Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN

Given how widely deployed Ivanti is, I wanted to share the news. Please see the information below for more details from Ivanti. Also included is a vendor post for any security people out there who are looking for IOCs. I am not affiliated with this organization; they just happen to be the first ones to discover it.


Ivanti has also publicly released the CVEs for these vulnerabilities. The patch will likely not be ready until the week of Jan 22nd. There are mitigating actions one can take.

https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

## CVE-2023-46805
CVSS: 8.2
An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

## CVE-2024-21887
CVSS: 9.1
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
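The second advisory describes the classic pattern: a request parameter reaches a shell. The following is an added illustration of that vulnerability class, not Ivanti's code and not the actual CVE-2024-21887 sink; the "ping a host" admin diagnostic, the parameter value and the hostname allowlist are all assumptions made up for the example. It shows the vulnerable string-built command next to a hardened argv-based version, and uses `shlex` to show how a POSIX shell would tokenise the crafted value into two commands.

```python
import re
import shlex
import subprocess

# Constructed example input: what an admin-facing "ping" diagnostic might receive.
# The second value appends a second command after the hostname (assumption: a
# hypothetical handler, not the real Ivanti endpoint).
BENIGN_HOST = "vpn.example.com"
CRAFTED_HOST = "127.0.0.1; id"

# Strict allowlist for a hostname/IP: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_ping_command(host: str) -> str:
    """Vulnerable pattern: interpolate the parameter into a single shell string.

    Returned rather than executed so the injection is visible without running it;
    a real handler would pass this to subprocess.run(cmd, shell=True).
    """
    return f"ping -c 1 {host}"


def shell_tokens(cmd: str) -> list[str]:
    """Tokenise cmd the way /bin/sh would, with ';' returned as its own token."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lexer)


def count_commands(cmd: str) -> int:
    """Number of separate commands a shell would see (1 + number of ';' separators)."""
    return 1 + sum(1 for tok in shell_tokens(cmd) if tok == ";")


def hardened_ping_command(host: str) -> list[str]:
    """Hardened pattern: validate against an allowlist and build an argv list.

    With an argv list and shell=False no shell parses the value, so ';', '|',
    '$(...)' and friends are just bytes in argv[3].
    """
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def is_rejected(host: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        hardened_ping_command(host)
    except ValueError:
        return False or True  # rejected
    return False


def run_hardened(host: str) -> subprocess.CompletedProcess:
    """Execute the validated argv without a shell (not called by the demo below)."""
    return subprocess.run(hardened_ping_command(host), capture_output=True, text=True, check=False)


if __name__ == "__main__":
    cmd = vulnerable_ping_command(CRAFTED_HOST)
    print("vulnerable string:", cmd)
    print("shell would see   :", shell_tokens(cmd), "->", count_commands(cmd), "commands")
    print("hardened argv     :", hardened_ping_command(BENIGN_HOST))
    print("crafted rejected? :", is_rejected(CRAFTED_HOST))
```

The point of the two builders is where parsing happens: in the vulnerable form the shell re-parses the attacker's bytes and finds a second command; in the hardened form the only parser is the allowlist regex, and the value is never re-interpreted. Allowlisting the parameter is still worth doing even with an argv list, because the target binary may itself treat a leading `-` as an option.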

Odd how this doesn’t seem to generate more comments considering how big they are in this space.

Yeah we deployed the mitigation right away and as far as we can see we weren’t affected. Just too bad there’s no easy / clear way to check for the latter.

Here is a suspected modus operandi in a great blog post by Mandiant: https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day

I gotta say this has been a pretty negative experience for us. The temporary mitigation broke the network fileshare access feature in the portal, and the patch was released a week later than promised; then, when going to download the patch, their licensing/download portal had crashed, presumably due to capacity issues. The fileshare browsing in the portal was the one thing keeping us on the Pulse Secure platform, but with our appliance EOL next year, we will be shopping competitors. They are also recommending a full factory reset to erase the device and start fresh, a 3-4 hour process. I did contact Ivanti support about the error we were receiving when browsing folders more than 3 deep, and their response was "That is a very strange message. I can ask my team to see if they have encountered this issue and if they have a solution." It's been 48 hours and crickets.

The number of vulnerabilities in VPN products. The irony of course being that half the VPNs out there only exist because people were told you couldn't put Remote Desktop Gateway online without a VPN (RD Gateway with MFA hasn't had major vulnerabilities approaching what Pulse Secure, Fortigates or Citrix have had).

Yeah, it's frustrating, and Ivanti just leave you with a "we can't help there".

Any gotchas or downsides associated with that mitigation? Ivanti’s page listing the way it hardens the system made it sound pretty intense.