Ivanti Addresses Critical Security Vulnerabilities in Connect Secure and Policy Secure Gateways
Ivanti has issued urgent security updates to fix four vulnerabilities in its Connect Secure and Policy Secure gateways. All four are reachable without authentication and allow an attacker to crash a gateway service (denial of service, DoS); two of them may, under certain conditions, also lead to arbitrary code execution or disclosure of memory contents.
The most severe is CVE-2024-21894 (CVSS score: 8.2), a heap overflow in the IPSec component of Connect Secure (versions 9.x and 22.x) and Policy Secure. An unauthenticated attacker can send specially crafted requests that crash the service, causing a DoS; in certain conditions the overflow may also allow arbitrary code execution.
CVE-2024-22052 (CVSS score: 7.5) is a null pointer dereference in the same IPSec component. Specially crafted requests from an unauthenticated attacker crash the service, again resulting in a DoS.
CVE-2024-22053 (CVSS score: 8.2) is a second heap overflow in the IPSec component with the same DoS impact, and in certain conditions it may additionally let the attacker read contents of memory. Finally, CVE-2024-22023 is an XML entity expansion flaw in the SAML component: an unauthenticated attacker can submit a document whose entity declarations expand to far more than the size of the request, exhausting resources on the gateway and causing a limited-time DoS.
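To make the SAML finding concrete, here is an added example (not Ivanti code, and not a reproduction of CVE-2024-22023, whose internals are not public): a generic XML entity expansion document of the "billion laughs" shape, the size a naive parser inflates it to, and a hardened parse routine that refuses any DOCTYPE or entity declaration before a single entity is expanded, which is the right posture for SAML since SAML messages never legitimately carry a DTD. The payload, the benign response, the helper names and the `samlp:Response` element shape are all constructed for the example.

```python
"""Illustrative XML entity expansion ("billion laughs") and a parser that
refuses it.  Constructed example: it models the class of bug named in the
Ivanti advisory, not the gateway's actual SAML handling."""
import xml.parsers.expat
from xml.etree import ElementTree as ET


def build_expansion_payload(depth: int = 4, fanout: int = 10) -> bytes:
    """Build a small SAML-shaped document whose DTD defines a chain of entities,
    each referencing the previous one `fanout` times.  Expansion yields
    3 * fanout**depth bytes of text from a document of a few hundred bytes.
    (A real attack nests deeper; this stays small so it runs quickly.)"""
    decls = ['<!ENTITY e0 "lol">']
    for i in range(1, depth + 1):
        refs = f"&e{i - 1};" * fanout
        decls.append(f'<!ENTITY e{i} "{refs}">')
    dtd = "\n  ".join(decls)
    return (
        '<?xml version="1.0"?>\n'
        f"<!DOCTYPE samlp:Response [\n  {dtd}\n]>\n"
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"&e{depth};</samlp:Response>\n"
    ).encode()


def naive_expanded_size(data: bytes) -> int:
    """What an unhardened parser does: expand every entity and hand back the
    result.  Memory and CPU scale with the expanded size, not the input size."""
    root = ET.fromstring(data)
    return len(root.text or "")


class UnsafeXMLError(ValueError):
    """Raised when a SAML message carries a DTD or an entity declaration."""


def parse_saml_strict(data: bytes) -> ET.Element:
    """Parse a SAML message, aborting on the first DOCTYPE or entity
    declaration.  The check is a separate expat pass whose handlers raise,
    so parsing stops before any entity reference could be expanded; only a
    document that passes the scan is then turned into a tree."""

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE not permitted in SAML: {name}")

    def reject_entity(name, *unused):
        raise UnsafeXMLError(f"entity declaration not permitted: {name}")

    scanner = xml.parsers.expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = reject_doctype
    scanner.EntityDeclHandler = reject_entity
    scanner.Parse(data, True)  # raises UnsafeXMLError, or ExpatError if malformed
    return ET.fromstring(data)


def saml_xml_is_safe(data: bytes) -> bool:
    """True if parse_saml_strict accepts the document."""
    try:
        parse_saml_strict(data)
        return True
    except UnsafeXMLError:
        return False


# Constructed benign response for comparison (not a real IdP message).
BENIGN_SAML = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_example" Version="2.0"><samlp:Status><samlp:StatusCode '
    b'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    b"</samlp:Response>"
)

if __name__ == "__main__":
    payload = build_expansion_payload()
    print(f"{len(payload)} input bytes expand to {naive_expanded_size(payload)} bytes of text")
    print("benign accepted:", saml_xml_is_safe(BENIGN_SAML))
    print("payload accepted:", saml_xml_is_safe(payload))
```

With the defaults, a document under 1 KB expands to 30,000 bytes; adding a few more levels pushes that into gigabytes, which is the resource exhaustion the advisory describes. The strict parser uses a raw `xml.parsers.expat` scan rather than a subclass of `xml.etree.ElementTree.XMLParser` because the C-accelerated `XMLParser` does not expose its underlying expat handlers; the second `ET.fromstring` pass only ever runs on a document already shown to contain no DTD.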
While Ivanti has navigated a stream of security concerns since the beginning of the year, it stated that it is unaware of any customers being exploited by these specific vulnerabilities at the time of disclosure. The company emphasizes its commitment to transparency and proactive security measures as it faces these challenges.
In late March, Ivanti also patched a critical flaw in its Standalone Sentry product (CVE-2023-41724, CVSS score: 9.6) that allowed an unauthenticated attacker on the same physical or logical network to execute arbitrary commands on the appliance's underlying operating system. At the same time it addressed a critical vulnerability in its on-premises Neurons for ITSM (CVE-2023-46808, CVSS score: 9.9) that let an authenticated remote attacker write files to the ITSM server, which can be leveraged to execute commands in the context of the web application's user.
In an open letter dated April 3, 2024, Ivanti CEO Jeff Abbott acknowledged the challenges facing the company and said it would reassess its security practices in light of the evolving threat landscape. Abbott called the recent events "humbling" and outlined a significant shift in the company's security operating model, including adopting secure-by-design principles, sharing information with customers more transparently, and overhauling its engineering, security, and vulnerability management practices.
Abbott also discussed enhancing their internal scanning and testing capabilities while engaging third-party experts to bolster their research efforts. Moreover, the company plans to implement a revised bug bounty program that provides increased incentives for responsibly disclosing vulnerabilities.
These vulnerabilities are a reminder that businesses must stay vigilant about their own perimeter. In MITRE ATT&CK terms, unauthenticated flaws in an internet-facing VPN or NAC gateway map to Initial Access through Exploit Public-Facing Application (T1190): the appliance is exposed by design, so pre-authentication bugs in it deserve priority patching even when, as here, no exploitation has been reported at disclosure.