Ivanti Connect Secure and Policy Secure Attack
Zero-day vulnerabilities actively exploited
Widespread exploitation of zero-day vulnerabilities affecting Ivanti Connect Secure and Policy Secure gateways is underway.
Common Vulnerabilities and Exposures
CVE-2023-46805
CVE-2024-21887
CVE-2024-21888
CVE-2024-21893
CVE-2024-22024
Background
CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti Connect Secure (ICS) and Ivanti Policy Secure that allows a remote attacker to access restricted resources by bypassing control checks. CVE-2024-21887 is a command injection vulnerability in the web components of ICS and Ivanti Policy Secure. Used in conjunction with CVE-2023-46805, exploitation of CVE-2024-21887 does not require authentication and lets a threat actor craft malicious requests and execute arbitrary commands on the system.
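The chain described above, reduced to a log-triage rule, as an added example that is not FortiGuard's or Ivanti's code: it parses access-log lines in Apache/NGINX combined format, decodes each request target, and flags requests whose path contains a traversal segment (the shape of a request that reaches past an authorisation check), shell metacharacters in the path or query (the shape of a command-injection payload), or both in one request. The log format, the endpoint names and every sample line are constructed for illustration and are not the appliance's real paths; the concrete requests seen in the wild are documented in the vendor and CISA references on this page.

```python
"""Triage of web-gateway access logs for the two-stage pattern described above:
an authentication-bypass request against the appliance's web component chained
with a command-injection payload in the same request.

Added example, not FortiGuard or Ivanti code. The log format (Apache/NGINX
combined), the endpoint names and every sample line are constructed for
illustration; the request paths used in real attacks are in the vendor and CISA
references on this page, not here.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Combined Log Format: client ident user [timestamp] "METHOD target PROTO" status size ...
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Shell metacharacters that have no place in an API path or query string.
_SHELL_META = re.compile(r'[;|`]|\$\(|&&')


def normalise_target(target: str) -> str:
    """URL-decode twice (so %252e%252e is seen as '..') and collapse repeated
    slashes. Caveat: double decoding can mangle a legitimate literal '%25'; for
    triage that false positive is preferable to missing a double-encoded probe."""
    decoded = unquote(unquote(target))
    return re.sub(r'/{2,}', '/', decoded)


def has_traversal(path: str) -> bool:
    """True when any decoded path segment is '..', i.e. the request tries to
    reach a resource behind the endpoint the authorisation check was applied to."""
    return any(seg == '..' for seg in path.split('/'))


def has_shell_meta(path: str, query: str) -> bool:
    """True when the path or the query string carries a shell metacharacter."""
    return bool(_SHELL_META.search(path) or _SHELL_META.search(query))


def classify(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line. Return a finding for a line that shows
    traversal, shell metacharacters or both; None for a clean or malformed line."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    target = normalise_target(m['target'])
    parts = urlsplit(target)
    traversal = has_traversal(parts.path)
    injection = has_shell_meta(parts.path, parts.query)
    if not (traversal or injection):
        return None
    # Both stages in a single request is the unauthenticated-RCE shape described
    # above; either indicator alone still deserves an analyst's attention.
    severity = 'critical' if (traversal and injection) else 'high'
    return {
        'client': m['client'],
        'timestamp': m['ts'],
        'target': m['target'],
        'status': int(m['status']),
        'traversal': traversal,
        'injection': injection,
        'severity': severity,
    }


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over a whole log and return the findings, worst first."""
    findings = [f for f in (classify(line) for line in lines) if f]
    findings.sort(key=lambda f: (f['severity'] != 'critical', f['timestamp']))
    return findings


# Constructed sample log (hypothetical endpoints): one benign request, one
# traversal-only probe, one double-encoded traversal chained with ';' command
# injection, and one malformed line that the parser must skip.
SAMPLE_LOG = [
    '198.51.100.4 - - [12/Jan/2024:09:58:41 +0000] "GET /api/v1/public/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2024:10:01:02 +0000] "GET /api/v1/public/../../api/v1/restricted/settings HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
    '203.0.113.7 - - [12/Jan/2024:10:01:05 +0000] "GET /api/v1/public/%252e%252e/%252e%252e/api/v1/diagnostics/;id HTTP/1.1" 200 77 "-" "curl/8.4.0"',
    'garbage line that does not match the log format',
]

if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['severity']:8} {finding['client']:15} {finding['target']}")
```

A 200 status on a traversal or metacharacter request is the signal worth escalating: a gateway that rejected the request would normally answer 4xx. The rule is deliberately path-agnostic so it keeps working when the specific endpoint changes; tune `_SHELL_META` if an application legitimately uses `;` in its URLs.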
Threat Radar Overall Score: 4.2
CVSS Rating: 9.0
FortiRecon Score: 96/100
Known Exploited: Yes
Exploit Prediction Score: 97.33%
FortiGuard Telemetry: 17357
Latest Development
Recent news and incidents related to this threat, including data breaches, cyber-attacks, security incidents and newly disclosed vulnerabilities.
Jan 10, 2024: Ivanti disclosed two new vulnerabilities in their ICS and Ivanti Policy Secure gateways: CVE-2023-46805 and CVE-2024-21887.
https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways
Jan 18, 2024: FortiGuard Labs released a Threat Signal on Ivanti Connect Secure and Policy Secure Gateways Zero-day Vulnerabilities (CVE-2023-46805 and CVE-2024-21887)
https://www.fortiguard.com/threat-signal-report/5371/
Jan 19, 2024: CISA issues Emergency Directive ED 24-01 to federal agencies on the Ivanti zero-day exploits. The directive requires agencies to apply Ivanti's published mitigation to the affected products immediately in order to prevent further exploitation.
https://www.cisa.gov/news-events/directives/ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure-vulnerabilities
Jan 22, 2024: FortiGuard Labs has released IPS signatures to detect and block the Authentication Bypass (CVE-2023-46805) and Server-Side Request Forgery (CVE-2024-21893) vulnerabilities and has observed high IPS activity since the release of the signatures.
Jan 22, 2024: Ivanti plans to begin releasing patches addressing these vulnerabilities on a staggered schedule. Until patches are available, Ivanti has provided a workaround for users to mitigate the exploitation risk.
https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways
Feb 01, 2024: Ivanti identified additional vulnerabilities in ICS, Ivanti Policy Secure and Ivanti Neurons for ZTA. CVE-2024-21888 allows privilege escalation, and CVE-2024-21893 is a server-side request forgery in the SAML component that allows a threat actor to access certain restricted resources without authentication. Ivanti's advisory states that CVE-2024-21893 appears to have been used in some targeted attacks and that it expects exploitation to increase. CVE-2024-21893 has also been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
Feb 9, 2024: Ivanti disclosed a fifth vulnerability, CVE-2024-22024, an XML external entity (XXE) vulnerability in ICS and Ivanti Policy Secure.
https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
Feb 13, 2024: A new report by Orange Cyberdefense shows attackers using CVE-2024-21893 to install a new backdoor named DSLog.
https://www.orangecyberdefense.com/fileadmin/general/pdf/Ivanti_Connect_Secure_-_Journey_to_the_core_of_the_DSLog_backdoor.pdf
Feb 29, 2024: CISA released a Cybersecurity Advisory on threat actors exploiting vulnerabilities in Ivanti Connect Secure and Policy Secure gateways.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b
Please note that this is an ongoing investigation; as the situation evolves, FortiGuard Labs will update and add new protections accordingly.
Attack Sequence
Actions taken by a cyber attacker or other malicious entity to compromise a target system or network.
FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
Lure: Redirect an attacker to engage with a decoy instead of real Ivanti Connect Secure and Policy Secure devices.
Decoy VM: Detect attack attempts and monitor malicious activity on the network.
AV: Detect and block known malware related to the Ivanti Connect Secure and Policy Secure attack.
AV (Pre-filter): Detect and block known malware related to the Ivanti Connect Secure and Policy Secure attack.
IPS: Detect and block attack attempts targeting Ivanti Connect Secure and Policy Secure.
Web App Security: Detect and block attack attempts targeting the Ivanti Connect Secure and Policy Secure authentication bypass.
Outbreak Detection
Threat Hunting
Playbook
Assisted Response Services: Experts to assist you with analysis, containment and response activities.
Automated Response: Services that can automatically respond to this outbreak.
NOC/SOC Training: Train your network and security professionals and optimize your incident response to stay on top of cyberattacks.
End-User Training: Raise the security awareness of your employees, who are continuously targeted by phishing, drive-by downloads and other forms of cyberattack.
Attack Surface Hardening: Check Security Fabric devices to build actionable configuration recommendations and key indicators.
Business Reputation: Know the attacker's next move to protect your business brand.
Threat Intelligence
Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.
Indicators of compromise
Mitre Matrix
References
Sources of information related to this outbreak and to the vendor's advisories.