Threat update

Recent flaws found in Ivanti Connect Secure and Policy Secure Gateways can lead to remote code execution (RCE) attacks. Review this Cybersecurity Threat Advisory to learn additional details and recommendations to keep your organization secure. 

Technical Detail and Additional Info

What is the threat?

Ivanti has faced multiple attacks on its products from the start of this year. Threat actors are actively exploiting flaws observed in Ivanti appliances. There are four flaws found in Ivanti Connect Secure and Policy Secure Gateways:

• CVE-2024-21894 (CVSS score: 8.2)
• CVE-2024-22052 (CVSS score: 7.5)
• CVE-2024-22053 (CVSS score: 8.2)
• CVE-2024-22023 (CVSS score: 5.3)

Two of the flaws are related to heap overflow vulnerabilities in the IPSec component. One is related to null pointer dereference vulnerability and one related to an XML entity expansion or XEE vulnerability in SAML component of Connect Secure (9.x, 22.x) and Policy Secure. These flaws could result in code execution and denial-of-service (DOS) attacks. 

Why is it noteworthy?

There are approximately 16,500 Ivanti Connect Secure and Policy Secure Gateways exposed on the internet vulnerable to a remote code execution (RCE) attack. Multiple threat actors have been observed to actively exploit these recent zero-day flaws. These flaws have been used to breach Ivanti Connect Secure VPN appliances and to deliver post exploitation malware like TONERJAM and PHANTOMNET. Some other threat groups are using these flaws to breach and deliver custom malware toolset known as SPAWN which is known for its stealth and persistent backdoor. 

What is the exposure or risk?

High-risk vulnerabilities, such as those found in Ivanti products, are often used as a point of breach. Organizations using Ivanti Connect Secure and Policy Secure Gateways should act promptly to prevent attacks from these vulnerabilities. The heap overflow vulnerability in the IPSec component allows unauthenticated malicious users to send specially crafted requests to cause a DoS attack. These requests can also be used to read contents from memory in certain conditions, or to execute arbitrary code attacks. The null pointer dereference vulnerability also allows an unauthenticated malicious user to send specially crafted requests to crash the service. 

What are the recommendations?

LBT Technology Group, LLC. recommends the following actions to limit the impact of these vulnerabilities:

• Apply patches released by Ivanti to all supported versions promptly
• Deploy antivirus software and intrusion detection systems to prevent malware infections
• Use automated scanning tools and manual penetration testing to evaluate the effectiveness of security controls
• Maintain a proper security posture to mitigate the risk and impact of this attack
• Use a 24/7 monitoring service, such as Barracuda XDR Network Security, to promptly deter suspicious network activity

References

 For more in-depth information about the recommendations, please visit the following links:

• https://thehackernews.com/2024/04/ivanti-rushes-patches-for-4-new-flaw-in.html

If you have any questions, please contact LBT's Sales Engineer.