An alert has been issued to Australians who are running or administering instances of Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS).
These vulnerabilities impact all supported versions: 9.x and 22.x. This alert is intended to be understood by technical users.
Customers are encouraged to apply any available mitigations and patches as soon as possible.
Background / What’s happened?
- Ivanti has released security advisories and mitigations for 2 critical vulnerabilities in the Ivanti Connect Secure and Ivanti Policy Secure gateways.
- CVE-2023-46805 is an authentication bypass vulnerability in the web component of ICS (9.x, 22.x) and IPS that allows a remote attacker to access restricted resources by bypassing control checks.
- CVE-2024-21887 is a command injection vulnerability in web components of ICS (9.x, 22.x) and IPS that allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
- Ivanti is aware of active exploitation of these vulnerabilities.
Affected versions / applications:
- CVE-2023-46805: This vulnerability impacts all supported versions of ICS (9.x, 22.x) and IPS.
- CVE-2024-21887: This vulnerability impacts all supported versions of ICS (9.x, 22.x) and IPS.
Mitigation / How do I stay secure?
Organisations that use Ivanti Connect Secure and/or Ivanti Policy Secure should follow the mitigation advice provided in the Ivanti Security Advisory below:
Assistance / Where can I go for help?
Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).
“The lack of a patch for these Ivanti vulnerabilities (CVE-2023-46805 and CVE-2024-21887) is a great concern. The anticipated wait time for a patch is several weeks – some product users will have to wait until February for a patch. As soon as a proof of concept is available for this exploit chain, we expect malicious activity to spike, especially based on historical activity targeting these products. Mitigations are available, but there’s no “easy button” as it’s all on the end user to know about the existence of these vulnerabilities and know how to apply the mitigations. Impacted organisations need to apply these as soon as possible,” said Satnam Narang, senior staff research engineer, Tenable.