Effective URL: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Co...

KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection)
for Ivanti Connect Secure and Ivanti Policy Secure Gateways
Products / Topics :
Connect-Secure, Policy Secure
Created Date
Jan 10, 2024 5:48:13 PM
Last Modified Date
Jan 31, 2024 7:59:27 PM
Description

Edit 1: January 10 - fixed linking to XML instructions
Edit 2: January 11 - Update to XML mitigation impacts
Edit 3: January 12 - Update to reflect factory reset recommendation for impacted
appliances.
Edit 4: January 13 - New ICT Version for 22.x R2 to address a bug preventing ICT
from running on certain Microsoft Azure appliances.
Edit 5: January 14 - Updated patch version and timing information for Ivanti
Policy Secure
Edit 6: January 15 - Update to customer impact FAQ and NEW Recovery Guidance
linked HERE
Edit 7: January 20 - Update workaround section about known race condition when
pushing device configurations. 
Edit 8: January 26 - Updated patch timing information
Edit 9: January 31 – Patch availability update and disclosure of CVE-2024-21888
and CVE-2024-21893
Edit 10: January 31 – Known issue with downloads portal is being addressed.
Please try logging in again to retrieve your patch downloads. If you are met
with an error, direct download links can be reached here
Edit 11: January 31 – Known issue with downloads portal is addressed. Please
clear your cache and retry if errors persist. Corrected CVE# in description.
Added new FAQs.

Description:
Vulnerabilities have been discovered in Ivanti Connect Secure (ICS, formerly
known as Pulse Connect Secure) and Ivanti Policy Secure gateways. These
vulnerabilities impact all supported versions – 9.x and 22.x (refer to
Granular Software Release EOL Timelines and Support Matrix for supported
versions).
Refer to KB43892 – What releases will Pulse Secure apply fixes to resolve
security vulnerabilities for our End of Engineering (EOE) and End of Life (EOL)
policies.
The Ivanti Neurons for ZTA gateways cannot be exploited when in production. If a
gateway for this solution is generated and left unconnected to a ZTA controller,
then there is a risk of exploitation on the generated gateway. Ivanti Neurons
for Secure Access is not vulnerable to these CVEs; however, the gateways being
managed are independently vulnerable to these CVEs. For this reason, Ivanti
Neurons for ZTA is included in the patch schedule below.
If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does
not require authentication and enables a threat actor to craft malicious
requests and execute arbitrary commands on the system.
As part of our ongoing investigation into CVE-2023-46805 and CVE-2024-21887 we
have identified additional vulnerabilities in Ivanti Connect Secure, Ivanti
Policy Secure, and Ivanti Neurons for ZTA. CVE-2024-21888 allows for privilege
escalation and CVE-2024-21893 is a server-side request forgery in the SAML
component which allows a threat actor to access certain restricted resources
without authentication.
We have no evidence of customers being impacted by CVE-2024-21888 at this time,
and we are aware of a limited number of customers impacted by CVE-2024-21893. We
are reporting these vulnerabilities in this knowledge base article as they are
resolved in the patch detailed below. We have also provided a new mitigation for
supported versions where the patch has not been released.
At the time of publication, the exploitation of CVE-2024-21893 appears to be
targeted. Ivanti expects the threat actor to change their behavior and we expect
a sharp increase in exploitation once this information is public – similar to
what we observed on 11 January following the 10 January disclosure.
Be aware that the situation is still evolving. Ivanti will update this knowledge
base article as more information becomes available. To receive updates, please
ensure you are following this article.

Cause

The table below provides details on the vulnerabilities:

CVE: CVE-2023-46805
Description: An authentication bypass vulnerability in the web component of
Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote
attacker to access restricted resources by bypassing control checks.
CVSS: 8.2
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CVE: CVE-2024-21887
Description: A command injection vulnerability in web components of Ivanti
Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated
administrator to send specially crafted requests and execute arbitrary commands
on the appliance. This vulnerability can be exploited over the internet.
CVSS: 9.1
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE: CVE-2024-21888
Description: A privilege escalation vulnerability in the web component of Ivanti
Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user
to elevate privileges to that of an administrator.
CVSS: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE: CVE-2024-21893
Description: A server-side request forgery vulnerability in the SAML component
of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and
Ivanti Neurons for ZTA allows an attacker to access certain restricted resources
without authentication.
CVSS: 8.2
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

 


RESOLUTION


Patch Availability
Update 31 January: A patch addressing all known vulnerabilities is now available
for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and
22.5R1.1) and ZTA version 22.6R1.3.
We are recommending as a best practice that all customers factory reset their
appliance before applying the patch to prevent the threat actor from gaining
upgrade persistence in your environment. Historically we have seen this threat
actor attempt to gain persistence in customers’ environment, which is why we are
recommending this action as a best practice for all customers. Please refer to
this Knowledge Base article for instructions on how to factory reset your
appliance.

The remaining patches for supported versions will still be released on a
staggered schedule. Instructions on how to upgrade to a supported version are
provided below.
The timing of patch release is subject to change as we prioritize the security
and quality of each release. Please ensure you are following this article to
receive updates as they become available.
Ivanti highly recommends you upgrade to the latest version of Ivanti Connect
Secure or Ivanti Policy Secure to ensure you have the latest security and
stability fixes. More information about upgrading can be found here:
https://forums.ivanti.com/s/article/How-to-The-Complete-Upgrade-Guide
If you run into issues upgrading after following the instructions in the above
KB, customers should open a ticket with support for assistance.
*Customers wanting to upgrade to a higher version to accelerate their patch
timing can follow this guide HERE. Patches will be released following
next-minor-version logic; lesser minor versions will not be given a one-off
patch.

Download
Customers can access the patch via the standard download portal (login
required).


Workaround

Please note: If a customer has applied the patch, they do not need to apply the
mitigation. If mitigation is applied before the patch, it can be removed once
the patch has been applied. The mitigation removal XML is also found in the
standard download portal.

CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893 can be
mitigated by importing mitigation.release.20240126.5.xml file via the download
portal.

Ivanti has created a new mitigation to be applied to the gateways. We are
providing mitigation now while the remaining patches are in development to
prioritize the best interest of our customers. The new mitigation XML can be
applied, regardless of whether the previous one was applied. It will show as 3
patches being applied in the admin UI notification above the overview dashboard.


Important: Customers should stop pushing configurations to appliances with the
XML in place, and not resume pushing configurations until the appliance is
patched. When the configuration is pushed to the appliance, it stops some key
web services from functioning, and stops the mitigation from functioning. This
only applies to customers who push configurations to appliances, including
configuration pushes through Pulse One or nSA. This can occur regardless of a
full or partial configuration push.

We have seen evidence of threat actors attempting to manipulate Ivanti’s
internal integrity checker (ICT). Out of an abundance of caution, we are
recommending that all customers run the external ICT. We have added new
functionality to the external ICT that will be incorporated into the internal
ICT in the future. We regularly provide updates to the external and internal
ICT, so customers should always ensure they are running the latest version of
each.

The ICT is a snapshot of the current state of the appliance and cannot
necessarily detect threat actor activity if they have returned the appliance to
a clean state. The ICT does not scan for malware or other Indicators of
Compromise. We recommend as a best practice for customers to always run the ICT
in conjunction with continuous monitoring.
 
Refer to KB44755 – Pulse Connect Secure (PCS) Integrity Assurance for
information on how to run the external ICT.
Impact: XML file impacts or degrades the following features:
 * Ivanti Connect Secure:
   * NEW: SAML
     * The new mitigation will block all SAML communication and authentication.
       This will have limited functionality impact on customers who use LDAP for
       authentication. As a workaround, customers who use SAML for
       authentication can establish LDAP authentication for administrators and
       high priority users while the staggered patches are in development.
   * Admin REST APIs
     * Automation built with the REST API for configuration and monitoring will
       be impacted. Administrators will still be able to access the gateways
       through the gateway's GUI.
   * End User Portal (Advanced HTML5)
     * This is specific to requests that launch a dynamically assigned HTML5
       bookmark, existing pre-defined HTML5 bookmarks are not impacted.
   * End user JSAM functionality is impacted.
   * Rewriter functionality is unavailable once mitigation is applied.
   * Citrix StoreFront with HTML5 is impacted
     * Citrix StoreFront with an ICA client connecting over CTS/WSAM is not
       impacted
   * Auto-Launch of PSAL install
     * This only impacts new users or machines which have not previously logged
       in and installed PSAL. Manually download and install PSAL as a
       workaround.
   * Admin CRL Configuration
     * Admins will be unable to change the CRL configuration. Otherwise, the CRL
       functionality is not impacted by the mitigation.

 
 * Ivanti Policy Secure:
   * Profiler and Remote Profiler will be significantly degraded once mitigation
     is applied but will still allow authentication to an IPS appliance to
     happen.
   * UEBA adaptive authentication is unavailable once mitigation is applied.


There may be additional impacts based on the customers’ configuration of their
environment. If a customer is experiencing an impact outside of what has been
identified, they should call support and open a support ticket. If it is
validated for wide impact, we will update the KB. Ivanti’s focus is on getting
the patch out to customers as quickly as possible (see below for schedule).
Please ensure you are following this article to receive updates.

Download
Customers can access the XML and removal XML via the standard download portal
(login required).


Note:
 * XML file is in the zipped format, please unzip and then import the XML file.
 * Import of this XML into any one node of a Cluster is enough.

Refer to How to Add and Remove XML files to your Ivanti Connect Secure and
Ivanti Policy Secure Appliances for directions on how to apply or remove the XML
file.

Customers can also access the mitigation and the latest ICT via their standard
download portal and import the XML file.

There is no need to reboot or restart services on the Ivanti Secure appliance
when applying the XML file, but please note that the external ICT will reboot
the system.
Limitations:
 * Ivanti did not test the mitigation on unsupported versions. Upgrade to a
   supported version before applying the mitigation.
 * The workaround is not recommended for a license server. We recommend
   minimizing who can connect to a license server. For example, place a license
   server on a management VLAN, or have a firewall enforce source-IP
   restrictions.

Ivanti highly recommends you upgrade to the latest version of Ivanti Connect
Secure or Ivanti Policy Secure to ensure you have the latest security and
stability fixes. More information about upgrading can be found here:
https://forums.ivanti.com/s/article/How-to-The-Complete-Upgrade-Guide
If you run into issues upgrading after following the instructions in the above
KB, customers should open a ticket with support for assistance.


 


FAQ

 
 1. How do I know if I’ve been compromised?

 * We have seen evidence of threat actors attempting to manipulate Ivanti’s
   internal integrity checker (ICT). Out of an abundance of caution, we are
   recommending that all customers run the external ICT. We have added new
   functionality to the external ICT that will be incorporated into the internal
   ICT in the future.
 * The ICT is a snapshot of the current state of the appliance and cannot
   necessarily detect threat actor activity if they have returned the appliance
   to a clean state. The ICT does not scan for malware or other Indicators of
   Compromise. We recommend as a best practice for customers to always run the
   ICT in conjunction with continuous monitoring.
 * If a customer finds evidence they may have been compromised, they should
   engage with a forensic provider. Ivanti is not a forensic provider and cannot
   perform this for them.

 2. Are there any Indicators of Compromise we can validate outside of the
    integrity checker tool?

 * Indicators of Compromise will be shared with customers that have confirmed
   impact to move customers forward in their forensics investigation. Be aware
   that the situation is still evolving. Ivanti will update this knowledge base
   article as more information becomes available. To receive updates, please
   ensure you are following this article. If customers require additional
   information, they should open a ticket with support.
 * Customers can also reference Volexity’s blog or Mandiant’s blog for
   additional findings of the coordinated investigation. Ivanti thanks Volexity
   for their assistance in identifying and reporting the issue in Ivanti
   Connect Secure, Ivanti Policy Secure and ZTA gateways, and Mandiant for their
   continued support.

 3. Are you aware of any active exploitation of the vulnerability?

 * We are aware of less than 20 customers impacted by the vulnerabilities prior
   to public disclosure. We are unable to discuss the specifics of our
   customers.

 4. Why do I need to run the external ICT for these vulnerabilities?

 * We have added new functionality to the external ICT that will be incorporated
   into the internal ICT in the future. The ICT is a snapshot of the current
   state of the appliance and cannot necessarily detect threat actor activity if
   they have returned the appliance to a clean state. The ICT does not scan for
   malware or other Indicators of Compromise. We recommend as a best practice
   for customers to always run the ICT in conjunction with continuous
   monitoring.

 5. When will patches be available for this vulnerability?

 * A patch is now available for Ivanti Connect Secure (versions 9.1R14.4,
   9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3. Patches
   for supported versions will be released in a staggered schedule with
   instructions on how to upgrade to a supported version.
 * Until a patch is available for their version, customers should apply the
   mitigation for Ivanti Connect Secure and Ivanti Policy Secure and run the
   external integrity checker tool.

 6. Why is Ivanti doing a staggered release for patches?

 * Ivanti always prioritizes the security and quality of each release. To
   effectively achieve this in this instance, it requires a staggered release
   schedule. Our focus is on getting the patch out to customers as quickly as
   possible.

 7. Why isn’t Ivanti releasing patches in version order?

 * We are releasing patches based upon telemetry information available to us
   from current installed solutions that notify us of the version number they
   are running. We are releasing patches for the highest number of installs
   first and then continuing in declining order. Our customers’ security is our
   top priority, and we are releasing patches as quickly as we can while
   ensuring the quality and security of each release.

 8. Why isn’t Ivanti Policy Secure included in the new XML?

 * Ivanti Policy Secure is not designed to be an internet facing solution and
   CVE-2024-21893 is an internet facing vulnerability. For this reason, it is
   not included in the new mitigation release, but there is a patch that will be
   made available in the coming weeks which addresses all known vulnerabilities.

 9. What should I do if I need help?

 * If you have questions after reviewing this information, you can log a case
   and/or request a call via the Success Portal.

 
 10. Is this a “supply chain attack”?
     * No. Based on our analysis, Ivanti has not found any indication that this
       vulnerability was introduced into our code development process
       maliciously.

 
 11. Has Ivanti been compromised due to this vulnerability?
     * No. Ivanti does use our own tools and technology. Ivanti has no
       indication that it has been compromised. Ivanti uses enterprise-grade
       technology and security partners to detect, prevent, and respond to
       increasingly sophisticated threat actors.


Article Number :
000090123