Vulnerability in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Exploited (CVE-2024-21888, CVE-2024-21893)

Ivanti has disclosed that as part of their ongoing investigation into previous Ivanti Connect Secure vulnerabilities, they discovered two new vulnerabilities. 

The Cybersecurity and Infrastructure Security Agency (CISA) has already added one of these vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate it by the near-term deadline of February 2, 2024.

Details of the Newest Ivanti Vulnerabilities (CVE-2024-21888 and CVE-2024-21893)

The two vulnerabilities, both rated high severity, are tracked as CVE-2024-21888 and CVE-2024-21893. Both affect all supported versions, 9.x and 22.x. Their details are as follows:

CVE-2024-21888 (CVSS score: 8.8): A Privilege Escalation vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure. It could enable a user to gain administrative privileges.

Vulnerability intel card for CVE-2024-21888 (SOCRadar Vulnerability Intelligence)

CVE-2024-21893 (CVSS score: 8.2): A Server-Side Request Forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA. It could enable an attacker to gain access to some restricted resources without authentication.

Vulnerability intel card for CVE-2024-21893 (SOCRadar Vulnerability Intelligence)

You can easily access vulnerability information and updates through SOCRadar. The platform provides comprehensive Vulnerability Intelligence that includes the most recent updates on known vulnerabilities, such as available exploits, repositories, exploitability risks, and hacker trends.

SOCRadar Vulnerability Intelligence

Are Patches Available for the New Vulnerabilities?

Ivanti made the patches accessible via the standard download portal. Patches are currently available for the following versions:

Ivanti Connect Secure: 

  • 9.1R14.4 
  • 9.1R17.2 
  • 9.1R18.3 
  • 22.4R2.2 
  • 22.5R1.1 

ZTA:

  • 22.6R1.3

According to the company, the remaining supported versions will be patched on a staggered schedule, and a new mitigation is also available for download.

“CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893 can be mitigated by importing mitigation.release.20240126.5.xml file via the download portal.” 

Refer to the official advisory for further details.
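To triage an appliance inventory against the fixed builds listed above, the following added example (not code from Ivanti or SOCRadar) sorts each device into "patched", "upgrade" (a fixed build exists for its release train), or "mitigate" (no fixed build is listed yet, so the mitigation XML applies). It assumes version strings have the form major.minorRrelease.patch and that a higher patch number on the same release train includes the fix; the hostnames and installed versions are constructed.

```python
import re

# Fixed builds exactly as listed on this page, keyed by product.
FIXED = {
    "Ivanti Connect Secure": ["9.1R14.4", "9.1R17.2", "9.1R18.3",
                              "22.4R2.2", "22.5R1.1"],
    "ZTA": ["22.6R1.3"],
}

_VER = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse(version):
    """Split '9.1R14.4' into (train, patch) = ((9, 1, 14), 4). Assumed layout."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release)), int(patch or 0)

def triage(product, version):
    """Compare only within the same release train: a build on a train with no
    listed fix is never treated as patched just because its number is higher."""
    train, patch = parse(version)
    for fixed in FIXED.get(product, []):
        fixed_train, fixed_patch = parse(fixed)
        if fixed_train == train:
            return "patched" if patch >= fixed_patch else "upgrade"
    return "mitigate"  # no fixed build listed for this product/train

# Constructed sample inventory: (hostname, product, installed version).
INVENTORY = [
    ("vpn-edge-01", "Ivanti Connect Secure", "9.1R18.3"),
    ("vpn-edge-02", "Ivanti Connect Secure", "9.1R18.2"),
    ("vpn-edge-03", "Ivanti Connect Secure", "22.5R2.1"),
    ("nac-core-01", "Ivanti Policy Secure", "22.5R1.1"),
    ("zta-gw-01", "ZTA", "22.6R1.3"),
]

def report(inventory=INVENTORY):
    return {host: triage(product, ver) for host, product, ver in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```
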

Exploitation of CVE-2024-21893: Ivanti Expects a Surge in Attacker Activity

At the time of the disclosure, Ivanti stated that there was no evidence of CVE-2024-21888 affecting customers, whereas CVE-2024-21893 did affect a limited number of customers.

Ivanti also stated that the exploitation of CVE-2024-21893 appears to be deliberate. Once the details of the vulnerability are made public, the company expects the exploitation attempts to increase. In the meantime, CISA has added CVE-2024-21893 to its KEV Catalog to warn agencies about exploitation and urge them to remediate it.

With SOCRadar’s Attack Surface Management module, you can monitor digital assets and identify vulnerabilities that are affecting your organization. Additionally, ASM’s Company Vulnerabilities page includes a CISA KEV Check feature that allows you to quickly identify KEV Catalog-listed vulnerabilities that affect your systems.

SOCRadar ASM/Company Vulnerabilities

CISA Alert and Patches for the Ivanti Connect Secure Zero-Day Vulnerabilities

In addition to publicly disclosing the new vulnerabilities, the company has released fixes for the zero-day vulnerabilities CVE-2023-46805 and CVE-2024-21887, which affect Connect Secure. The most recent updates on these vulnerabilities also include a CISA alert about threat actors developing workarounds for previous mitigations and exploiting the vulnerabilities to deploy KrustyLoader malware.

The aforementioned CISA alert was most recently updated to include the new vulnerabilities, CVE-2024-21888 and CVE-2024-21893, and direct organizations to apply updates or mitigation for affected versions.

You can find more information about zero-day vulnerabilities in our other blog post: Attackers Exploit Ivanti Connect Secure Zero-Day Vulnerabilities to Deploy Webshells (CVE-2023-46805, CVE-2024-21887).

The post Vulnerability in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Exploited (CVE-2024-21888, CVE-2024-21893) appeared first on SOCRadar® Cyber Intelligence Inc.
