2024-01-10
Critical Ivanti Zero-days are Being Actively Exploited
A pair of vulnerabilities in Ivanti Connect Secure and Policy Secure are being actively exploited. There are currently no fixes available for the authentication bypass and command injection vulnerabilities. Ivanti expects to have fixes for the vulnerabilities available by January 22 and February 19, respectively. Users are advised to take steps to mitigate the issues until patches are available.
Editor's Note
Ivanti users should consult the excellent write up by Volexity for details. Connect Secure used to be known as Pulse Secure before being acquired by Ivanti in 2020. The product has a rich vulnerability history and has frequently been used to breach corporate networks. Connect Secure has likely become expensive to maintain for Ivanti with its legacy Perl codebase and complex software architecture typical for a legacy product. This will make it difficult for Ivanti to invest into proactively identifying security vulnerabilities, relying on non cooperating third parties to assist in identifying product flaws.

Johannes Ullrich
I had to look this up to make sure because Ivanti has been on an acquisition spree. This is affecting the old Juniper SSL VPN Customers. There is still a pretty sizable set of companies running this tech.

Moses Frost
Ivanti has both published a mitigation you can download and install and provided IOCs you can incorporate into your threat hunting. They are providing guidance for upgrading to newer releases which have more expedited patch release cycles. The patch will be released the weeks of the 22nd of January to the 19th of February, depending on the product version you’re running.

Lee Neely
Given the ease with which the pair of vulnerabilities can be exploited, download and apply the mitigation procedures that Ivanti provides with great haste. You can expect that evildoers are now circling and targeting the VPN appliance.

Curtis Dukes
Read more in
Volexity: Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
Ars Technica: Actively exploited 0-days in Ivanti VPN are letting hackers backdoor networks
Bleeping Computer: Ivanti warns of Connect Secure zero-days exploited in attacks
Infosecurity Magazine: Two Ivanti Zero-Days Actively Exploited in the Wild
Dark Reading: Ivanti Researchers Report Two Critical Zero-Day Vulnerabilities