Advisory: Critical Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
Published on January 11, 2024
On January 10, 2024, Ivanti released an advisory regarding two critical vulnerabilities in its Connect Secure (ICS) and Policy Secure gateways. The vulnerabilities, CVE-2023-46805 and CVE-2024-21887, are already being exploited by attackers and can result in the execution of arbitrary commands on targeted gateways.
Technical Details
The first vulnerability, CVE-2023-46805, has a CVSS score of 8.2. It is an authentication bypass in the gateways' web component that allows attackers to reach restricted resources without proper authorization.
The second vulnerability, CVE-2024-21887, has a CVSS score of 9.1. It is a command injection vulnerability that allows an authenticated administrator to execute arbitrary commands on a vulnerable appliance by sending specially crafted requests.
Chained together, the two vulnerabilities allow attackers to run arbitrary commands on all supported versions of the affected products without any authentication: the first flaw removes the need for administrator credentials, and the second turns the reachable administrative request into command execution.
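To make the chain described above concrete, here is an added example in Python that is not code from the original advisory, from Ivanti or from CERT-EU. It models the two weakness classes in a toy request handler: an access-control check that inspects the raw request path before the path is normalised (an authentication-bypass pattern), and an administrator-only endpoint that splices a request parameter into a shell command line (a command-injection pattern), followed by a hardened version of both. Every path, handler name and request value is constructed for illustration; the advisory does not describe the actual mechanism in the Ivanti products and this example makes no claim about it. Nothing is executed: the handlers return the command they would run so the script runs offline.

```python
"""
Constructed illustration of the two weakness classes in the advisory:
an authentication bypass in a web front end chained with a command
injection in an administrator-only endpoint, next to a hardened version.
Not Ivanti code; every path and name here is made up. Nothing is executed:
the handlers return the command they *would* run.
"""
import posixpath
import re
from dataclasses import dataclass, field

PUBLIC_PREFIX = "/api/v1/public/"   # constructed: reachable without a session
ADMIN_PREFIX = "/api/v1/admin/"     # constructed: requires an admin session


@dataclass
class Request:
    path: str                        # raw path exactly as received
    params: dict = field(default_factory=dict)
    session_admin: bool = False      # True only after a real admin login


class Denied(Exception):
    """Raised when access control rejects the request."""


# --- vulnerable pattern ------------------------------------------------------

def vulnerable_authz(req: Request) -> str:
    """Decides on the RAW path and normalises only afterwards for routing.
    A public-looking prefix therefore satisfies the check even when the
    normalised path lands on an admin route."""
    if req.path.startswith(PUBLIC_PREFIX) or req.session_admin:
        return posixpath.normpath(req.path)
    raise Denied("login required")


def vulnerable_admin_ping(req: Request) -> str:
    """Admin helper that splices a parameter into a shell command line."""
    routed = vulnerable_authz(req)
    if not routed.startswith(ADMIN_PREFIX):
        raise Denied("not an admin route")
    host = req.params.get("host", "")
    return f"ping -c 1 {host}"       # would go to subprocess.run(..., shell=True)


# --- hardened pattern --------------------------------------------------------

# Hostname or IPv4 literal; first character may not be '-' so it cannot be
# mistaken for an option by the program receiving it.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]{0,252}")


def hardened_authz(req: Request) -> str:
    """Normalise FIRST, then decide on the canonical path, and require a
    session for anything outside the public prefix."""
    routed = posixpath.normpath(req.path)
    if routed.startswith(PUBLIC_PREFIX):
        return routed
    if routed.startswith(ADMIN_PREFIX) and req.session_admin:
        return routed
    raise Denied("login required")


def hardened_admin_ping(req: Request) -> list:
    """Validate the parameter against an allow-pattern and build an argv
    list so that no shell ever parses user input."""
    routed = hardened_authz(req)
    if routed != ADMIN_PREFIX + "ping":
        raise Denied("unknown admin route")
    host = req.params.get("host", "")
    if not HOST_RE.fullmatch(host):
        raise ValueError("host must be a hostname or IPv4 literal")
    return ["ping", "-c", "1", host]  # would go to subprocess.run(argv)


def outcome(fn, req: Request):
    """Run a handler and report what happened instead of raising."""
    try:
        return fn(req)
    except (Denied, ValueError) as exc:
        return type(exc).__name__


# Constructed sample traffic. CHAINED_REQUEST has no session, a raw path that
# starts with the public prefix but normalises to the admin route, and a
# parameter carrying a shell metacharacter.
CHAINED_REQUEST = Request(path=PUBLIC_PREFIX + "../admin/ping",
                          params={"host": "127.0.0.1; id"})
BAD_HOST_REQUEST = Request(path=ADMIN_PREFIX + "ping",
                           params={"host": "127.0.0.1; id"}, session_admin=True)
LEGIT_REQUEST = Request(path=ADMIN_PREFIX + "ping",
                        params={"host": "127.0.0.1"}, session_admin=True)


def demo() -> dict:
    """Outcome of each handler on the constructed traffic."""
    return {
        "vulnerable_chained": outcome(vulnerable_admin_ping, CHAINED_REQUEST),
        "hardened_chained": outcome(hardened_admin_ping, CHAINED_REQUEST),
        "hardened_bad_host": outcome(hardened_admin_ping, BAD_HOST_REQUEST),
        "hardened_legit": outcome(hardened_admin_ping, LEGIT_REQUEST),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The two fixes are independent and both are needed: normalising before the access-control decision closes the bypass on its own, and an allow-pattern plus an argv list removes the injection even for a genuinely authenticated administrator, which is why the hardened handler rejects `BAD_HOST_REQUEST` despite its valid session.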
Affected Products
The vulnerabilities impact all supported versions of Ivanti Connect Secure (ICS) and Policy Secure gateways.
Recommendations
While Ivanti works on releasing patches, CERT-EU recommends applying the workaround file mitigation.release.20240107.1.xml and running the external Integrity Checker Tool (ICT) as soon as possible [3].
Mitigation
Until patches are available, users can mitigate the zero-day vulnerabilities by importing the mitigation.release.20240107.1.xml file provided through Ivanti's download portal [3]. Additionally, because threat actors have been observed attempting to manipulate Ivanti's internal Integrity Checker Tool (ICT), customers are advised to run the external ICT [3].
References
[1] Ivanti Connect Secure Zero-Day Vulnerabilities
[2] CVE-2023-46805 Authentication Bypass, CVE-2024-21887 Command Injection in Connect Secure and Policy Secure Gateways
[3] Ivanti Gateway Vulnerability Mitigation
MITRE ATT&CK Matrix Advisory Analysis
MITRE ATT&CK Matrix from Ivanti Advisory
Advisory Date: January 10, 2024
Critical Vulnerabilities: CVE-2023-46805 and CVE-2024-21887
Enterprise

| ATT&CK Tactic | Technique | Sub-Technique |
|---|---|---|
| Initial Access | Exploit Public-Facing Application (T1190) | - |
| Execution | Command and Scripting Interpreter (T1059) | Command and Scripting Interpreter: Unix Shell (T1059.004) |
| Defense Evasion | Subvert Trust Controls (T1553) | Subvert Trust Controls: Gatekeeper Bypass (T1553.001) |

Mobile

| ATT&CK Tactic | Technique | Sub-Technique |
|---|---|---|
| - | - | No specific mobile techniques mentioned in the advisory. |

ICS

| ATT&CK Tactic | Technique | Sub-Technique |
|---|---|---|
| Exploitation for Evasion | Exploit Public-Facing Application (T1190) | - |

Mitigations

| Mitigation Technique | Description |
|---|---|
| Update Software | Import the mitigation.release.20240107.1.xml file available via Ivanti's download portal. |
| Application Isolation and Sandboxing | Run the external Integrity Checker Tool (ICT) to validate the integrity of Ivanti gateways. |

References:
- BleepingComputer Advisory Note
- Ivanti Forum CVE-2023-46805 and CVE-2024-21887
- Ivanti Mitigation Instructions

In the constructed matrix above, specific ATT&CK tactics and techniques have been assigned to the vulnerabilities listed in the advisory. These mappings are not exhaustive and serve as potential categorizations based on the provided information. Sub-techniques have been added where appropriate, but some entries have no corresponding sub-technique in the advisory. The Mobile section lists no techniques because the advisory provides no Mobile-specific information. The Mitigations section lists the advised immediate actions to address the vulnerabilities, as per the linked references.
This post was generated entirely by an AI language model. Source: CERT EU