Ivanti Wednesday released patches for two critical zero-day vulnerabilities that were disclosed earlier this month, but also warned customers of two new flaws, including a new zero-day that's under exploitation in the wild.
In a security advisory on Jan. 10, Ivanti detailed two zero-day remote code execution vulnerabilities tracked as CVE-2023-46805 and CVE-2024-21887 that affected Ivanti Policy Secure and Ivanti Connect Secure.
One week later, Volexity, which Ivanti credited with discovery, confirmed that 1,700 devices worldwide had been compromised since early December.
While Ivanti announced the first round of fixes for CVE-2023-46805 and CVE-2024-21887 Wednesday, the software vendor also disclosed two new bugs in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS). One is a privilege escalation vulnerability tracked as CVE-2024-21888, and the other is a server-side request forgery flaw assigned CVE-2024-21893.
Ivanti warned that the latter is a zero-day vulnerability that could allow an unauthenticated attacker to access certain restricted resources and is under active exploitation.
Wednesday's patch release included a fix for all four vulnerabilities for ICS versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1, and ZTA version 22.6R1.3; however, applying it is a multistep process.
Ivanti directed users to a knowledge base article and warned that the process will take three to four hours to complete.
Beyond the complicated patching process, the fixes also arrived late: Ivanti had pushed back the release date of the patch for the previous zero-day vulnerabilities, which was originally scheduled for the week of Jan. 22.
As part of our ongoing investigation, we discovered two additional vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure.
We included a fix for these vulnerabilities and previously identified vulnerabilities in the patch released today, and patches planned for release for additional versions will also include a comprehensive fix.
The patches released on January 31 cover the majority of our customers.
We also provided a new mitigation in the best interest of our customers while the remaining patch versions are in development.
We strongly encourage customers to apply the patch for their version as it becomes available.
While additional patch versions are in development, they should apply the mitigation and run the internal and external ICT.
On Tuesday, CISA published an alert urging Ivanti customers to apply patches and mitigations as soon as they become available because of ongoing exploitation.
The alert warned that threat actors are leveraging the vulnerabilities to gather credentials and deploy web shells that enable additional compromise in victim networks.
The ICT (Ivanti's Integrity Checker Tool) helps detect threat activity on affected appliances, and Ivanti added new functionality to it that it urged users to run.
CISA's emergency directive (ED) also confirmed that the agency had observed widespread exploitation of the Ivanti flaws.
The researchers warned that Pulse Connect Secure, the product now sold as Ivanti Connect Secure, has been a popular target for ransomware groups and nation-state threat actors.
They listed eight vulnerabilities that were exploited against the VPN products over the past five years.
In 2021, Chinese hackers exploited an authentication bypass vulnerability in Ivanti against government targets.
This Cyber News was published on www.techtarget.com. Publication date: Wed, 31 Jan 2024 22:13:04 +0000