This live blog contains information regarding a vulnerability in Ivanti Connect Secure VPN. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on January 18, 2024.
Update 18 January 2024
14:30 | On the 16th of January, cybersecurity company Rapid7 has published a blog post giving a detailed description of the vulnerability and how it can be exploited. With that, a public exploit is now available. Earlier this week an increase in scanning activity for vulnerable instances was noticed. Cybersecurity company Volexity published on the 15th of January a blog stating they identified 1700 compromised instances.
In our initial blog we only mentioned Ivanti Connect Secure, but also Ivanti Policy Secure is impacted by this vulnerability. The patch release information for this product can be found in the table below.
| Version | Product | Target week |
| 9.1R18x | Ivanti Policy Secure | Week of 22 January |
| 22.5R1x | Ivanti Policy Secure | Week of 22 January |
| 9.1R17x | Ivanti Policy Secure | Week of 22 January |
| 22.4R1x | Ivanti Policy Secure | Week of 29 January |
| 22.6R1x | Ivanti Policy Secure | Week of 29 January |
| 9.1R16x | Ivanti Policy Secure | Week of 29 January |
Exploitation of the vulnerability is very likely. Combined with the exposed character of the affected solutions, this vulnerability is very critical and must be remediated as soon as possible.
Call to action
- Apply the workaround;
- Run the Integrity Checker tool;
- Apply the patch when released.
If any suspicious or malicious activity is detected during the scan with the Integrity Checker, or when the workaround was not applied before the 16th of January, consider the device compromised and please contact T-CERT.
The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.
Update 11 January 2024
12:30 | On the 10th of January, cyber security company Volexity has published a blog describing the exploitation of two vulnerabilities in Ivanti Connect Secure VPN (formerly known as Pulse Connect Secure). The first vulnerability provides an authentication-bypass and is registered as CVE-2023-46805. The second vulnerability gives an attacker the ability to perform command-injection and is registered as CVE-2024-21887.
When combined, an attacker can run commands on the system without authentication and steal configuration data, modify existing files, download files and reverse tunnel from the Ivanti Connect Secure VPN appliance.
Exploitation of CVE-2023-46805 and CVE-2024-21887 has been observed in the wild, but exploit code or instructions are not publicly available. Ivanti has released a workaround while a patch is in development. The workaround does degrade certain features of the product, so check the impact of the workaround before deployment.
A schedule for the releasing of the patches is provided in this article. It is highly recommended to apply these security patches as soon as possible, but additional steps are required for mitigation, which are described in the articles of Volexity and Ivanti.
Reason and background of this blog
This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.
Vulnerability information
On the 10th of January, cyber security company Volexity has published a blog describing the exploitation of two vulnerabilities in Ivanti Connect Secure VPN (formerly known as Pulse Connect Secure). The first vulnerability provides an authentication-bypass and is registered as CVE-2023-46805. The second vulnerability gives an attacker the ability to perform command-injection and is registered as CVE-2024-21887.
When combined, an attacker can run commands on the system without authentication and steal configuration data, modify existing files, download files and reverse tunnel from the Ivanti Connect Secure VPN appliance.
Potential Risk
The vulnerability CVE-2023-46805 has a CVSS score of 8.2 and CVE-2024-21887 a CVSS score of 9.1. The CVSS scale runs from 0 to 10. Scores of 8.2 and 9.1 are not critical in itself. It is the combination of the two vulnerabilities that implies a high risk of exploitation with high impact.
The CVE-2023-46805 vulnerability is an authentication bypass vulnerability. CVE-2024-21887 is a command injection vulnerability. When combined, an attacker can run commands on the system without authentication and steal configuration data, modify existing files, download files and reverse tunnel from the Ivanti Connect Secure VPN appliance.
Exploitation of CVE-2023-46805 and CVE-2024-21887 has been observed in the wild since the beginning of December 2023, but exploit code or instructions are not publicly available. Combined with the exposed character of the affected solutions, this vulnerability is very critical and must be remediated as soon as possible.
Detail info
All supported versions of Ivanti Connect Secure VPN are vulnerable for CVE-2023-46805 and CVE-2024-21887, including:
- Version 9.x
- Version 22.x
Ivanti has released a workaround, while a patch is in development, eliminating the attack surface temporarily. Be aware that this workaround does degrades certain features. Please refer to the security article of Ivanti for the workaround, software patches and more details: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
Ivanti has released a patch release overview. It is highly recommended to apply the software patch as soon as possible when released.
| Version | Product | Target Week |
| 9.1R14.4 | Ivanti Connect Secure | Week of 29 January |
| 9.1R15.3 | Ivanti Connect Secure | Week of 12 February |
| 9.1R16.3 | Ivanti Connect Secure | Week of 29 January |
| 9.1R17.2 | Ivanti Connect Secure | Week of 22 January |
| 9.1R18.3 | Ivanti Connect Secure | Week of 22 January |
| 22.1R6.1 | Ivanti Connect Secure | Week of 19 February |
| 22.2R4.1 | Ivanti Connect Secure | Week of 12 February |
| 22.3R1.1 | Ivanti Connect Secure | Week of 29 January |
| 22.4R1.1 | Ivanti Connect Secure | Week of 12 February |
| 22.4R2.2 | Ivanti Connect Secure | Week of 22 January |
| 22.5R1.1 | Ivanti Connect Secure | Week of 22 January |
| 22.5R2.2 | Ivanti Connect Secure | Week of 19 February |
| 22.6R1.1 | Ivanti Connect Secure | Week of 12 February |
| 22.6R2.2 | Ivanti Connect Secure | Week of 29 January |
| 9.1R14.2 | Ivanti Policy Secure | Week of 29 January |
| 9.1R15.1 | Ivanti Policy Secure | Week of 12 February |
| 9.1R16.1 | Ivanti Policy Secure | Week of 29 January |
| 9.1R17.2 | Ivanti Policy Secure | Week of 22 January |
| 9.1R18.3 | Ivanti Policy Secure | Week of 22 January |
| 22.1R1.1 | Ivanti Policy Secure | Week of 12 February |
| 22.1R6.1 | Ivanti Policy Secure | Week of 12 February |
| 22.3R1.1 | Ivanti Policy Secure | Week of 29 January |
| 22.2R3.1 | Ivanti Policy Secure | Week of 12 February |
| 22.4R1.1 | Ivanti Policy Secure | Week of 22 January |
| 22.5R1.1 | Ivanti Policy Secure | Week of 22 January |
| 22.6R1.1 | Ivanti Policy Secure | Week of 29 January |
| 22.5R1.5 | ZTA | Week of 29 January |
| 22.6R1.3 | ZTA | Week of 22 January |
Installation of the workaround (and later the security update) is not sufficient to remediate the risk of this vulnerability. Both Volexity and Ivanti advice to run the External Integrity Checker Tool to detect potential exploitation. This application is developed by Ivanti to ensure the full integrity of your Ivanti Connect Secure. Additionally, Volexity has provided additional steps to detect exploitation and indicators of compromise.
If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.
Sources
More information:
Subscribe
Do you want to be informed in time? Sign up for our technical updates
Would you like to receive these critical vulnerabilities by e-mail from now on? Enter your e-mail address below.
Tesorion uses your personal data to send out requested information and possibly for contact by telephone and for marketing and sales purposes. You can change your preferences whenever you want. Read our privacy policy for more information.
