Site icon

What Are the Ivanti Vulnerabilities, and How Do They Impact You?

An emergency vulnerability has emerged in Ivanti products and appliances, and it has sent many service providers, especially those in the federal space, in a rush to close their gaps and respond as best they can.

This article covers the incident, the government’s response, and what it means for service providers.

 

The latest findings of the last two weeks highlight some vulnerabilities associated with Ivanti products that capture most of the attention of cybersecurity entities such as the Cybersecurity and Infrastructure Security Agency (CISA).

An XML external entity injection (XXE) vulnerability (CVE-2024-22024) has been found,  affecting supported versions of Ivanti Connect Secure, ZTA, and Policy Secure products. Ivanti issued software updates on February 8, 2024, mitigating this and many other reported vulnerabilities:

In addition, the company reports active exploitation of Ivanti Connect Secure and Ivanti Policy Secure appliances, broad usage, and against the international environment for businesses of small to large size, including Fortune 500 companies. The vulnerabilities have compromised about 1,700 devices, while about 7,000 are still vulnerable. In mitigation, Ivanti has provided workarounds and advised the user to monitor network traffic for malicious activity while waiting for patching.

Given these critical vulnerabilities and their widespread exploitation, CISA has issued Emergency Directive 24-01, requiring all federal civilian agencies to implement specific actions immediately and vendor-provided mitigation guidance to address the vulnerabilities in these Ivanti appliances. This directive further points out the high risks these vulnerabilities pose to federal government systems and, by extension, those systems of all entities that use the mentioned products. This directive from CISA underscores the urgency for adopting mitigation measures to protect against potential compromise.

According to Ivanti, individuals and organizations using its products should comply with the recommendations put forward by Ivanti and CISA, apply the relevant patches and updates, and watch out for compromise.

 

What Is CISA Emergency Directive 24-01?

Emergency Directive 24-01 addresses the urgent need to mitigate vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure appliances due to widespread and active exploitation by malicious cyber threat actors. This directive is primarily aimed at Federal Civilian Executive Branch (FCEB) agencies, but CISA strongly encourages all organizations using these Ivanti products to implement the recommended mitigations.

The directive was issued in response to two specific vulnerabilities, CVE-2023-46805 and CVE-2024-21887, which allow attackers to move laterally across networks, perform data exfiltration, and establish persistent system access–essentially, to behave as Advanced Persistent Threats (APTs). Given the significant risks posed by these vulnerabilities to the security of federal systems and the broader community, the directive mandates immediate, specific actions and the implementation of vendor-provided mitigation guidance for these Ivanti appliances.

As part of the directive, federal agencies must disconnect affected Ivanti products from their networks and follow a series of steps to bring them back into service securely. These steps include: 

Additionally, agencies must revoke and reissue any connected or exposed certificates, keys, and passwords.

CISA’s actions in response to the directive include providing templates for reporting agency actions, continuing efforts to identify instances and potential compromises, offering technical assistance to agencies, and providing a comprehensive report on the cross-agency status of the directive’s implementation. 

CISA also updated its guidance to include new vulnerabilities and software updates provided by Ivanti, highlighting the need for continuous vigilance and implementing software updates and mitigations as they become available. This provides guidance for dealing with a newly disclosed XXE vulnerability (CVE-2024-22024).

 

How Does This Impact Cloud Providers Under FedRAMP?

Cloud Service Providers must review and implement actions described in Emergency Directive 24-01 if they maintain federal information, ensuring compliance with FedRAMP requirements. Actions include uploading responses to a FedRAMP reporting template in the incident response folder of their FedRAMP secure repository by specified deadlines. Upon action completion, CSPs must notify agency customer Authorizing Officials and the FedRAMP PMO. This ensures CSPs align with FedRAMP and CISA directives to mitigate vulnerabilities effectively.

 

What Are XML External Entity Attacks?

XML External Entity (XXE) injection is a type of attack against applications that parse XML input. This attack occurs when an XML parser processes input containing a reference to an external entity (a document outside the current page’s scope). If an application is vulnerable to XXE attacks, attackers can exploit this by including malicious content in the XML data, attempting to trick the parser into executing unintended operations. These operations can involve accessing local or remote content, interacting with other systems in a way that can compromise security, or even execute arbitrary code depending on the application’s configuration and the environment.

The core of an XXE attack is the XML feature that allows an XML document to define entities, which are shortcuts to larger content blocks. These entities can be defined within the document or as references to external sources. In a typical XXE attack, an attacker would define or manipulate these entities in a way that causes the XML parser to access unauthorized resources.

XXE vulnerabilities can lead to various impacts, such as:

Mitigating XXE attacks typically involve:

Developers and security teams should be aware of XXE vulnerabilities, especially when working with applications that accept XML input, to protect against potential data breaches and system compromises.

 

Respond Quickly to the Latest Vulnerabilities with Lazarus Alliance

If you are a CSP or other provider handling the fallout of the Ivanti security vulnerability, particularly in the federal space, then Lazarus Alliance can help with extensive services including:

[wpforms id=”137574″]

Exit mobile version