Ivanti is struggling to hit its own promised timeline for the delivery of patches for critical, already-exploited vulnerabilities in Internet-facing Ivanti Connect Secure VPN appliances.
The Utah IT software firm originally said it would start shipping patches on a staggered schedule beginning on January 22, but it appears testing and quality issues have led to delays.
The embattled company said patches for supported versions will still be released on a staggered schedule and cautioned that the timing of patch release is still subject to change.
The patch delays come almost three weeks after researchers at Volexity caught a Chinese government-backed hacking team exploiting two Ivanti zero-day vulnerabilities to break into US organizations.
The absence of official fixes is sure to complicate strict deadlines set by the US government's cybersecurity agency CISA for Federal Civilian Executive Branch agencies to apply available fixes, hunt for infections and share indicators of compromise.
The CISA emergency directive had set a January 22 date for federal agencies to start deploying fixes.
The agency has also called for the removal of compromised products from networks and issued instructions for infected organizations to file a report with CISA with an inventory of infected devices and details on actions taken.
In a research report released in early January, Volexity tagged the flaws as CVE-2023-46805 and CVE-2024-21887 and warned that they were being exploited against Internet-facing Ivanti VPN appliances.
The Volexity researchers said they caught the attackers modifying legitimate ICS components and making changes to the system to evade Ivanti's Integrity Checker Tool, and backdooring a legitimate CGI file on the ICS VPN appliance to allow command execution.
Ivanti, a company that has struggled with major security problems, has released pre-patch mitigations and instructions to minimize attack surfaces.
This Cyber News was published on www.securityweek.com. Publication date: Mon, 29 Jan 2024 20:43:03 +0000