UPDATE
The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued a supplemental directive on the high-severity flaws discovered over the past several weeks in Ivanti Connect Secure and Policy Secure VPN products, calling for federal civilian executive branch (FCEB) agencies to disconnect all affected devices by early Saturday morning.
CISA’s directive was on the heels of Ivanti releasing a Jan. 31 notice to its customers in which it released patches for all known vulnerabilities, including fixes for CVE-2024-21893 — a new zero-day flaw exploited in the wild — and CVE-2024-21888, a bug the company said has not impacted any customers. Ivanti released the patches after receiving criticism for a slow rollout, but did so only for some versions. The rest of the patches will be released on a staggered schedule over the next several weeks.
Security pros said the supplemental directive issued by CISA was mainly in response to threat actors targeting earlier discovered zero-days in Ivanti VPN appliances exploiting CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection security flaw.
“CISA issues emergency directives in situations where there’s a clear and present danger to U.S. federal agencies and national security, explained Callie Guenther, senior manager, cyber threat research at Critical Start. “The decision to issue such a directive for Ivanti Connect Secure and Ivanti Policy Secure VPN products was driven by the widespread and active exploitation by multiple threat actors of critical vulnerabilities, CVE-2023-46805 and CVE-2024-21887.”
Guenther said these vulnerabilities let attackers perform actions such as lateral movement across networks, data exfiltration, and establishing persistent system access, posing significant risks to federal civilian enterprises. Non-federal agencies and private-sector organizations are urged by CISA to adopt the actions outlined in the directive because of the potential impact of these vulnerabilities beyond the federal government, added Guenther.
“Although the directive is specifically binding on federal civilian executive branch agencies, the underlying security concerns are relevant to all organizations using Ivanti products,” said Guenther.
Along with the moves by CISA and Ivanti, SC Media reported yesterday that since initially writing about the the most pressing Ivanti vulnerabilities on Jan. 12, Mandiant identified broad exploitation activity both by the original threat actor — UNC5221 — as well as various other uncategorized threat groups. And, in a blog post Jan. 31, Mandiant said it now classifies UNC5221 as a suspected China-nexus espionage threat actor.
In its supplement directive, CISA said civilian federal agencies are required to take the following actions:
- As soon as possible, and no later than 11:59 p.m. Friday February 2, 2024, FCEB agencies must disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure VPN products from federal agency networks.
- Continue threat hunting on any systems connected to — or recently connected to — the affected Ivanti devices.
- Monitor the authentication or identity management services that could be exposed.
- Isolate the systems from any enterprise resources to the greatest degree possible.
- Continue auditing privilege level access accounts.
To bring one of the affected Ivanti VPN products back into service, the supplemental directive said agencies are required to export the configuration settings, complete a factory reset per Ivanti’s instructions, and rebuild the device per Ivanti’s instructions and upgrade to one of the supported software versions through Ivanti’s download portal.
This story was updated at 10:10 a.m. Eastern on Feb. 2 to clarify information about Ivanti's patch schedule.
