Flash Alert - Vulnerabilities reported in Ivanti ICS, Ivanti Policy Secure and Citrix NetScaler

Hello there,

In the past week, the following vulnerabilities have been disclosed, affecting:

• Ivanti ICS
• Ivanti Policy Secure
• Citrix NetScaler ADC
• Citrix NetScaler Gateway

Ivanti ICS & Ivanti Policy Secure

CVE-2023-46805

CVSS: 8.2 HIGH

CVE-2024-21887

CVSS: 9.1 CRITICAL

Ivanti has disclosed the existence of two significant vulnerabilities affecting their Connect Secure and Policy Secure gateways, specifically versions 9.x and 22.x.

CVE-2023-46805 is an authentication bypass vulnerability, which allows a threat actor to remotely access restricted resources by bypassing control checks.? CVE-2024-21887 is a command injection vulnerability, granting an authenticated user the ability to send specially crafted requests and execute arbitrary commands on the vulnerable device.

When utilised together, a threat actor can compromise a vulnerable device and execute code with admin rights, leaving the victim company open to a significant risk of network intrusion and further criminal activity.

Palo Alto’s Unit 42 has observed over 30,000 vulnerable devices spread across 141 countries. It is actively responding to incidents involving these vulnerabilities, highlighting their use by threat actors in the wild.

Ivanti is currently working on patches to fix these vulnerabilities.? In the meantime, it is recommended that the mitigations they have suggested are implemented to avoid unnecessary risk.? These can be found here.

Citrix NetScaler ADC & Citrix NetScaler Gateway

CVE-2023-6548

CVSS: 5.5 MEDIUM

CVE-2023-6549

CVSS: 8.2 HIGH

Citrix has identified and disclosed further vulnerabilities in its NetScaler ADC and NetScaler Gateway products.? The following supported versions are affected:

• NetScaler ADC and NetScaler Gateway?14.1?before?14.1-12.35
• NetScaler ADC and NetScaler Gateway?13.1?before?13.1-51.15
• NetScaler ADC and NetScaler Gateway?13.0?before 13.0-92.21
• NetScaler ADC 13.1-FIPS before 13.1-37.176
• NetScaler ADC 12.1-FIPS before 12.1-55.302*
• NetScaler ADC 12.1-NDcPP before 12.1-55.302*

*NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable

CVE-2023-6548 allows a threat actor authenticated, low-privileged access to remotely execute code on the management interface of a compromised device.? This requires them to have access to the NSIP, CLIP or SNIP which itself has management interface access.

CVE-2023-6549 applies to appliances configured as one of the following:

• VPN virtual servers
• ICA proxies
• CVPNs
• RDP proxies
• AAA virtual servers

Exploitation of this vulnerability involves a threat actor restricting operations within the memory buffer, thereby causing an unauthenticated Denial of Service attack.

A patch will follow in due course, but in the meantime, Citrix recommends the following:

• Ensure network traffic to the appliance’s management interface is separated, either physically or logically, from normal network traffic
• Ensure the management interface is not exposed to the internet
• Ensure all previous patches are installed and the software is up-to-date

Citrix has noted that these vulnerabilities have been observed in the wild and targeted by threat actors.

Stay safe,

Daniel Collyer

Threat Intelligence Analyst

SOS Intelligence Limited

City Point One Ropemaker Street London EC2Y 9AW