Ivanti Connect Secure Vulnerabilities

Key Terms Explained

CVE: Common Vulnerabilities and Exposures, a system to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.

ICT scan: refers to the process of scanning Information and Communication Technology (ICT) systems, networks, or infrastructure to identify vulnerabilities, security flaws, or misconfigurations that could potentially be exploited by cyber attackers.

Remote Code Execution (RCE): Attackers run malicious code on an organisation's network.

Server-Side Request Forgery (SSRF): In a Server-Side Request Forgery (SSRF) attack, an attacker exploits server functionality to access or alter internal resources by manipulating URLs that the server interacts with. This can lead to unauthorsed access to server configurations, such as AWS metadata, connections to internal services like databases, or sending requests to internal services that shouldn't be externally accessible.

Web Shells: Malicious scripts used for remote server control and administration, used maliciously to control compromised web servers.

Understanding the Ivanti Connect Secure Vulnerabilities

Recent advisories, including CISA’s alert AA24-060B dated February 29, 2024, describes the exploitation of multiple vulnerabilities within Ivanti Connect Secure and Policy Secure gateways, notably CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. These vulnerabilities affect all unpatched versions of Ivanti Connect Secure and Policy Secure gateways, permitting unauthorised actions ranging from authentication bypass to executing commands with elevated privileges.

The vulnerabilities CVE-2023-46805 and CVE-2024-21887 were first reported by Volexity in early December 2023, spotlighting a critical flaw in Ivanti's security gateways. These vulnerabilities facilitated unauthenticated remote code execution (RCE), serving as primary entry points for attackers.

CVE-2023-46805: This vulnerability allows attackers to bypass authentication mechanisms, effectively granting them unauthorised access to the system. The flaw lies in the manner that Ivanti's gateways handle authentication requests, allowing skilled attackers to exploit this loophole to gain initial access.

CVE-2024-21887: Compounding the problem, CVE-2024-21887 permitted attackers to execute arbitrary code on the affected systems. Once the attackers bypassed authentication using CVE-2023-46805, they leveraged this vulnerability to run malicious commands, further compromising the integrity of the system.

Exploiting Web Shells: GLASSTOKEN and GIFTEDVISITOR

Upon gaining access, attackers deployed web shells—malicious scripts that enable remote administration. Two such web shells, GLASSTOKEN and GIFTEDVISITOR, were identified as tools used by attackers to maintain access and control over compromised devices. These web shells facilitate a range of malicious activities, from data exfiltration to deploying additional malware.

The Subsequent Discoveries: CVE-2024-21893, CVE-2024-22024, and CVE-2024-21888

As the investigation progressed, three more vulnerabilities came to light, each contributing to the complexity of the threat landscape.

CVE-2024-21893: Identified as a server-side request forgery (SSRF) vulnerability, it allows attackers to forge requests from the server, accessing restricted resources without needing to authenticate themselves. This vulnerability further amplifies the attackers' ability to probe and exploit internal systems.

CVE-2024-22024: Similar to CVE-2024-21893, this XML vulnerability in the SAML component also permits unauthenticated access to restricted resources, enabling attackers to bypass security controls designed to protect sensitive information.

CVE-2024-21888: A privilege escalation vulnerability that provides attackers with administrator-level access on the web component of Ivanti Connect Secure and Policy Secure. This flaw is particularly alarming as it allows attackers to gain elevated privileges, making it possible to execute commands, alter configurations, and gain persistent access.

Real-World Implications

The exploitation of these vulnerabilities has already led to devastating outcomes, including but not limited to data breaches, unauthorised access to sensitive information, and potentially a full domain compromise. The presence of web shells and the ability for lateral movement across the network underscores the sophisticated nature of the threat actors using these vulnerabilities. The sophisticated nature of these threat actors underscores the ongoing need for robust cybersecurity defences and vigilant monitoring of network activity.

Broadening the Attack Surface: Threat actors exploited these vulnerabilities for initial access, deploying web shells, then harvesting credentials. Their tactics included Living Off The Land by leveraging native tools and libraries within Ivanti appliances to expand domain access, ultimately leading to full domain compromises in some cases.

The Deceptive Clean Slate: The Ivanti integrity checker tool, run on Ivanti appliances designed to identify file mismatches, failed to detect compromises due to the sophisticated techniques employed by attackers, such as file overwriting, time-stamping, and runtime partition re-mounting. This false sense of security emphasises the unreliability of ICT scans in detecting compromises.

Indicators of Compromise and Detection Methods: Indicators of compromise (IoCs) and YARA rules provided by the CISA offered critical insights for identifying malicious activities. However, these indicators alone were insufficient without understanding the context and techniques used by attackers.

Mitigation and Response Strategies

Given the complexities and the severe implications of the Ivanti Connect Secure vulnerabilities, a comprehensive approach to mitigation and response is crucial.

1. Immediate Steps for Mitigation

• Patch and Update Systems: Ivanti has released patches for the vulnerabilities CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, CVE-2024-22024, and CVE-2024-21888. Organisations should prioritise applying these patches to all affected systems. Regularly updating systems ensures that security gaps are closed promptly.
• Restrict Network Exposure: To minimise the risk of exploitation, restrict internet-facing access to Ivanti appliances. Use firewalls and access control lists (ACLs) to limit inbound and outbound connections to only those that are strictly necessary for business operations.

• Implement Strict Access Controls: Ensure that access to Ivanti gateways is limited based on the principle of least privilege. Use multi-factor authentication (MFA) wherever possible to add an additional layer of security for user access.
• Monitor and Audit Logs: Enhance monitoring of network traffic and Ivanti system logs. Look for indicators of compromise associated with the vulnerabilities, such as unusual outbound connections or unexpected changes in configuration files. Regular audits can help detect potential breaches early.

2. Advanced Defensive Measures

• Network Segmentation: Segment your network to isolate critical assets, limiting the potential impact of  compromises. Effective segmentation can also prevent lateral movement by attackers, reducing the risk of widespread network infiltration.
• Deploy Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): Use IDS and IPS solutions to detect and prevent malicious activity. Configure/update these systems to recognise the patterns and signatures associated with the exploitation of these Ivanti vulnerabilities.

• Perform Regular Vulnerability Scans and Penetration Tests: Regularly scanning your networks for vulnerabilities and conducting penetration tests can identify weaknesses that might be exploited. These proactive measures allow for the remediation of vulnerabilities before they can be exploited by attackers.
• Incident Response Plan: Ensure that an updated incident response plan is in place. This plan should include specific procedures for dealing with the exploitation of Ivanti vulnerabilities, including steps for containment, eradication, and recovery. The plan should also outline how to communicate with stakeholders during and after such an incident.

3. Long-Term Strategies

• Cultivating a Cybersecurity Culture: Beyond technical solutions and strategies, the foundation of a resilient cybersecurity posture is the cultivation of a comprehensive security culture within organisations. This culture is characterised by regular training and awareness programs that empower all members of the organisation with the knowledge to recognize and mitigate potential security threats. Security should not be the sole responsibility of the IT department; instead, it requires the collective effort of every individual to maintain the integrity of the organization's digital assets.
• Collaborative Security - The Way Forward: In the digital age, no organisation exists in isolation. The interconnectedness of digital systems means that vulnerabilities in one system can potentially compromise a multitude of others. Therefore, collaboration among businesses, cybersecurity communities, and governmental agencies is crucial. Sharing threat intelligence, best practices, and mitigation strategies can significantly enhance collective security measures and prevent widespread exploitation of vulnerabilities like those found in unpatched Ivanti Connect Secure and Policy Secure Gateways..

• Review and Update Security Policies: Regularly review and update security policies to reflect the evolving threat landscape and the organization's changing needs. Policies should address access control, data protection, and incident response, among other critical security domains.
• The Importance of a Strategic Response to Vulnerabilities: The strategic importance of a well-orchestrated response to vulnerabilities cannot be overstated. An effective incident response plan not only addresses the immediate containment and eradication of threats but also ensures a swift recovery process that minimizes downtime and preserves trust among stakeholders. The refinement of these plans, based on lessons learned from past incidents and emerging threats, is vital for the ongoing security and resilience of organizations.

Conclusion

The Ivanti Connect Secure vulnerabilities serve as a stark reminder of the persistent and evolving nature of cyber threats. Addressing these threats requires not only immediate and detailed technical responses but also a long-term commitment to cultivating a culture of cybersecurity, fostering collaboration, and embracing principles of security by design. As organisations navigate the complexities of the digital landscape, the lessons learned from these vulnerabilities can guide the development of more resilient and secure systems, ultimately safeguarding the digital ecosystem at large.

The number of historical vulnerabilities found within Ivanti Connect Secure and Policy Secure Gateways reinforces the necessity of integrating security by design principles into the development and deployment of digital products and services. By prioritising security from the outset, Companies like Ivanti can significantly reduce vulnerabilities and mitigate the risk of exploitation. This approach by manufacturers, coupled with the adoption of secure by design practices, paves the way for a more secure digital future.