On January 31, 2024, Ivanti published an article disclosing two high severity vulnerabilities:
CVE-2024-21893: A server-side request forgery flaw present in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons. This vulnerability allows an unauthenticated threat actor to access restricted resources. Ivanti reports that a limited number of customers have been affected by this vulnerability.
CVE-2024-21888: A privilege escalation vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure. As of the latest information, there have been no observed exploits in the wild.
Arctic Wolf has not observed proof of concept (PoC) exploits for these vulnerabilities at the time of writing. Suspected Chinese-nexus threat actors targeted Ivanti Connect Secure leveraging two zero-day vulnerabilities (CVE-2023-46805 & CVE-2024-21887) earlier in January. Given this historical context and the targeting of various other Ivanti products by threat actors (as indicated by CISA’s Known Exploited Vulnerabilities catalog), we assess that threat actors will attempt to also further target CVE-2024-21893 & CVE-2024-21888.
Recommendation for CVE-2024-21893
Upgrade Ivanti Connect Secure to Fixed Version
Arctic Wolf strongly recommends upgrading Ivanti Connect Secure to the latest released versions.
This patch released for CVE-2024-21893 also patches the two other zero-day vulnerabilities (CVE-2023-46805 & CVE-2024-21887) from earlier in January.
Patches are available via the standard download portal for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3.
- The remaining supported versions will be patched in a staggered schedule, and a workaround in the section below has been provided by Ivanti. If customers have applied the patch, they do not need to apply the mitigation.
Please follow your organization’s patching and testing guidelines to avoid operational impact.
Workaround
CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893 can be mitigated by importing mitigation.release.20240126.5.xml file via the download portal.
Additionally, run the external integrity checker (ICT) to obtain a snapshot of the current state of your Ivanti appliance. This snapshot could be used to identify malicious files that may have been placed on a compromised Ivanti appliance.
