Ivanti patches two exploited zero-day bugs

Volexity researchers attribute attacks to Chinese actors.

Ivanti is warning users about two zero-day vulnerabilities in its Connect Secure VPN devices after they were discovered and disclosed by security researchers from Volexity.

Volexity spotted the vulnerabilities while analysing a system that was attacked by a group it dubbed “UTA0178”, which it has “reason to believe … is a Chinese nation-state level threat actor”.

The bugs, described here, comprise an authentication bypass and a command injection bug, which can be chained together.

As Volexity’s Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair, and Thomas Lancaster warn in a blog post, chaining CVE-2023-46805 and CVE-2024-21887 “make it trivial for attackers to run commands” on a compromised system.

Volexity discovered the zero-day vulnerabilities after they were used in an attack on a customer’s system.

The attacker’s activities were extensive: they stole configuration data, modified some files, downloaded others, and established a remote tunnel from the VPN appliance.

The attacker also made changes to evade the system’s integrity checker and added backdoors to a legitimate CGI file on the appliance to allow command execution.

They also installed a keylogger to gather user credentials.

“The information and credentials collected by the attacker allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network,” Volexity said.

The attacker also planted a webshell dubbed GLASSTOKEN on public-facing web servers.

Ivanti has published a mitigation as an XML file on its download portal.

In a knowledge base article, Ivanti warns that some features of its Connect Secure and Policy Secure software will be impacted by the mitigations.

Copyright © iTnews.com.au. All rights reserved.