In mid-December 2023, Volexity observed UTA0178, a potential Chinese nation-state threat actor, leveraging two zero-day vulnerabilities in Ivanti Connect Secure (formerly known as Pulse Connect Secure) VPN appliances to steal configuration data, modify and download files, establish a reverse tunnel, and ultimately place webshells (GLASSTOKEN) on multiple internal and external-facing web servers. The two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, were chained together to achieve unauthenticated remote code execution (RCE) on the impacted appliances and enable follow-on activity.
| CVE | CVSS | Description |
|---|---|---|
| CVE-2024-21887 | 9.1 – Critical | Command Injection – Vulnerability in the web component that could allow an authenticated threat actor to send specially crafted requests and execute arbitrary commands on the vulnerable appliance. |
| CVE-2023-46805 | 8.2 – High | Authentication Bypass – Vulnerability in the web components that could allow a remote threat actor to access the vulnerable appliance by bypassing control checks. |
When chained together, the vulnerabilities allowed the threat actors to run commands on the appliance and ultimately gain access to other systems on the network. Apart from the deployment of webshells, Volexity largely observed reconnaissance and exploration of the network by UTA0178. Ivanti is currently aware of fewer than 10 customers impacted by the active exploitation of these vulnerabilities.
Note: Although active exploitation was observed on Ivanti Connect Secure appliances, the two vulnerabilities also impact all supported versions of Ivanti Policy Secure Gateways.
Recommendations for CVE-2024-21887 and CVE-2023-46805
Apply Ivanti’s Provided Workaround and run the External Integrity Checker
Currently, Ivanti does not have patches available to remediate the two vulnerabilities; Ivanti will be releasing the patches in a staggered schedule beginning the week of January 22nd. A complete patch availability timeline can be found in Ivanti’s security advisory.
We strongly recommend importing Ivanti’s mitigation.release.20240107.1.xml file via the download portal (login required) until Ivanti releases patches for your organization’s specific version. Directions on how to apply or remove the XML file can be found here (login required).
Additionally, run the external Integrity Checker Tool (ICT) to obtain a snapshot of the current state of your Ivanti appliance. This snapshot can be compared against a known-good baseline to identify malicious files, such as webshells, that may have been placed on a compromised Ivanti appliance.
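The value of the ICT snapshot is that it gives you something to diff: files that were added, altered, or removed since a trusted baseline are exactly where a dropped webshell or a tampered CGI handler shows up. The script below is an added illustration of that principle written for this page; it is not Ivanti's Integrity Checker Tool, knows nothing about Ivanti's file layout, and the `webroot` directory and files it creates under a temporary directory are constructed purely for the demo. It hashes every regular file under a directory tree, stores the manifest as JSON, and reports the added, modified and removed paths between two manifests.

```python
"""Added example (not Ivanti's ICT): take a SHA-256 manifest of a directory
tree and diff it against a baseline to surface added, modified and removed files.
All paths and sample files below are constructed for the demonstration."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in 64 KiB chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Walk `root` and map each regular file's path (relative to root) to its SHA-256.
    Symlinks are skipped rather than followed, so a link cannot pull in files outside root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Compare two manifests and return sorted lists of added, modified and removed paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def save_manifest(manifest: dict, path: Path) -> None:
    """Persist a manifest as JSON; store it off the appliance so an intruder cannot rewrite it."""
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    """Load a manifest previously written by save_manifest."""
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small web root, then simulate tampering
    (one file dropped in, one altered, one deleted) and diff against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "cgi").mkdir(parents=True)
        (root / "index.html").write_text("<html>ok</html>")
        (root / "cgi" / "login.cgi").write_text("#!/bin/sh\necho login\n")

        # Take the trusted baseline and round-trip it through JSON as a real run would.
        manifest_path = Path(tmp) / "baseline.json"
        save_manifest(snapshot(root), manifest_path)
        baseline = load_manifest(manifest_path)

        # Simulated post-compromise changes (constructed, not real indicators).
        (root / "cgi" / "dropped.cgi").write_text("constructed new file\n")
        (root / "cgi" / "login.cgi").write_text("#!/bin/sh\necho tampered\n")
        (root / "index.html").unlink()

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the demo reports `cgi/dropped.cgi` as added, `cgi/login.cgi` as modified and `index.html` as removed. In practice the baseline manifest must be captured from a known-clean system (a fresh install or a vendor-verified image) and kept somewhere the appliance cannot write to; a manifest taken after compromise simply enshrines the attacker's files as "expected".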