Double blow to Ivanti software: simultaneous exploitation of two new 0-days frees hackers' hands

Brother

There is still no patch, so malicious requests and arbitrary command execution will keep haunting corporate users for some time to come.

Ivanti has disclosed two zero-day vulnerabilities in its Connect Secure and Policy Secure gateways that attackers have already exploited in the wild. Chained together, they let a remote attacker execute arbitrary commands on the affected gateways.

The first, CVE-2023-46805, is an authentication bypass in the gateways' web component: it lets a remote attacker reach restricted resources without passing the security checks that normally protect them.

The second, CVE-2024-21887, is a command injection flaw that lets an authenticated administrator execute arbitrary commands on a vulnerable appliance by sending specially crafted requests.

According to Volexity, when the two zero-days are combined in a single attack chain, the attacker can execute arbitrary commands on all supported versions of the affected products without any credentials.

"If CVE-2024-21887 is used in conjunction with CVE-2023-46805, authentication is not required for exploitation, and hackers can create malicious requests and execute arbitrary commands in the system," Ivanti explained.
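To make the chaining concrete, here is a toy model of the two bug classes named above, written as an added example for this page; it is not Ivanti's code and does not reproduce the actual mechanics of either CVE. It models the general classes (an authentication check that can be bypassed, and an admin-only handler that builds an OS command from untrusted input), shows how the first turns the second into unauthenticated command execution, and places a hardened variant beside each. The route names, the `X-Admin-Token` header, the token value and the `echo`-based "diagnostic" are all constructed for illustration.

```python
"""Constructed model of an auth bypass chained with command injection.
Not Ivanti code: routes, header, token and the echo 'diagnostic' are invented."""
import posixpath
import re
import subprocess

ADMIN_TOKEN = "s3cret-admin-token"   # constructed credential for the toy
PUBLIC_PREFIX = "/public/"           # requests under here need no authentication
_HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")  # allowlist for a hostname/IP


def is_authenticated(headers: dict) -> bool:
    return headers.get("X-Admin-Token") == ADMIN_TOKEN


def vulnerable_diag(host: str) -> str:
    """Admin-only 'connectivity check' that interpolates the user-supplied host
    into a shell command (command injection, CWE-78). `echo` stands in for the
    real diagnostic tool so the demonstration is harmless."""
    out = subprocess.run(f"echo {host}", shell=True, capture_output=True, text=True)
    return out.stdout


def hardened_diag(host: str) -> str:
    """Same endpoint, fixed: strict allowlist validation, argv list, no shell."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    out = subprocess.run(["echo", host], shell=False, capture_output=True, text=True)
    return out.stdout


def _route(path: str, query: dict, handler) -> str:
    if path == "/admin/diag":
        try:
            return handler(query.get("host", ""))
        except ValueError:
            return "400 Bad Request"
    return "404 Not Found"


def vulnerable_dispatch(path: str, query: dict, headers: dict) -> str:
    """Authentication bypass (CWE-288): the public-prefix check runs on the raw
    path and normalisation happens afterwards, so '/public/../admin/diag' is
    treated as public yet resolves to the admin route. With the injectable
    handler behind it, an unauthenticated client gets command execution."""
    if not path.startswith(PUBLIC_PREFIX) and not is_authenticated(headers):
        return "403 Forbidden"
    return _route(posixpath.normpath(path), query, vulnerable_diag)


def hardened_dispatch(path: str, query: dict, headers: dict) -> str:
    """Fixed: normalise first, then decide whether the route is public, and
    back it with the hardened handler so even an authenticated admin cannot
    inject shell syntax."""
    path = posixpath.normpath(path)
    if not path.startswith(PUBLIC_PREFIX) and not is_authenticated(headers):
        return "403 Forbidden"
    return _route(path, query, hardened_diag)


if __name__ == "__main__":
    payload = {"host": "127.0.0.1; echo INJECTED"}   # constructed attack input
    print(vulnerable_dispatch("/public/../admin/diag", payload, {}))
    print(hardened_dispatch("/public/../admin/diag", payload, {}))
```

Run stand-alone, the vulnerable dispatcher echoes `INJECTED` on a second line for a request carrying no token at all, which is the unauthenticated command execution the Ivanti statement describes; the hardened dispatcher answers `403 Forbidden` to the same request, and even a legitimate administrator who sends the injection string gets `400 Bad Request`.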

Volexity observed attacks chaining both vulnerabilities in December and attributed them to a suspected Chinese state-sponsored threat actor.

"We are now providing mitigation while the patch is still in development. It is extremely important that customers immediately take all necessary actions to ensure their full protection," Ivanti added.

The company says the patches will be released in stages, with the last due by the end of February. Until then, the zero-days can be mitigated by importing the mitigation file "mitigation.release.20240107.1.xml", available to customers via the Ivanti download portal. Note that the mitigation blocks the exploit path but does not clean up an appliance that has already been compromised, so exposed gateways should also be examined for signs of intrusion, given that attacks have been under way since December.

According to Shodan results shared by security researcher Kevin Beaumont, more than 15,000 Connect Secure and Policy Secure gateways are currently exposed to the internet. Since no patch is available yet, most of them should be assumed vulnerable until the mitigation has been applied.

In July 2023, state-sponsored attackers exploited two other zero-days (CVE-2023-35078 and CVE-2023-35081) in Ivanti Endpoint Manager Mobile (EPMM) to break into the networks of several Norwegian government organizations.

A month later, attackers exploited a third vulnerability (CVE-2023-38035) in Ivanti Sentry to bypass API authentication on vulnerable devices.

Ivanti products are extremely popular and are used to manage IT assets and systems by more than 40,000 companies worldwide.