The Ivanti VPN has recently come under scrutiny due to critical security vulnerabilities. Chinese hackers are actively exploiting these flaws, posing a significant risk to organizations and individuals.

Technical Details

Here are the key details about the vulnerabilities:

1.CVE-2023-46805: Ivanti Connect Secure Gateway Vulnerability

• • Description:
    • This zero-day vulnerability affects the Ivanti Connect Secure gateway.
    • It allows unauthorized attackers to exploit the gateway, potentially gaining access to sensitive data or compromising the integrity of the VPN connection.
  • Impact:
    • Successful exploitation could lead to unauthorized access to the VPN infrastructure.
    • Attackers may intercept or manipulate VPN traffic, compromising confidentiality and integrity.
  • Affected Product:
    • Ivanti Connect Secure gateway (specific versions susceptible to this vulnerability need to be verified).
  • Detection and Indicators of Compromise (IoCs):
    • Organizations should monitor network logs for any unusual or unexpected behavior related to the Connect Secure gateway.

2. CVE-2024-21887: Ivanti Policy Secure Gateway Vulnerability

1. • Description:
     • This zero-day vulnerability impacts the Ivanti Policy Secure gateway.
     • It allows threat actors to exploit the gateway, potentially compromising its security controls.
   • Impact:
     • Successful exploitation could lead to unauthorized access to the Policy Secure gateway.
     • Attackers may manipulate policies, bypass security controls, or gain unauthorized privileges.
   • Affected Product:
     • Ivanti Policy Secure gateway (specific versions susceptible to this vulnerability need to be verified).

1. • Detection and Indicators of Compromise (IoCs):
     • Organizations should closely monitor logs related to the Policy Secure gateway.

 

Immediate Action Required

If you’re an Ivanti VPN user, take the following steps immediately:

1. Stay Informed:
   • Keep an eye on Ivanti’s security advisories for updates.
2. External Integrity Checker:
   • Use Ivanti’s new tool to verify the integrity of your installation.
3. Refer to Mandiant’s Hardening Guide:
   • Implement additional security measures based on Mandiant’s recommendations.

Second Threat Actor?

• There’s evidence of another threat actor, tracked as UNC3886, also exploiting these vulnerabilities.
• Some reports suggest that UNC5325 and UNC3886 may be the same entity.

Background

• In early January 2024, Ivanti patched a critical remote code execution (RCE) vulnerability.
• Further investigations revealed additional vulnerabilities, leading to widespread exploitation.
• The use of the unsupported CentOS 6.4 operating system by Ivanti contributed to the severity of the situation.

US Government’s Warning

• In February, the US government advised agencies using Ivanti solutions to disconnect them immediately.
• Remember that applying patches is effective only if done before any incursions.
• If a threat actor established persistence on an endpoint earlier, applying the fix won’t help.

For references:

1. Chinese Hackers Exploiting Ivanti VPN Flaws to Deploy New Malware (thehackernews.com)
2. KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways
3. Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways | CISA