Ivanti security patches start to ship

Two new vulnerabilities disclosed.

Ivanti is shipping patches for vulnerabilities in its Connect Secure gateway that were first revealed on January 10.

But while working on its patches, Ivanti said it had found two new vulnerabilities.

“As part of our ongoing investigation into CVE-2023-46805 and CVE-2024-21887 we have identified additional vulnerabilities in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA,” its updated advisory stated.

“CVE-2024-21888 allows for privilege escalation, and CVE-2024-21893 is a server-side request forgery in the SAML component which allows a threat actor to access certain restricted resources without authentication.”

The two new vulnerabilities carry CVSS scores of 8.8 and 8.2 respectively.

Ivanti said it has seen a small number of customers impacted by CVE-2024-21893.

The patch for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3 needs a device reset to prevent an attacker gaining what Ivanti calls “upgrade persistence”.

That results in the patch process taking between three and four hours, the company said.

The vulnerabilities that kicked off Ivanti’s saga were CVE-2024-21887, a remotely exploitable command injection vulnerability with a CVSS score of 9.1; and CVE-2023-46805, an authentication bypass vulnerability.

Until the patches shipped, the company had been offering mitigation via configuration files.

According to the US Cyber and Infrastructure Security Agency (CISA), attackers worked out ways to bypass the mitigations.

Since the vulnerabilities emerged, both Volexity and Mandiant have seen exploits in the wild, and attributed them to a threat actor dubbed UTA0718.

Synacktiv’s Théo Letailleur explained in a blog post that the exploits spotted by the two firms are trying to download and execute a backdoor known as Sliver.

Copyright © iTnews.com.au. All rights reserved.