Ivanti’s saga continues as the vendor released a patch Feb. 8 for yet another vulnerability it found while investigating recent bugs affecting Ivanti Connect Secure VPN, Policy Secure and ZTA gateways.
Ivanti said it has no evidence that this new vulnerability (CVSS 8.3) has been exploited in the wild because it was found during the vendor’s internal review and testing of its code.
However, they said it’s critical that security teams apply the patch so they are fully protected. Customers that applied the patch released on Jan. 31 or Feb. 1 and completed a factory reset of their appliance do not need to factory reset their appliances again.
This recent news continues Ivanti’s month-long bug issues with four other vulnerabilities targeting its network appliances, three of which were exploited in the wild.
Threat actors relentless in exploiting vulnerabilities
Since initially writing about Ivanti vulnerabilities on Jan. 12, cybersecurity firm Mandiant identified broad exploitation activity by the original threat actor — UNC5221 — as well as various other uncategorized threat groups, SC Media reported Feb. 1. In a blog post Jan. 31, Mandiant said it classifies UNC5221 as a suspected China-nexus espionage threat actor.
The issues were considered serious enough that the Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to disconnect all affected devices from their networks.
John Gallagher, vice president of Viakoo Labs, said Ivanti’s recovery will need to address both the technical aspects of the attacks, as well as the trust/reputational damage. Gallagher said on both fronts Ivanti has stumbled badly.
“If their patch was initially successful and stopped further exploitation, it is unlikely that CISA would have taken the action of ordering federal agencies to disconnect all affected devices and causing Ivanti massive reputational damage,” explained Gallagher.
Most cybersecurity organizations face similar risks as Ivanti's, Gallagher continued — if initial patches make the attacks worse and result in higher attack volume, then customers will quickly start to look for alternatives.
Customers are ultimately looking for what will offer the lowest risk to their organization.
“This isn’t really about Ivanti,” said Gallagher. “It’s about the nature of threat actors to be relentless in achieving their goals."
For Gallagher, the takeaway from Ivanti's troubles is that patching needs to be faster and testing needs to be more extensive, especially once it's clear a threat actor is targeting a specific device.
On the other hand, Richard Aviles, seniors solution engineer at DoControl, said it makes sense that identity platforms are under intense scrutiny since identity is the underpinning of any zero-trust architecture.
While the number and impact of the recent CVEs from Ivanti would lead us to assume there "must be a fire with all this smoke present," Aviles said there are two mitigating points to consider.
“First, Ivanti found this most recent CVE themselves while doing their own reviews and testing of their code,” said Aviles. “This means they are taking these issues seriously and working to address them. Second, their disclosure was timely, precise, and clear. Since this was an internal find, they could have chosen not to disclose at all. The fact that they disclosed this vulnerability should earn Ivanti some benefit of the doubt.”
Ivanti noted in its advisory that the patch for the most recent bug is now available for Ivanti Connect Secure (versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2); Ivanti Policy Secure (versions 9.1R17.3, 9.1R18.4 and 22.5R1.2); and ZTA gateways (versions 22.5R1.6, 22.6R1.5 and 22.6R1.7).