Ivanti has reported two critical vulnerabilities affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways, prompting active exploitation. The National Cyber Security Centre (NCSC) advises immediate action to mitigate these vulnerabilities (CVE-2023-46805 and CVE-2024-21887) and recommends following Ivanti’s latest guidance.
Vulnerability Details:
- CVE-2023-46085: Authentication Bypass
- Affected Versions: ICS (9.x, 22.x) and IPS
- Description: Allows a remote attacker to bypass control checks in the web component, gaining unauthorized access to restricted resources.
- CVE-2024-21887: Command Injection
- Affected Versions: ICS (9.x, 22.x) and IPS
- Description: Permits an authenticated administrator to execute arbitrary commands on the appliance by sending specially crafted requests.
Exploitation Scenario: When CVE-2024-21887 is coupled with CVE-2023-46805:
- Authentication: Not required
- Impact: Enables threat actors to craft malicious requests and execute arbitrary commands without authentication.
Actions for Affected Organizations:
- Run Ivanti’s external Integrity Checker Tool (ICT). Reference KB44755 – Pulse Connect Secure (PCS) Integrity Assurance for guidance.
- Check for compromise using detection steps and IoCs outlined in Ivanti’s KB article and the Volexity blog.
- If compromised and in the UK, report to the NCSC.
- Install the vendor’s temporary workaround.
- Monitor the Ivanti KB article and apply the security update once available for your version.
https://www.ncsc.gov.uk/news/exploitation-ivanti-vulnerabilities