This alert is relevant to Australians who are running or administering instances of Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS). These vulnerabilities impact all supported versions – Version 9.x and 22.x. This alert is intended to be understood by technical users.
Customers are encouraged to apply any available mitigations and patches as soon as possible.
ASD’s ACSC is aware of reports that threat actors have developed workarounds to the current mitigation and detection methods, leading to reported ongoing exploitation activity.
ASD’s ACSC strongly advises organisations operating vulnerable Ivanti Connect Secure and Ivanti Policy Secure products to conduct investigation and monitoring for potential compromise of systems. ASD’s ACSC recommends organisations monitor authentication, account usage and identity management services, and consider isolating systems from any enterprise resources as much as possible.
Ivanti has updated their mitigation advice warning Administrators to not push new device configurations to appliances after applying mitigations.
- Ivanti advises customers not to push other configurations to appliances with the mitigation XML in place, until Ivanti releases a complete patch and it is applied.
- When an alternative configuration is pushed to the appliance, it may prevent the mitigation from functioning.
- This applies to customers who push configurations to appliances, including configuration pushes through Pulse One or nSA.
- This can occur regardless of a full or partial configuration push.
Background / What has happened?
- Ivanti has released security advisories and mitigations for 2 critical vulnerabilities in the Ivanti Connect Secure and Ivanti Policy Secure gateways.
- CVE-2023-46805 is an authentication bypass vulnerability in the web component of ICS (9.x, 22.x) and IPS and allows a remote attacker to access restricted resources by bypassing control checks.
- CVE-2024-21887 is a command injection vulnerability in web components of ICS (9.x, 22.x) and IPS and allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
- Ivanti is aware of active exploitation of these vulnerabilities.
Affected versions / applications:
- CVE-2023-46805: This vulnerability impacts all supported versions ICS (9.x, 22.x) and IPS
- CVE-2024-21887: This vulnerability impacts all supported versions ICS (9.x, 22.x) and IPS
Mitigation / How do I stay secure?
Organisations that use Ivanti Connect Secure and/or Ivanti Policy Secure should follow the mitigations advice provided in the Ivanti Security Advisory below:
- CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways
Assistance / Where can I go for help?
Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).