Multiple Ivanti Critical Vulnerabilities; The Stuff of Nightmares

As part of its InTandem suite of Infrastructure Management Services, SecureOps reacted quickly to Ivanti's recent critical vulnerabilities by providing immediate expertise and surge patching capacity when its customers needed it most.


The stuff of nightmares

Ivanti recently disclosed new vulnerabilities in its Connect Secure and Policy Secure VPN products, including a zero-day flaw under active exploitation. The company released patches for two critical zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, while also announcing two additional vulnerabilities, a privilege escalation vulnerability (CVE-2024-21888) and a server-side request forgery flaw (CVE-2024-21893). Ivanti's advisory highlights the complexity of the patching process, suggesting a factory reset of appliances before applying the patch, which is expected to take three to four hours to complete. This has raised concerns due to the delay in the patch release, initially scheduled for the week of January 22 but postponed due to testing and quality issues. The staggered release schedule for patches has compounded the difficulty for organizations, especially given the urgency underscored by advanced adversaries' active exploitation of these vulnerabilities.


The patching challenges are exacerbated by the requirements set by CISA, which issued an emergency directive urging federal agencies to mitigate the vulnerabilities and disconnect all affected Ivanti devices if necessary. This directive reflects the high risk of these vulnerabilities, allowing threat actors to execute arbitrary commands on affected products, potentially leading to full system compromise. CISA's alert also highlighted the sophistication of threat actors in developing workarounds to current mitigations and detection methods, further emphasizing the critical nature of applying patches and mitigations promptly.


The situation vividly illustrates the complexities involved in responding to cyber vulnerabilities, especially when they are actively exploited. Organizations are urged to apply patches as soon as they become available and to adhere to cybersecurity hygiene best practices to protect against potential exploits.


The worst kind of patch process

The recent Ivanti patches aimed to address critical vulnerabilities in their Connect Secure and Policy Secure VPN products but encountered several challenges, contributing to the difficulties surrounding the patching process:

  • Delayed Patch Releases: Ivanti experienced delays in the rollout of their patches, missing the initial timeline they had set for the release (January 22nd). The delay in patch availability heightened the risk for organizations relying on Ivanti's solutions, as the vulnerabilities were already being actively exploited.
  • Complex Patching Process: The patching process recommended by Ivanti was notably complex and time-consuming. The company advised customers to perform a factory reset of their devices before applying the patch, as a precautionary measure to prevent attackers from maintaining persistent access. This process was expected to take three to four hours, adding to the operational challenges organizations face when attempting to secure their systems promptly. This process, of course, has major impacts on connected users and partners.
  • Unclear Patch Documentation: The documentation provided by Ivanti was insufficient, error-prone, and required specialized knowledge to implement. Most organizations will need to develop an internal SOP in order to allow technicians to patch the product.
  • Additional Vulnerabilities Discovered: While releasing the patches for known vulnerabilities, Ivanti disclosed two new high-severity vulnerabilities, one of them under active exploitation. This discovery not only expanded the scope of the security risks but also added to the urgency and complexity of the patching efforts required of administrators. The staggered release schedule for patches further complicated the situation, as not all versions received fixes simultaneously.
  • Mitigation Bypass by Sophisticated Attackers: The United States Cybersecurity and Infrastructure Security Agency (CISA) noted that some sophisticated attackers had developed workarounds to bypass Ivanti's mitigations and detection methods. This included exploiting weaknesses to move laterally and escalate privileges without detection, and subverting the external Integrity Checker Tool (ICT), which was intended to help detect threat activity.

These factors combined to create a challenging environment for organizations trying to address the vulnerabilities in their Ivanti VPN products.


SecureOps to the Rescue

As part of its InTandem suite of Infrastructure Management Services, SecureOps performed the following tasks for supported clients:

  1. Rapid implementation of mitigation steps
  2. Immediate lab testing of the patching instructions
  3. Incident handling assistance to help identify suspect connections out of the VPN infrastructure
  4. Custom documentation/SOP for each customer in order to allow for accelerated patch deployment
  5. Patch deployment and planning for global and regional gateways
  6. Minimizing user and business impact by leveraging regional load-balancing capabilities and high-availability infrastructure
  7. Capacity management in case not all appliances in the Ivanti pool could be patched promptly

SecureOps customers can rest easy knowing we have their backs for any security incident. SecureOps helps your organization react faster to critical vulnerabilities by providing immediate expertise and surge patching capacity when needed most.


SecureOps is the cybersecurity partner that works InTandem with your team.

Daeman Stewart

Vice President Operations at SecureOps

9 months

Special thanks to the SecureOps Infrastructure Team for working so diligently to support our clients in successfully patching these vulnerabilities.
