forums.ivanti.com
Open in
urlscan Pro
2606:4700::6811:8a6b
Public Scan
Submitted URL: https://mdr.esentire.com/e/651833/utm-campaign-cs-threatadvisory/2qvlwg/1131298948/h/xFdejBTWSa3eY_LhuKsjRRbiZUy9uaWkmP8B...
Effective URL: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Co...
Submission: On January 31 via api from US — Scanned from DE
Effective URL: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Co...
Submission: On January 31 via api from US — Scanned from DE
Form analysis
0 forms found in the DOMText Content
Loading ×Sorry to interrupt CSS Error Refresh Skip to Main Content Community * Home * All Products * Forum Groups * Contact Support * Getting Started * Advantage Learning * Ivanti Innovators * Ivanti User Groups * Ivanti Ideas * Product End of Life * Community & Portal Resources * Ivanti Developer Hub * More Expand search SearchLoading Close search Log inAccount Management Ask a Question Log in for access to this feature KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways Products / Topics : Connect-Secure, Policy Secure Created Date Jan 10, 2024 5:48:13 PM Last Modified Date Jan 31, 2024 7:59:27 PM Description KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways Description Edit 1: January 10 - fixed linking to XML instructions Edit 2: January 11 - Update to XML mitigation impacts Edit 3: January 12 - Update to reflect factory reset recommendation for impacted appliances. Edit 4: January 13 - New ICT Version for 22.x R2 to address a bug preventing ICT from running on certain Microsoft Azure appliances. Edit 5: January 14 - Updated patch version and timing information for Ivanti Policy Secure Edit 6: January 15 - Update to customer impact FAQ and NEW Recovery Guidance linked HERE Edit 7: January 20 - Update workaround section about known race condition when pushing device configurations. Edit 8: January 26 - Updated patch timing information Edit 9: January 31 – Patch availability update and disclosure of CVE-2024-21888 and CVE-2024-21893 Edit 10: January 31 – Known issue with downloads portal is being addressed. Please try logging in again to retrieve your patch downloads. If you are met with an error, direct download links can be reached here Edit 11: January 31 – Known issue with downloads portal is addressed. Please clear your cache and retry if errors persist. Corrected CVE# in description. Added new FAQs Description: Vulnerabilities have been discovered in Ivanti Connect Secure (ICS), (formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways. These vulnerabilities impact all supported versions – Version 9.x and 22.x (refer to Granular Software Release EOL Timelines and Support Matrix for supported versions). Refer to KB43892 – What releases will Pulse Secure apply fixes to resolve security vulnerabilities for our End of Engineering (EOE) and End of Life (EOL) policies. The Ivanti Neurons for ZTA gateways cannot be exploited when in production. If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway. Ivanti Neurons for Secure Access is not vulnerable to these CVEs; however, the gateways being managed are independently vulnerable to these CVEs. For this reason, Ivanti Neurons for ZTA is included in the patch schedule below. If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system. As part of our ongoing investigation into CVE-2023-46805 and CVE-2024-21887 we have identified additional vulnerabilities in Ivanti Connect Secure Ivanti Policy Secure, and Ivanti Neurons for ZTA. CVE-2024-21888 allows for privilege escalation and CVE-2024-21893 is a server-side request forgery in the SAML component which allows a threat actor to access certain restricted resources without authentication. We have no evidence of customers being impacted by CVE-2024-21888 at this time, and we are aware of a limited number of customers impacted by CVE-2024-21893. We are reporting these vulnerabilities in this knowledge base article as it is resolved in the patch detailed below. We have also provided new mitigation for supported versions where the patch has not been released. At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted. Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public – similar to what we observed on 11 January following the 10 January disclosure. Be aware that the situation is still evolving. Ivanti will update this knowledge base article as more information becomes available. To receive updates, please ensure you are following this article. Cause The table below provides details on the vulnerabilities: CVEDescriptionCVSSVectorCVE-2023-46805An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.8.2AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:NCVE-2024-21887A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet.9.1AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HCVE-2024-21888A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.8.8AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HCVE-2024-21893A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.8.2AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N RESOLUTION Patch Availability Update 31 January: A patch addressing all known vulnerabilities is now available for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3. We are recommending as a best practice that all customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment. Historically we have seen this threat actor attempt to gain persistence in customers’ environment, which is why we are recommending this action as a best practice for all customers. Please refer to this Knowledge Base article for instructions on how to factory reset your appliance. The remaining patches for supported versions will still be released on a staggered schedule. Instructions on how to upgrade to a supported version are provided below. The timing of patch release is subject to change as we prioritize the security and quality of each release. Please ensure you are following this article to receive updates as they become available. Ivanti highly recommends you upgrade to the latest version of Ivanti Connect Secure or Ivanti Policy Secure to ensure you have the latest security and stability fixes. More information about upgrading can be found here: https://forums.ivanti.com/s/article/How-to-The-Complete-Upgrade-Guide If you run into issues upgrading after following the instructions in the above KB, customers should open a ticket with support for assistance. *For customers wanting to upgrade to a higher version to accelerate your patch timing this guide can be followed HERE. Patches will be released following next minor version logic and lesser minor versions will not be given a one-off patch. DownloadCustomers can access the patch via the standard download portal, login required. Workaround Please note: If a customer has applied the patch, they do not need to apply the mitigation. If mitigation is applied before the patch, it can be removed once the patch has been applied. The mitigation removal XML is also found in the standard download portal. CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893 can be mitigated by importing mitigation.release.20240126.5.xml file via the download portal. Ivanti has created a new mitigation to be applied to the gateways. We are providing mitigation now while the remaining patches are in development to prioritize the best interest of our customers. The new mitigation XML can be applied, regardless of whether the previous one was applied. It will show as 3 patches being applied in the admin UI notification above the overview dashboard. Important: Customers should stop pushing configurations to appliances with the XML in place, and not resume pushing configurations until the appliance is patched. When the configuration is pushed to the appliance, it stops some key web services from functioning, and stops the mitigation from functioning. This only applies to customers who push configurations to appliances, including configuration pushes through Pulse One or nSA. This can occur regardless of a full or partial configuration push. We have seen evidence of threat actors attempting to manipulate Ivanti’s internal integrity checker (ICT). Out of an abundance of caution, we are recommending that all customers run the external ICT. We have added new functionality to the external ICT that will be incorporated into the internal ICT in the future. We regularly provide updates to the external and internal ICT, so customers should always ensure they are running the latest version of each. The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state. The ICT does not scan for malware or other Indicators of Compromise. We recommend as a best practice for customers to always run the ICT in conjunction with continuous monitoring. Refer to KB44755 – Pulse Connect Secure (PCS) Integrity Assurance for information on how to run the external ICT. Impact: XML file impacts or degrades the following features: * Ivanti Connect Secure: * NEW: SAML * The new mitigation will block all SAML communication and authentication. This will have limited functionality impact on customers who use LDAP for authentication. As a workaround, customers who use SAML for authentication can establish LDAP authentication for administrators and high priority users while the staggered patches are in development. * Admin REST APIs * Automation built with REST API for configuration and monitoring will be impacted. Administrators will be able to access the gateways using GW’s GUI interface. * End User Portal (Advanced HTML5) * This is specific to requests that launch a dynamically assigned HTML5 bookmark, existing pre-defined HTML5 bookmarks are not impacted. * End user JSAM functionality is impacted. * Rewriter functionality is unavailable once mitigation is applied. * Citrix StoreFront with HTML5 is impacted * Citrix storefront with ICA Client connecting over CTS/WSAM are not impacted * Auto-Launch of PSAL install * This only impacts new users or machines which have not previously logged in and installed PSAL. Manually download and install PSAL as a workaround. * Admin CRL Configuration * Admins will be unable to change the CRL configuration. Otherwise, the CRL functionality is not impacted by the mitigation. * Ivanti Policy Secure: * Profiler and Remote Profiler will be significantly degraded once mitigation is applied but will still allow authentication to an IPS appliance to happen. * UEBA adaptive authentication is unavailable once mitigation is applied. There may be additional impacts based on the customers’ configuration of their environment. If a customer is experiencing an impact outside of what has been identified, they should call support and open a support ticket. If it is validated for wide impact, we will update the KB. Ivanti’s focus is on getting the patch out to customers as quickly as possible (see below for schedule). Please ensure you are following this article to receive updates. DownloadCustomers can access XML and Removal XML via the standard download portal, login required. Note: * XML file is in the zipped format, please unzip and then import the XML file. * Import of this XML into any one node of a Cluster is enough. Refer to How to Add and Remove XML files to your Ivanti Connect Secure and Ivanti Policy Secure Appliances for directions on how to apply or remove the XML file. Customers can also access the mitigation and the latest ICT via their standard download portal and import the XML file. There is no need to reboot or restart services under the Ivanti Secure Appliance when applying the XML file, but please note that the external ICT will reboot the system. Limitations: * Ivanti did not test the mitigation on unsupported versions. Upgrade to a supported version before applying the mitigation. * The workaround is not recommended for a license server. We recommend minimizing who can connect to a license server. For example, place a license server on a management VLAN, or have a firewall enforce source-IP restrictions. Ivanti highly recommends you upgrade to the latest version of Ivanti Connect Secure or Ivanti Policy Secure to ensure you have the latest security and stability fixes. More information about upgrading can be found here: https://forums.ivanti.com/s/article/How-to-The-Complete-Upgrade-Guide If you run into issues upgrading after following the instructions in the above KB, customers should open a ticket with support for assistance. FAQ 1. How do I know if I’ve been compromised? * We have seen evidence of threat actors attempting to manipulate Ivanti’s internal integrity checker (ICT). Out of an abundance of caution, we are recommending that all customers run the external ICT. We have added new functionality to the external ICT that will be incorporated into the internal ICT in the future. * The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state. The ICT does not scan for malware or other Indicators of Compromise. We recommend as a best practice for customers to always run the ICT in conjunction with continuous monitoring. * If a customer finds evidence they may have been compromised, they should engage with a forensic provider. Ivanti is not a forensic provider and cannot perform this for them. 2. Are there any Indicators of Compromise we can validate outside of the integrity checker tool? * Indicators of Compromise will be shared with customers that have confirmed impact to move customers forward in their forensics investigation. Be aware that the situation is still evolving. Ivanti will update this knowledge base article as more information becomes available. To receive updates, please ensure you are following this article. If customers require additional information, they should open a ticket with support. * Customers can also reference Volexity’s blog or Mandiant’s blog for additional findings of the coordinated investigation. Ivanti thanks Volexity for their assistance in identifying and reporting the issue in Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways, and Mandiant for their continued support. 3. Are you aware of any active exploitation of the vulnerability? * We are aware of less than 20 customers impacted by the vulnerabilities prior to public disclosure. We are unable to discuss the specifics of our customers. 4. Why do I need to run the external ICT for these vulnerabilities? * We have added new functionality to the external ICT that will be incorporated into the internal ICT in the future. The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state. The ICT does not scan for malware or other Indicators of Compromise. We recommend as a best practice for customers to always run the ICT in conjunction with continuous monitoring. 5. When will patches be available for this vulnerability? * A patch is now available for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3. Patches for supported versions will be released in a staggered schedule with instructions on how to upgrade to a supported version. * Until a patch is available for their version, customers should apply the mitigation for Ivanti Connect Secure and Ivanti Policy Secure and run the external integrity checker tool. 6. Why is Ivanti doing a staggered release for patches? * Ivanti always prioritizes the security and quality of each release. To effectively achieve this in this instance, it requires a staggered release schedule. Our focus is on getting the patch out to customers as quickly as possible. 7. Why isn’t Ivanti releasing patches in version order? * We are releasing patches based upon telemetry information available to us from current installed solutions that notify us of the version number they are running. We are releasing patches for the highest number of installs first and then continuing in declining order. Our customers’ security is our top priority, and we are releasing patches as quickly as we can while ensuring the quality and security of each release. 8. Why isn’t Ivanti Policy Secure included in the new XML? * Ivanti Policy Secure is not designed to be an internet facing solution and CVE-2024-21893 is an internet facing vulnerability. For this reason, it is not included in the new mitigation release, but there is a patch that will be made available in the coming weeks which addresses all known vulnerabilities. 9. What should I do if I need help? * If you have questions after reviewing this information, you can log a case and/or request a call via the Success Portal 10. Is this a “supply chain attack”? * No. Based on our analysis, Ivanti has not found any indication that this vulnerability was introduced into our code development process maliciously. 11. Has Ivanti been compromised due to this vulnerability? * No. Ivanti does use our own tools and technology. Ivanti has no indication that it has been compromised. Ivanti uses enterprise-grade technology and security partners to detect, prevent, and respond to increasingly sophisticated threat actors. Article Number : 000090123 Article Promotion Level Normal * * Terms & Conditions * Privacy Policy * Copyright © 2019-2023 Ivanti. All rights reserved. Loading We use cookies to optimize the website performance, content, and the overall experience. Cookies Settings Continue without cookies Accept All Cookies PRIVACY PREFERENCE CENTER YOUR PRIVACY YOUR PRIVACY We use cookies on this site to improve your browser experience, analyze usage and traffic, tailor future content to your preferences, and make decisions about our website. Select "Allow All" to accept cookies and go directly to the site, or select a category of cookies from the menu to learn more about each type of cookie. More information * STRICTLY NECESSARY STRICTLY NECESSARY Always Active Strictly Necessary These cookies are required to enable core site functionality. Cookie Details * PERFORMANCE COOKIES PERFORMANCE COOKIES Performance Cookies These cookies allow us to analyze site performance and usage, so we can ensure you have the best experience. Cookie Details * PERSONALIZATION COOKIES PERSONALIZATION COOKIES Personalization Cookies These cookies can be set through our website by our advertising partners. They can be used by these companies to build a profile of your interests and show you relevant ads on other websites. Cookie Details * FUNCTIONAL COOKIES FUNCTIONAL COOKIES Functional Cookies These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly. Cookie Details Back Button ADVERTISING COOKIES Filter Button Consent Leg.Interest Select All Vendors Select All Vendors Select All Hosts Select All Clear Filters Information storage and access Apply Save Settings Allow All