Ivanti Connect Secure and Policy Secure are vulnerable to high-severity flaws (CVE-2024-21888 & CVE-2024-21893) that may lead to privilege escalation and arbitrary code execution on vulnerable systems. One of the flaws, tracked as CVE-2024-21893, is being exploited in the wild. Ivanti mentioned in the advisory that they are aware of a few customers who have been impacted by the flaw.
CVE-2024-21888 is a privilege escalation vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure. Successful exploitation of the vulnerability may allow an attacker to elevate privileges to an administrator.
CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA. An attacker may exploit the vulnerability to access specific restricted resources without authentication.
CISA added CVE-2024-21893 to its Known Exploited Vulnerabilities Catalog and recommended that users patch the flaw before February 2, 2024.
Ivanti Connect Secure is a VPN solution that provides secure and controlled access to corporate data and applications for employees, partners, and customers. It allows remote and mobile users to access corporate resources from any web-enabled device.
Ivanti Policy Secure (IPS) is a network access control (NAC) solution providing access to authorized and secured users and devices. It’s a central policy management server that validates the user’s identity and determines the endpoint’s security compliance.
Affected Versions
The vulnerabilities affect Ivanti Connect Secure and Policy Secure versions 9.x and 22.x.
Mitigation
The patch is available via the standard download portal for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1) and ZTA version 22.6R1.3. Ivanti states, “The remaining supported versions will be patched in a staggered schedule.”
For more information, please refer to Ivanti Security Advisory (000090322).
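Because only some release trains have a fixed build so far, an inventory check has to separate "fix available" from "no fix listed yet". The following is an added example, not code from Ivanti or Qualys, that triages reported Connect Secure versions against the fixed builds listed above. It assumes the version format `<major>.<minor>R<release>[.<patch>]` and that a higher patch level on the same release train keeps the fix; the hostnames and inventory are constructed.

```python
import re

# Fixed Ivanti Connect Secure builds, as listed in the Mitigation section.
FIXED_ICS = ["9.1R14.4", "9.1R17.2", "9.1R18.3", "22.4R2.2", "22.5R1.1"]

# Assumed version format: <major>.<minor>R<release>[.<patch>], e.g. 9.1R14.4
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse(version):
    """Return ((major, minor, release), patch), or None if unparseable."""
    m = _VERSION.match(version.strip())
    if not m:
        return None
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release)), int(patch or 0)


# Release train -> lowest patch level that carries the fix.
FIXED_BY_TRAIN = dict(parse(v) for v in FIXED_ICS)


def triage(version):
    """Classify one reported ICS version against the fixed-build list."""
    parsed = parse(version)
    if parsed is None:
        return "unparseable"          # needs a manual look, never "safe"
    train, patch = parsed
    if train[0] not in (9, 22):       # page lists 9.x and 22.x as affected
        return "not-listed-as-affected"
    fixed_patch = FIXED_BY_TRAIN.get(train)
    if fixed_patch is None:
        return "vulnerable-no-fix-listed"   # train awaits the staggered release
    # Assumption: a later patch level on the same train keeps the fix.
    return "patched" if patch >= fixed_patch else "vulnerable-fix-available"


def triage_inventory(inventory):
    """Map each host to its triage status; input is {host: version}."""
    return {host: triage(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"vpn-a": "9.1R14.3", "vpn-b": "22.5R1.1",
              "vpn-c": "9.1R15.2", "vpn-d": "22.4R2", "vpn-e": "unknown"}
    for host, status in triage_inventory(sample).items():
        print(f"{host:6} {sample[host]:10} {status}")
```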
Qualys Detection
Qualys customers can scan their devices with QID 731126 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US