CUSTOMERS

• Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:  
  • Risk Assessments 
  • Pen Testing and Social Engineering  
  • Infrastructure Architecture and Integration  
  • Zero Trust Network Architecture 
  • Vulnerability Management 
• We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers. 

SUPPORTING DOCUMENTATION