URL: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Co...
KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways

Products / Topics: Connect-Secure, Policy Secure
Created Date: 10.01.2024 17:48:13
Last Modified Date: 02.02.2024 21:05:19

Description

Edit log:
* Edit 1: January 10 - Fixed linking to XML instructions.
* Edit 2: January 11 - Update to XML mitigation impacts.
* Edit 3: January 12 - Update to reflect the factory reset recommendation for impacted appliances.
* Edit 4: January 13 - New ICT version for 22.x R2 to address a bug preventing the ICT from running on certain Microsoft Azure appliances.
* Edit 5: January 14 - Updated patch version and timing information for Ivanti Policy Secure.
* Edit 6: January 15 - Update to the customer impact FAQ and NEW Recovery Guidance linked HERE.
* Edit 7: January 20 - Update to the workaround section about a known race condition when pushing device configurations.
* Edit 8: January 26 - Updated patch timing information.
* Edit 9: January 31 - Patch availability update and disclosure of CVE-2024-21888 and CVE-2024-21893.
* Edit 10: January 31 - Known issue with the downloads portal is addressed. Please clear your cache and retry if errors persist. Corrected CVE# in description. Added new FAQs.
* Edit 11: February 1 - Updated patch release information and factory reset recommendations.

Update 1 February: A patch addressing all known vulnerabilities is now available for Ivanti Connect Secure version 22.5R2.2 and Ivanti Policy Secure 22.5R1.1. Please refer to the instructions provided on 31 January for best practices.

Update 31 January: A patch addressing all known vulnerabilities is now available for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3.

Description:

Vulnerabilities have been discovered in Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways. These vulnerabilities impact all supported versions, 9.x and 22.x (refer to Granular Software Release EOL Timelines and Support Matrix for supported versions). Refer to KB43892 (What releases will Pulse Secure apply fixes to resolve security vulnerabilities) for our End of Engineering (EOE) and End of Life (EOL) policies.

The Ivanti Neurons for ZTA gateways cannot be exploited when in production. If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway. Ivanti Neurons for Secure Access is not vulnerable to these CVEs; however, the gateways being managed are independently vulnerable to these CVEs. For this reason, Ivanti Neurons for ZTA is included in the patch schedule below.

If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.

As part of our ongoing investigation into CVE-2023-46805 and CVE-2024-21887 we have identified additional vulnerabilities in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA.
CVE-2024-21888 allows for privilege escalation and CVE-2024-21893 is a server-side request forgery in the SAML component which allows a threat actor to access certain restricted resources without authentication. We have no evidence of customers being impacted by CVE-2024-21888 at this time, and we are aware of a limited number of customers impacted by CVE-2024-21893. We are reporting these vulnerabilities in this knowledge base article as they are resolved in the patch detailed below. We have also provided a new mitigation for supported versions where the patch has not been released.

At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted. Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public, similar to what we observed on 11 January following the 10 January disclosure.

Be aware that the situation is still evolving. Ivanti will update this knowledge base article as more information becomes available. To receive updates, please ensure you are following this article.

Cause

The table below provides details on the vulnerabilities (CVE, description, CVSS base score, CVSS v3.1 vector):

* CVE-2023-46805
  * Description: An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
  * CVSS: 8.2
  * Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
* CVE-2024-21887
  * Description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet.
  * CVSS: 9.1
  * Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
* CVE-2024-21888
  * Description: A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.
  * CVSS: 8.8
  * Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-21893
  * Description: A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
  * CVSS: 8.2
  * Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

RESOLUTION

Patch Availability

Update 1 February: A patch addressing all known vulnerabilities is now available for Ivanti Connect Secure version 22.5R2.2 and Ivanti Policy Secure 22.5R1.1. Please refer to the instructions provided on 31 January for best practices.

Update 31 January: A patch addressing all known vulnerabilities is now available for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3.

We are recommending as a best practice that all customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment. Historically we have seen this threat actor attempt to gain persistence in customers' environments, which is why we are recommending this action as a best practice for all customers.

It is Ivanti's recommendation that if a customer has a clean External Integrity Checker scan before and after the patch is applied, they can schedule the factory reset of the appliance during their regular service window.
If a customer has a positive External Integrity Checker scan either before or after the patch is applied, they should do a factory reset and follow the instructions in this Knowledge Base article HERE. If a customer experiences issues factory resetting their appliance after reviewing the above Knowledge Base article, they should open a support ticket for assistance.

The remaining patches for supported versions will still be released on a staggered schedule. Instructions on how to upgrade to a supported version are provided below. The timing of patch release is subject to change as we prioritize the security and quality of each release. Please ensure you are following this article to receive updates as they become available.

Ivanti highly recommends you upgrade to the latest version of Ivanti Connect Secure or Ivanti Policy Secure to ensure you have the latest security and stability fixes. More information about upgrading can be found here: https://forums.ivanti.com/s/article/How-to-The-Complete-Upgrade-Guide

If you run into issues upgrading after following the instructions in the above KB, customers should open a ticket with support for assistance.

*For customers wanting to upgrade to a higher version to accelerate your patch timing, this guide can be followed HERE. Patches will be released following next-minor-version logic, and lesser minor versions will not be given a one-off patch.

Download
Customers can access the patch via the standard download portal, login required.

Workaround

Please note: If a customer has applied the patch, they do not need to apply the mitigation. If the mitigation is applied before the patch, it can be removed once the patch has been applied. The mitigation removal XML is also found in the standard download portal.

CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893 can be mitigated by importing the mitigation.release.20240126.5.xml file via the download portal. Ivanti has created a new mitigation to be applied to the gateways.
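The Resolution section above lists the patched builds per product and states that patches follow next-minor-version logic, with no one-off patches for lesser versions. The following Python is an added example, not an Ivanti tool: it parses ICS/IPS/ZTA version strings of the form MAJOR.MINOR R release . patch, matches each appliance to the patched build in its release train, and returns a triage verdict with the KB's corresponding action (mitigation XML, external ICT, factory reset). Two assumptions not stated in the KB are marked in the code: that a higher patch number within the same train carries the fix, and that a train with no listed build has no patch as of 1 February 2024. The inventory rows are constructed for the example.

```python
"""Triage an appliance inventory against the patched builds listed in this KB.
Added example, not an Ivanti tool. Version strings look like 9.1R18.3 or
22.5R2.2: MAJOR.MINOR, then R<release>, then .<patch>."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

_VER_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Patched builds exactly as listed in the Resolution section (state as of 1 February 2024).
PATCHED: Dict[str, List[str]] = {
    "ICS": ["9.1R14.4", "9.1R17.2", "9.1R18.3", "22.4R2.2", "22.5R1.1", "22.5R2.2"],
    "IPS": ["22.5R1.1"],
    "ZTA": ["22.6R1.3"],
}

Train = Tuple[int, int, int]  # (major, minor, release), e.g. (22, 5, 2) for 22.5R2.x


def parse_version(version: str) -> Tuple[Train, int]:
    """Split '22.5R2.1' into its train (22, 5, 2) and patch level 1.
    A missing patch suffix ('22.5R2') is treated as patch 0."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised appliance version: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release)), int(patch or 0)


@dataclass
class Verdict:
    product: str
    version: str
    status: str            # "patched", "patch-available" or "no-patch"
    target: Optional[str]  # patched build to move to, if this train has one
    action: str


def triage(product: str, version: str) -> Verdict:
    """Decide what the KB asks for, given a product and its running version."""
    train, patch = parse_version(version)
    fixed_by_train = {}
    for build in PATCHED[product]:
        fixed_train, fixed_patch = parse_version(build)
        fixed_by_train[fixed_train] = (fixed_patch, build)

    if train in fixed_by_train:
        fixed_patch, fixed_build = fixed_by_train[train]
        # Assumption (not stated in the KB): a later patch in the same train carries the fix.
        if patch >= fixed_patch:
            return Verdict(product, version, "patched", None,
                           "version matches a patched build; still run the external ICT "
                           "before and after patching and factory reset if a scan is positive")
        return Verdict(product, version, "patch-available", fixed_build,
                       f"apply the mitigation XML now, then upgrade to {fixed_build} "
                       "(factory reset first, per the KB best practice)")

    # Assumption: no listed build in this train means no patch yet. The KB says lesser
    # minor versions get no one-off patch, so the path is mitigate and upgrade.
    return Verdict(product, version, "no-patch", None,
                   "apply the mitigation XML, run the external ICT, and plan an upgrade "
                   "to a supported train that has a patched build")


def summarize(inventory: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count verdict statuses over (product, version) rows."""
    counts = {"patched": 0, "patch-available": 0, "no-patch": 0}
    for product, version in inventory:
        counts[triage(product, version).status] += 1
    return counts


# Constructed sample inventory for the example; not real customer data.
SAMPLE_INVENTORY = [
    ("ICS", "22.4R2.2"),   # patched build
    ("ICS", "22.4R2.1"),   # one patch behind: move to 22.4R2.2
    ("ICS", "22.3R1.0"),   # train with no listed patch
    ("ICS", "9.1R18.3"),   # patched build
    ("IPS", "22.5R1.1"),   # patched build
    ("ZTA", "22.6R1.2"),   # one patch behind: move to 22.6R1.3
]

if __name__ == "__main__":
    for product, version in SAMPLE_INVENTORY:
        v = triage(product, version)
        print(f"{product} {version}: {v.status} -> {v.action}")
    print(summarize(SAMPLE_INVENTORY))
```

A "patched" verdict here is a version-string match only; it is not evidence that the appliance is clean, which is why the action text still carries the KB's external ICT and factory reset guidance. Update the PATCHED table from the KB as further staggered releases appear.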
We are providing the mitigation now, while the remaining patches are in development, to prioritize the best interest of our customers. The new mitigation XML can be applied regardless of whether the previous one was applied. It will show as three patches being applied in the admin UI notification above the overview dashboard.

Important: Customers should stop pushing configurations to appliances with the XML in place, and not resume pushing configurations until the appliance is patched. When the configuration is pushed to the appliance, it stops some key web services from functioning, and stops the mitigation from functioning. This only applies to customers who push configurations to appliances, including configuration pushes through Pulse One or nSA. This can occur regardless of a full or partial configuration push.

We have seen evidence of threat actors attempting to manipulate Ivanti's internal integrity checker (ICT). Out of an abundance of caution, we are recommending that all customers run the external ICT. We have added new functionality to the external ICT that will be incorporated into the internal ICT in the future. We regularly provide updates to the external and internal ICT, so customers should always ensure they are running the latest version of each.

The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state. The ICT does not scan for malware or other Indicators of Compromise. We recommend as a best practice for customers to always run the ICT in conjunction with continuous monitoring. Refer to KB44755 (Pulse Connect Secure (PCS) Integrity Assurance) for information on how to run the external ICT.

Impact: The XML file impacts or degrades the following features:

* Ivanti Connect Secure:
  * NEW: SAML
    * The new mitigation will block all SAML communication and authentication. This will have limited functionality impact on customers who use LDAP for authentication. As a workaround, customers who use SAML for authentication can establish LDAP authentication for administrators and high-priority users while the staggered patches are in development.
  * Admin REST APIs
    * Automation built with the REST API for configuration and monitoring will be impacted. Administrators will be able to access the gateways using the gateway's GUI interface.
  * End User Portal (Advanced HTML5)
    * This is specific to requests that launch a dynamically assigned HTML5 bookmark; existing pre-defined HTML5 bookmarks are not impacted.
  * End user JSAM functionality is impacted.
  * Rewriter functionality is unavailable once the mitigation is applied.
  * Citrix StoreFront with HTML5 is impacted.
    * Citrix StoreFront with the ICA Client connecting over CTS/WSAM is not impacted.
  * Auto-Launch of PSAL install
    * This only impacts new users or machines which have not previously logged in and installed PSAL. Manually download and install PSAL as a workaround.
  * Admin CRL Configuration
    * Admins will be unable to change the CRL configuration. Otherwise, the CRL functionality is not impacted by the mitigation.
* Ivanti Policy Secure:
  * Profiler and Remote Profiler will be significantly degraded once the mitigation is applied, but will still allow authentication to an IPS appliance to happen.
  * UEBA adaptive authentication is unavailable once the mitigation is applied.

There may be additional impacts based on the customers' configuration of their environment. If a customer is experiencing an impact outside of what has been identified, they should call support and open a support ticket. If it is validated for wide impact, we will update the KB. Ivanti's focus is on getting the patch out to customers as quickly as possible (see below for schedule). Please ensure you are following this article to receive updates.

Download
Customers can access XML downloads via the standard download portal, login required.
Note:
* The XML file is in zipped format; please unzip it and then import the XML file.
* Importing this XML into any one node of a cluster is enough.

For directions on how to apply or remove the XML file see HERE. Customers can also access the mitigation and the latest ICT via their standard download portal and import the XML file. There is no need to reboot or restart services on the Ivanti Secure Appliance when applying the XML file, but please note that the external ICT will reboot the system.

Limitations:
* Ivanti did not test the mitigation on unsupported versions. Upgrade to a supported version before applying the mitigation.
* The workaround is not recommended for a license server. We recommend minimizing who can connect to a license server. For example, place a license server on a management VLAN, or have a firewall enforce source-IP restrictions.

Ivanti highly recommends you upgrade to the latest version of Ivanti Connect Secure or Ivanti Policy Secure to ensure you have the latest security and stability fixes. More information about upgrading can be found here: https://forums.ivanti.com/s/article/How-to-The-Complete-Upgrade-Guide

If you run into issues upgrading after following the instructions in the above KB, customers should open a ticket with support for assistance.

FAQ

1. How do I know if I've been compromised?
* We have seen evidence of threat actors attempting to manipulate Ivanti's internal integrity checker (ICT). Out of an abundance of caution, we are recommending that all customers run the external ICT. We have added new functionality to the external ICT that will be incorporated into the internal ICT in the future.
* The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state. The ICT does not scan for malware or other Indicators of Compromise. We recommend as a best practice for customers to always run the ICT in conjunction with continuous monitoring.
* If a customer finds evidence they may have been compromised, they should engage with a forensic provider. Ivanti is not a forensic provider and cannot perform this for them.

2. Are there any Indicators of Compromise we can validate outside of the integrity checker tool?
* Indicators of Compromise will be shared with customers that have confirmed impact to move customers forward in their forensics investigation. Be aware that the situation is still evolving. Ivanti will update this knowledge base article as more information becomes available. To receive updates, please ensure you are following this article. If customers require additional information, they should open a ticket with support.
* Customers can also reference Volexity's blog or Mandiant's blog for additional findings of the coordinated investigation. Ivanti thanks Volexity for their assistance in identifying and reporting the issue in Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways, and Mandiant for their continued support.

3. Are you aware of any active exploitation of the vulnerability?
* We are aware of fewer than 20 customers impacted by the vulnerabilities prior to public disclosure. We are unable to discuss the specifics of our customers.

4. Why do I need to run the external ICT for these vulnerabilities?
* We have added new functionality to the external ICT that will be incorporated into the internal ICT in the future. The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state. The ICT does not scan for malware or other Indicators of Compromise. We recommend as a best practice for customers to always run the ICT in conjunction with continuous monitoring.

5. When will patches be available for this vulnerability?
* A patch is now available for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3. Patches for supported versions will be released in a staggered schedule with instructions on how to upgrade to a supported version.
* Until a patch is available for their version, customers should apply the mitigation for Ivanti Connect Secure and Ivanti Policy Secure and run the external integrity checker tool.

6. Why is Ivanti doing a staggered release for patches?
* Ivanti always prioritizes the security and quality of each release. To effectively achieve this in this instance, it requires a staggered release schedule. Our focus is on getting the patch out to customers as quickly as possible.

7. Why isn't Ivanti releasing patches in version order?
* We are releasing patches based upon telemetry information available to us from current installed solutions that notify us of the version number they are running. We are releasing patches for the highest number of installs first and then continuing in declining order. Our customers' security is our top priority, and we are releasing patches as quickly as we can while ensuring the quality and security of each release.

8. Why isn't Ivanti Policy Secure included in the new XML?
* Ivanti Policy Secure is not designed to be an internet-facing solution and CVE-2024-21893 is an internet-facing vulnerability. For this reason, it is not included in the new mitigation release, but there is a patch that will be made available in the coming weeks which addresses all known vulnerabilities.

9. What should I do if I need help?
* If you have questions after reviewing this information, you can log a case and/or request a call via the Success Portal.

10. Is this a "supply chain attack"?
* No. Based on our analysis, Ivanti has not found any indication that this vulnerability was introduced into our code development process maliciously.

11. Has Ivanti been compromised due to this vulnerability?
* No. Ivanti does use our own tools and technology. Ivanti has no indication that it has been compromised. Ivanti uses enterprise-grade technology and security partners to detect, prevent, and respond to increasingly sophisticated threat actors.

Article Number: 000090123

Copyright © 2019-2023 Ivanti. All rights reserved.