Ivanti documents a brand-new zero-day and belatedly ships patches; Mandiant is reporting “broad exploitation activity.”
January 31, 2024 By Ryan Naraine
Enterprise IT software vendor Ivanti is calling urgent attention to two new high-severity vulnerabilities in its Connect Secure and Policy Secure VPN products, warning that one of the bugs was discovered during investigation of ongoing zero-day attacks.
The new alert comes on the same day Ivanti belatedly shipped patches for critical bugs being exploited by multiple hacking gangs and adds to the urgency for Ivanti customers to test and deploy available fixes.
After struggling to meet its own patch delivery timeline, Ivanti on Wednesday started rolling out fixes on a staggered schedule and added documentation for two new security defects.
“As part of our ongoing investigation into CVE-2023-46805 and CVE-2024-21887 we have identified additional vulnerabilities in Ivanti Connect Secure Ivanti Policy Secure, and Ivanti Neurons for ZTA,” the company warned.
Ivanti said one of the flaws allows for privilege escalation while the second is a server-side request forgery in the SAML component that allows a threat actor to access certain restricted resources without authentication.
“We are aware of a limited number of customers impacted by CVE-2024-21887,” Ivanti said.
In all, Ivanti is documenting four separate issues:
CVE-2023-46805 — An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. CVSS severity score 8.2/10. Confirmed exploited as zero-day.
CVE-2024-21887 — A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet. CVSS 9.1/10. Exploitation confirmed.
CVE-2024-21888 — A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator. CVSS 8.8/10.
CVE-2024-21893 — A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. CVSS severity score 8.2/10. Targeted exploitation confirmed.
