Following its disclosure of two new zero-days on Jan 31, Ivanti has also updated its mitigation file. Customers who applied the previous mitigation need to re-apply the updated one to address the new flaws.
Google’s Mandiant security group has released updated guidance for Ivanti customers looking to remediate or harden their Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways after the vendor disclosed two new actively exploited vulnerabilities in the technology on Jan 31.
Two New Zero Days
One of the vulnerabilities, identified as CVE-2024-21888, is a privilege escalation flaw with a CVSS score of 8.8. The other, CVE-2024-21893, is a server-side request forgery (SSRF) issue in the SAML component of the affected software. The vulnerabilities give unauthenticated attackers a way to bypass authentication mechanisms and execute arbitrary code on an affected Ivanti appliance. Mandiant said it has identified zero-day exploitation of the flaws going back to at least December 2023.
Ivanti’s disclosure of the two new flaws comes just three weeks after the company revealed two other zero-days in Ivanti Connect Secure and Ivanti Policy Secure on Jan 10. One of them (CVE-2023-46805) is an authentication bypass flaw and the other, identified as CVE-2024-21887, is a command injection vulnerability.
Multiple threat groups, including the Chinese state-sponsored group UNC5221, have attacked the flaws ferociously over the past few weeks to drop backdoors, web shells, credential stealers and other malware on vulnerable systems.
Quick Take
- The two new vulnerabilities that Ivanti disclosed on Jan 31: CVE-2024-21888 (privilege escalation) and CVE-2024-21893 (server-side request forgery)
- Mandiant’s updated guidance: https://services.google.com/fh/files/misc/ivanti-connect-secure-remediation-hardening.pdf
- Ivanti’s updated mitigation file (mitigation.release.20240126.5.xml): https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
- List of malware and associated IoCs that the China-linked threat group UNC5221 has been dropping on vulnerable Ivanti Connect Secure and Policy Secure gateways: https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day and https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation
- Mandiant’s report on Ivanti exploit activity: https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation
- Volexity’s Jan 18 report on exploit activity: https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/
Custom Malware
Mandiant and others have reported observing UNC5221 exploiting the vulnerabilities to install a range of custom malware on vulnerable Ivanti Connect Secure and Policy Secure gateways. The list includes a passive backdoor called ZIPLINE; two web shells dubbed LIGHTWIRE and WIREFIRE; a dropper named THINSPOOL; and a credential stealer called WARPWIRE. Volexity, which tracks UNC5221 as UTA0178, said earlier this month that it had observed at least 2,100 Ivanti appliances that the threat actor had already backdoored.
Ivanti has readied patches for all four vulnerabilities and has said it will be rolling them out in batches in the coming weeks.
Following Ivanti’s disclosure of the two new zero-days on Jan 31, both Mandiant and Ivanti updated their guidance around the vulnerabilities.
Mandiant’s Guidance
Here’s a quick gist of Mandiant’s recommendations for containment, remediation and hardening. Mandiant’s full guidance document is at https://services.google.com/fh/files/misc/ivanti-connect-secure-remediation-hardening.pdf.
Mandiant’s Guidance for Containment and Investigation
- Isolate impacted appliances and run Ivanti’s external Integrity Checker Tool (ICT) on them to check for signs of compromise.
- Provide Ivanti support with the output from the ICT and get the vendor’s help in capturing a forensic/memory image from the impacted systems.
- Review the images for signs of additional compromise. Review VPN logs and enable Unauthenticated Request logging to capture attempts to gain unauthorized access. Configure all event logs, user access logs and admin access logs for SYSLOG forwarding, so that logs remain available off the appliance and are protected against tampering.
Mandiant’s Remediation Guidance
- Preserve a forensic image of the impacted devices; back up the appliance configuration and then do a factory reset, not once, but TWICE.
- Apply Ivanti’s official patch, or, if one is not yet available, apply the company’s recommended mitigation.
- Restore the device, then revoke or rotate/reissue any secrets, stored certificates, API keys and local user passwords that were on the device prior to compromise. This includes the admin enable password.
Mandiant’s Recommended Hardening Measures
- Restrict egress communications from affected appliances.
- Disable admin access to the appliance from the external/Internet-facing port.
- Enable source-based IP restrictions.
- Enable MFA for admin access.
- Disable session roaming.
- Enforce session limits.
- Disable persistent access.
- Enable the “Remove Browser Session Cookies” feature and enable “HTTP Only Device Cookie”.
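Two of the recommendations above, forwarding appliance logs to SYSLOG with Unauthenticated Request logging enabled (under containment and investigation) and restricting admin access to known source networks (under hardening), are easiest to act on when the forwarded logs are reviewed automatically. The following Python script is an added example, not Mandiant’s or Ivanti’s code: it parses a small constructed set of syslog lines, flags admin logins that did not originate from the allowed management network, and lists unauthenticated request events for follow-up. The log line layout, the event wording, the management network 10.20.0.0/16 and the sample addresses are all assumptions made for this example; Ivanti’s actual log format differs, so the regular expressions would need adjusting for real collector output.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Admin sessions are expected only from this management network (assumed value).
ADMIN_ALLOWED_NETS = ["10.20.0.0/16"]

# Constructed sample of events as a syslog collector might receive them.
# The layout and wording are ASSUMED for this example; they are not Ivanti's
# actual log format. Addresses come from the RFC 5737 documentation ranges.
SAMPLE_SYSLOG = """\
<134>Feb  1 09:12:03 vpn-gw-01 gateway: admin login ok user=admin src=10.20.0.15 realm=Admin
<134>Feb  1 09:14:41 vpn-gw-01 gateway: admin login ok user=admin src=203.0.113.77 realm=Admin
<134>Feb  1 09:15:02 vpn-gw-01 gateway: unauthenticated request path=/placeholder/endpoint src=198.51.100.9
<134>Feb  1 09:16:10 vpn-gw-01 gateway: user login ok user=jdoe src=192.0.2.40 realm=Users
"""

# BSD-style syslog header: <PRI>timestamp host app: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^:]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_syslog_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into header fields plus its key=value pairs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    msg = event["msg"]
    event.update(KV_RE.findall(msg))
    # The free text before the first key=value pair names the event type.
    event["type"] = KV_RE.split(msg, maxsplit=1)[0].strip()
    return event


def is_allowed_admin_source(src: str, allowed_nets: List[str]) -> bool:
    """True when src lies inside one of the permitted admin networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # missing or malformed address is never trusted
    return any(ip in ipaddress.ip_network(net) for net in allowed_nets)


def review_logs(text: str, allowed_nets: List[str]) -> Dict[str, object]:
    """Flag admin logins from outside the allowlist and list unauthenticated requests."""
    findings: Dict[str, object] = {
        "events": 0,
        "unparsed": 0,
        "admin_logins_outside_allowlist": [],
        "unauthenticated_requests": [],
    }
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_syslog_line(line)
        if ev is None:
            findings["unparsed"] += 1  # unparsed lines are counted, never silently dropped
            continue
        findings["events"] += 1
        if ev["type"].startswith("admin login") and not is_allowed_admin_source(
            ev.get("src", ""), allowed_nets
        ):
            findings["admin_logins_outside_allowlist"].append(
                {"ts": ev["ts"], "user": ev.get("user"), "src": ev.get("src")}
            )
        elif ev["type"] == "unauthenticated request":
            findings["unauthenticated_requests"].append(
                {"ts": ev["ts"], "src": ev.get("src"), "path": ev.get("path")}
            )
    return findings


if __name__ == "__main__":
    for key, value in review_logs(SAMPLE_SYSLOG, ADMIN_ALLOWED_NETS).items():
        print(key, value)
```

Because the review runs over the SYSLOG copy rather than on the appliance, an attacker who tampers with the local logs does not affect the result, which is the point of Mandiant’s forwarding recommendation. The admin-source check is a detection counterpart to the hardening advice: once admin access is restricted to internal networks, any admin login from an address outside them is worth an immediate look.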