KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways

Products / Topics: Connect-Secure, Policy Secure
Created Date: Jan 10, 2024 5:48:13 PM
Last Modified Date: Feb 29, 2024 7:11:05 PM

Description

Most recent edits:
* Edit 13: February 14 – Updated patch and release information
* Edit 14: February 17 – Mitigation recommendation updated, document simplified
* Edit 15: February 27 – Updated external ICT, new guidance for virtual appliances
* Edit 16: February 29 – Updated to include Ivanti Blog: Enhanced External Checker Tool

Update 29 Feb: Ivanti Blog: Enhanced External Integrity Checker Tool

Update 27 Feb: An enhanced external ICT is available, which customers can download via the standard download portal. The enhanced external ICT provides customers a decrypted snapshot of their appliance; guidance can be found HERE.

Update 14 Feb: A patch is available now for Ivanti Connect Secure (versions 9.1R15.3, 9.1R16.3, 22.1R6.1, 22.2R4.1, 22.3R1.1 and 22.4R1.1) and Ivanti Policy Secure (versions 9.1R16.3, 22.4R1.1 and 22.6R1.1). A build is now available for all supported versions.
Update 8 Feb: A patch is available for Ivanti Connect Secure (versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2), Ivanti Policy Secure (versions 9.1R17.3, 9.1R18.4 and 22.5R1.2) and ZTA gateways (versions 22.5R1.6, 22.6R1.5 and 22.6R1.7). Please refer to the instructions provided below for best practices.

Patches made available 8 and 14 February replace prior patches made available on 31 January and 1 February. Customers who applied the patch released on 31 January or 1 February, and completed a factory reset of their appliance, do not need to factory reset their appliances again.

Description:

Vulnerabilities have been discovered in Ivanti Connect Secure (ICS) (formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways. These vulnerabilities impact all supported versions – Version 9.x and 22.x (refer to Granular Software Release EOL Timelines and Support Matrix for supported versions). Refer to KB43892 – What releases will Pulse Secure apply fixes to resolve security vulnerabilities – for our End of Engineering (EOE) and End of Life (EOL) policies.

The Ivanti Neurons for ZTA gateways cannot be exploited when in production. If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway. Ivanti Neurons for Secure Access is not vulnerable to these CVEs; however, the gateways being managed are independently vulnerable to these CVEs. For this reason, Ivanti Neurons for ZTA is included in the patch schedule below.

If CVE-2024-21887 is used in conjunction with CVE-2023-46805 (disclosed 10 Jan), exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.
We currently have no evidence of customers being impacted by CVE-2024-21888. At the time of disclosure we had no evidence of customers being impacted by CVE-2024-22024, and at the time of disclosure we were aware of a limited number of customers impacted by CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893. We are reporting these vulnerabilities in this knowledge base article as they are resolved in the patch detailed below. The patch is available now via the standard download portal.

Be aware that the situation is still evolving. Ivanti will update this knowledge base article as more information becomes available. To receive updates, please ensure you are following this article.

Cause

The table below provides details on the vulnerabilities:

CVE: CVE-2023-46805
Description: An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
CVSS: 8.2
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CVE: CVE-2024-21887
Description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet.
CVSS: 9.1
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE: CVE-2024-21888
Description: A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.
CVSS: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE: CVE-2024-21893
Description: A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
CVSS: 8.2
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CVE: CVE-2024-22024
Description: An XML external entity (XXE) vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) which allows an attacker to access certain restricted resources without authentication.
CVSS: 8.3
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

RESOLUTION

Patch Availability

Update 14 Feb: A patch is available now for Ivanti Connect Secure (versions 9.1R15.3, 9.1R16.3, 22.1R6.1, 22.2R4.1, 22.3R1.1 and 22.4R1.1) and Ivanti Policy Secure (versions 9.1R16.3, 22.4R1.1 and 22.6R1.1). A build is now available for all supported versions.

Update 8 February: A patch is now available for Ivanti Connect Secure (versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2), Ivanti Policy Secure (versions 9.1R17.3, 9.1R18.4 and 22.5R1.2) and ZTA gateways (versions 22.5R1.6, 22.6R1.5 and 22.6R1.7). Please refer to the instructions provided below for best practices. These patches replace prior patches made available on 31 January and 1 February.

Ivanti highly recommends you upgrade to the latest version of Ivanti Connect Secure or Ivanti Policy Secure to ensure you have the latest security and stability fixes.
More information about upgrading can be found here: https://forums.ivanti.com/s/article/How-to-The-Complete-Upgrade-Guide

It is also Ivanti’s recommendation that customers migrate to Ivanti Neurons for ZTA to benefit from the newest architecture of these products. If you run into issues upgrading after following the instructions in the above KB, open a ticket with support for assistance. Patches were released following next minor version logic; lesser minor versions will not be given a one-off patch.

Download

Customers can access the patch via the standard download portal (login required).

Best Practice Guidance:

Ivanti recommends as a best practice that all customers with a hardware appliance factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment. If a customer completed a successful factory reset of their appliance before applying the previously released patches, there is no need to perform a factory reset again.

Ivanti recommends that customers with a virtual appliance no longer perform a factory reset, but instead deploy a new build of Ivanti Connect Secure or Policy Secure. Customers should:
* Backup existing configurations
* Rebuild impacted virtual machines
* Deploy a new build of Ivanti Connect Secure
* Restore configuration(s) from backup
* Revoke or rotate any device credentials (examples of device credentials can be found here)

Historically we have seen this threat actor attempt to gain persistence in customers’ environments, which is why we are recommending that all customers factory reset or deploy a new build of a virtual appliance as a best practice. Please refer to this Knowledge Base article for instructions on how to factory reset your appliance. Customers should expect this process to take 3-4 hours.
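The "next minor version" patch logic noted under Patch Availability means a fleet inventory cannot be checked with a simple "newer than X" test: a build in a release train that received no one-off patch must move to the next patched train, while a build in a patched train only needs its patch. The following is an added example for this page, not Ivanti tooling; the patched-build lists are transcribed from the 8 and 14 February updates above (confirm them against the download portal), the product keys ICS/IPS/ZTA and the status labels are this example's own, and it assumes that later builds in an already patched train carry the fix forward.

```python
"""Patch-level triage for Ivanti Connect Secure / Policy Secure / ZTA gateway
version strings. Added example, not Ivanti tooling. PATCHED_BUILDS is
transcribed from the 8 and 14 February 'Patch Availability' updates in this KB;
verify it against the download portal before relying on it."""
import re
from typing import NamedTuple, Optional, Tuple


class Version(NamedTuple):
    major: int
    minor: int
    release: int   # the number after 'R'
    patch: int     # trailing .N, 0 when absent (e.g. '22.3R1')

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}R{self.release}.{self.patch}"


VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Version:
    """Parse strings such as '9.1R14.5' or '22.4R2.3'; raise on anything else."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return Version(int(major), int(minor), int(release), int(patch or 0))


# Product keys are this example's own labels; the builds come from the KB text.
PATCHED_BUILDS = {
    "ICS": ["9.1R14.5", "9.1R15.3", "9.1R16.3", "9.1R17.3", "9.1R18.4",
            "22.1R6.1", "22.2R4.1", "22.3R1.1", "22.4R1.1", "22.4R2.3",
            "22.5R1.2", "22.5R2.3", "22.6R2.2"],
    "IPS": ["9.1R16.3", "9.1R17.3", "9.1R18.4", "22.4R1.1", "22.5R1.2", "22.6R1.1"],
    "ZTA": ["22.5R1.6", "22.6R1.5", "22.6R1.7"],
}


def assess(product: str, running: str) -> Tuple[str, Optional[str]]:
    """Classify a running version against the patched builds for `product`.

    Returns (status, target):
      'patched'      at or past the earliest patched build of its train
                     (assumption: later builds in that train keep the fix);
                     target is the latest listed build of the train
      'apply-patch'  the train has a patch; target is the build to apply
      'upgrade'      no one-off patch for this train (lesser minor versions
                     do not get one); target is the next patched build
      'check-portal' newer than every listed build; verify on the portal
    """
    v = parse_version(running)
    builds = sorted(parse_version(b) for b in PATCHED_BUILDS[product])
    same_train = [b for b in builds if b[:3] == v[:3]]   # same major.minor R
    if same_train:
        earliest, latest = same_train[0], same_train[-1]
        return ("patched" if v >= earliest else "apply-patch", str(latest))
    later = [b for b in builds if b > v]
    if later:
        return ("upgrade", str(later[0]))
    return ("check-portal", None)


if __name__ == "__main__":
    # Constructed inventory lines (product, running version) for illustration.
    inventory = [("ICS", "22.4R2.1"), ("ICS", "22.1R5.2"), ("IPS", "22.6R1.1"),
                 ("ZTA", "22.6R1.5"), ("ICS", "9.1R13.2"), ("ICS", "22.7R1.0")]
    for product, running in inventory:
        status, target = assess(product, running)
        print(f"{product} {running}: {status}" + (f" -> {target}" if target else ""))
```

A build that is newer than everything listed is deliberately reported as "check-portal" rather than "patched": the list is a snapshot of this KB, and the only authority on whether a later release contains the fix is the release notes on the download portal.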
It is Ivanti’s recommendation that if a customer has a clean External Integrity Checker scan before and after the patch is applied, they can schedule the factory reset or deploy a new build of the appliance during their regular service window. If a customer has a positive External Integrity Checker scan either before or after the patch is applied, they should do a factory reset or deploy a new build and follow the instructions in this Knowledge Base article. If a customer experiences issues factory resetting their appliance or deploying a new build after reviewing the above Knowledge Base article, they should open a support ticket for assistance.

Mitigation

Please note: If a customer has applied the patch, they do not need to apply the mitigation. If mitigation is applied before the patch, it should be removed once the patch has been applied. The mitigation removal XML can be found in the standard download portal.

It is now Ivanti’s recommendation that all customers remove the mitigation, factory reset (or deploy a new build of a virtual appliance) and apply the patch. Refer to How to Add and Remove XML files to your Ivanti Connect Secure and Ivanti Policy Secure Appliances for directions on how to remove the XML file.

We strongly advise customers to run Ivanti’s External Integrity Checker Tool (ICT) in combination with best-practice security monitoring. On 27 February we released an enhanced Integrity Checker tool which provides a decrypted snapshot of a customer's appliance. Customers can follow the guidance HERE.

We have seen evidence of threat actors attempting to manipulate Ivanti’s internal integrity checker (ICT). Out of an abundance of caution, we are recommending that all customers run the external ICT. We have added new functionality to the external ICT that will be incorporated into the internal ICT in the future. We regularly provide updates to the external and internal ICT, so customers should always ensure they are running the latest version of each.
The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state. The ICT does not scan for malware or other Indicators of Compromise. We recommend as a best practice for customers to always run the ICT in conjunction with continuous monitoring. Refer to KB44755 – Pulse Connect Secure (PCS) Integrity Assurance for information on how to run the external ICT.

FAQ

1. Why does CVE-2024-22024 only impact a limited number of supported versions?
* This vulnerability was discovered during our rigorous investigation into the vulnerabilities impacting Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways. We initiated this rigorous process consistent with our product incident response plan to address the issues impacting Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways. This process includes working alongside world-class security experts and aggressively reviewing our code. We are committed to remediating issues as quickly as we can.

2. How do I know if I’ve been compromised?
* We strongly advise customers to run Ivanti’s previously released External Integrity Checker Tool (ICT) in combination with best-practice security monitoring.
* We have seen evidence of threat actors attempting to manipulate Ivanti’s internal ICT. Out of an abundance of caution, we are recommending that all customers run the external ICT. We have added new functionality to the external ICT that will be incorporated into the internal ICT in the future.
* The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state. The ICT does not scan for malware or other Indicators of Compromise. We recommend as a best practice for customers to always run the ICT in conjunction with continuous monitoring.
* If a customer finds evidence they may have been compromised, they should engage with a forensic provider. Ivanti is not a forensic provider and cannot perform this for them.

3. Are there any Indicators of Compromise we can validate outside of the integrity checker tool?
* Indicators of Compromise will be shared with customers that have confirmed impact to move customers forward in their forensics investigation. Be aware that the situation is still evolving. Ivanti will update this knowledge base article as more information becomes available. To receive updates, please ensure you are following this article. If customers require additional information, they should open a ticket with support.
* Customers can also reference Volexity’s blog or Mandiant’s blog for additional findings of the coordinated investigation. Ivanti thanks Volexity for their assistance in identifying and reporting the issue in Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways, and Mandiant for their continued support.

4. Are you aware of any active exploitation of the vulnerability?
* We are aware of fewer than 20 customers impacted by the vulnerabilities prior to public disclosure. We are unable to discuss the specifics of our customers.

5. Why do I need to run the external ICT for these vulnerabilities?
* We have added new functionality to the external ICT that will be incorporated into the internal ICT in the future. The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state. The ICT does not scan for malware or other Indicators of Compromise. We recommend as a best practice for customers to always run the ICT in conjunction with continuous monitoring.

6. When will patches be available for this vulnerability?
* A patch is now available for Ivanti Connect Secure (versions 9.1R14.5, 9.1R15.3, 9.1R16.3, 9.1R17.3, 9.1R18.4, 22.1R6.3, 22.2R4.1, 22.3R1, 22.4R1.1, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2), Ivanti Policy Secure (versions 9.1R16.3, 9.1R17.3, 9.1R18.4, 22.4R1.1, 22.5R1.2 and 22.6R1.1) and ZTA gateways (versions 22.5R1.6, 22.6R1.5 and 22.6R1.7). Patches for supported versions will be released in a staggered schedule with instructions on how to upgrade to a supported version.
* A build is now available for all supported versions.

7. What should I do if I need help?
* If you have questions after reviewing this information, you can log a case and/or request a call via the Success Portal.

8. Is this a “supply chain attack”?
* No. Based on our analysis, Ivanti has not found any indication that this vulnerability was introduced into our code development process maliciously.

9. Has Ivanti been compromised due to this vulnerability?
* No. Ivanti does use our own tools and technology. Ivanti has no indication that it has been compromised. Ivanti uses enterprise-grade technology and security partners to detect, prevent, and respond to increasingly sophisticated threat actors.

Article Number: 000090123