Article Details

Original Article Text


Ivanti: Patch new Connect Secure auth bypass bug immediately

Today, Ivanti warned of a new authentication bypass vulnerability impacting Connect Secure, Policy Secure, and ZTA gateways, urging admins to secure their appliances immediately. The flaw (CVE-2024-22024) is due to an XXE (XML eXternal Entities) weakness in the gateways' SAML component that lets remote attackers gain access to restricted resources on unpatched appliances in low-complexity attacks without requiring user interaction or authentication.

"We have no evidence of any customers being exploited by CVE-2024-22024. However, it is critical that you immediately take action to ensure you are fully protected," Ivanti said. "For users of other supported versions, the mitigation released on 31 January successfully blocks the vulnerable endpoints until remaining patches are released," the company added in a separate advisory.

Threat monitoring platform Shadowserver currently tracks over 20,000 ICS VPN gateways exposed online, with over 6,000 in the United States (Shodan currently tracks over 26,000 Internet-exposed Ivanti ICS VPNs). Shadowserver also monitors Ivanti Connect Secure VPN instances compromised worldwide daily, with almost 250 compromised devices discovered on Wednesday, February 7.

Ivanti devices under heavy targeting

Ivanti VPN appliances have been targeted in attacks chaining the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection flaws as zero-days since December 2023. The company warned of a third actively exploited zero-day (a server-side request forgery vulnerability now tracked as CVE-2024-21893) that's now also under mass exploitation by multiple threat actors, allowing attackers to bypass authentication on unpatched ICS, IPS, and ZTA gateways. Security patches for product versions affected by the three flaws were released on January 31.
Ivanti also provides mitigation instructions for devices that cannot be patched immediately against the ongoing attacks, or that run software versions still waiting for a patch. Ivanti urged customers to factory reset all vulnerable appliances before patching to block attackers' attempts to retain persistence across software upgrades. Additionally, CISA ordered U.S. federal agencies on February 1 to disconnect all vulnerable Ivanti VPN appliances on their networks within 48 hours in response to extensive targeting by multiple threat actors.
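The XXE class of bug described above is an XML parser honouring entity declarations in attacker-supplied input. As an added illustration (not Ivanti's code and unrelated to how its SAML component is implemented), the Python below shows the standard defensive posture for a SAML consumer: refuse any message that carries a DOCTYPE or entity declaration before the parser can resolve anything, then extract the NameID only from clean input. The two sample messages are constructed for the demonstration.

```python
import xml.parsers.expat
from typing import Optional, Tuple

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

class DtdRejected(ValueError):
    """Raised as soon as the parser meets a DOCTYPE or an entity declaration."""

def _reject(kind):
    # Handler factory: expat passes the declaration name as the first argument.
    def handler(name, *_ignored):
        raise DtdRejected(f"{kind} '{name}' is not allowed in a SAML message")
    return handler

def extract_name_id(saml_xml: bytes) -> Optional[str]:
    """Return the saml:NameID text, refusing any document that declares a DTD."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator="}")
    parser.StartDoctypeDeclHandler = _reject("DOCTYPE")  # fires on '<!DOCTYPE'
    parser.EntityDeclHandler = _reject("entity")          # fires on any '<!ENTITY'
    name_id_tag = f"{SAML_ASSERTION_NS}}}NameID"  # expat reports names as 'uri}local'
    state = {"inside": False, "chunks": [], "value": None}
    def start(name, attrs):
        if name == name_id_tag:
            state["inside"], state["chunks"] = True, []
    def end(name):
        if name == name_id_tag:
            state["inside"] = False
            state["value"] = "".join(state["chunks"]).strip()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = lambda d: state["chunks"].append(d) if state["inside"] else None
    parser.Parse(saml_xml, True)  # raises DtdRejected before any entity could be resolved
    return state["value"]

def check_response(saml_xml: bytes) -> Tuple[str, Optional[str]]:
    """('ok', name_id) for a clean message, ('rejected', reason) for a DTD-bearing one."""
    try:
        return "ok", extract_name_id(saml_xml)
    except DtdRejected as exc:
        return "rejected", str(exc)

# Constructed sample messages (not real traffic): a clean response, and the same
# message prefixed with an external entity declaration, which must be refused.
CLEAN_RESPONSE = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:Subject>'
    b'<saml:NameID>alice@example.com</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>'
)
DTD_RESPONSE = (
    b'<!DOCTYPE Response [<!ENTITY ext SYSTEM "http://attacker.invalid/x">]>'
    + CLEAN_RESPONSE.replace(b"alice@example.com", b"&ext;")
)
```

Rejecting the DTD outright, rather than trying to filter individual entities, is what most hardening guidance recommends because SAML messages never legitimately need one.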

Daily Brief Summary

CYBERCRIME // Ivanti Announces Urgent Security Flaw in VPN Appliances

A new authentication bypass vulnerability in Ivanti's Connect Secure, Policy Secure, and ZTA gateways poses a serious security threat requiring immediate patching.

The flaw, identified as CVE-2024-22024, arises from an XML eXternal Entities (XXE) weakness in the gateways' SAML component, permitting attackers access to restricted resources without user interaction.

Ivanti reports no current exploitations but emphasizes the critical need for immediate action to protect against potential attacks.

Over 20,000 Internet-exposed ICS VPN gateways are at risk; Shadowserver also monitors compromised Ivanti Connect Secure VPN devices daily and found nearly 250 compromised as of February 7.

Security patches for affected products were released on January 31, and Ivanti has provided interim mitigation steps for those still awaiting updates.

Ivanti recommends a factory reset of all vulnerable appliances before patching to deter attacker persistence through upgrades.

Following the detection of mass exploitation by various threat actors, CISA mandated that U.S. federal agencies disconnect vulnerable Ivanti VPN appliances within 48 hours.