Two new Ivanti bugs discovered as CISA warns of hackers bypassing mitigations
IT company Ivanti said this week that it discovered two new vulnerabilities affecting its products while investigating bugs discovered earlier in the month.
The issues affect Ivanti’s Policy Secure and Ivanti Connect Secure VPN products, which are used widely across the U.S. government and other industries. The two vulnerabilities — referred to as CVE-2024-21888 and CVE-2024-21893 — affect all supported versions.
The company said “a small number of customers” have been impacted by CVE-2024-21893, which allows an attacker “to access certain restricted resources without authentication.” It has no evidence of any customers being affected by CVE-2024-21888, which allows a hacker to elevate their privileges to that of an administrator, providing wider access to a victim’s network.
“Upon learning of these vulnerabilities, we immediately mobilized resources and the patch is available now… It is critical that you immediately take action to ensure you are fully protected,” the company said.
Changing patch schedule
The company’s advisory came one day after concerns were raised by the U.S. government and security experts about the mitigations publicized for two other Ivanti bugs — CVE-2023-46805 and CVE-2024-21887. Experts have warned for weeks that hackers are exploiting the bugs because they allow attackers “to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems.”
The bugs were of such concern to cybersecurity officials within the U.S. government that they took the extraordinary step of mandating that all federal civilian agencies patch them immediately.
In a press briefing two weeks ago, a senior CISA official said the agency has “observed some initial targeting of federal agencies” and is investigating each situation. The official explained that there are “around 15 agencies that were using these products” but declined to confirm if any dealt with compromises.
The agencies using the tools cover “a wide spectrum … across the breadth of the federal mission,” the official said.
On Tuesday, CISA warned that hackers are still leveraging the vulnerabilities to steal credentials and enable further access to compromised networks.
“Some threat actors have recently developed workarounds to current mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection,” the agency said.
“CISA is aware of instances in which sophisticated threat actors have subverted the external integrity checker tool (ICT), further minimizing traces of their intrusion.”
Patch rollout
Ivanti released the first batch of patches for the two vulnerabilities on Wednesday but noted that patches for other supported versions will still be released on a staggered schedule.
“We are recommending as a best practice that all customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment. Historically we have seen this threat actor attempt to gain persistence in customers’ environment, which is why we are recommending this action as a best practice for all customers,” the company said.
Security firm Mandiant — which worked alongside cybersecurity company Volexity in analyzing exploitation of the two bugs — released an updated blog confirming that hackers based in China are continuing to exploit the vulnerabilities.
Since their initial blog post, Mandiant incident responders said they have seen exploitation expand beyond Chinese espionage hackers to several other hacking operations. The company outlined the variety of backdoors and malware hackers are deploying after compromise in order to keep their access to breached systems.
Ken Dunham, cyber threat director at Qualys Threat Research Unit, said Ivanti is likely being targeted because of the functionality and architecture it provides actors. It provides hackers with access to networks and downstream targets of interest, Dunham added.
“These Ivanti high-security flaws are serious and should be patched immediately. Vulnerabilities that enable users to elevate privileges to the administrator level or provide access to restricted resources without authentication have proven to be particularly valuable for attackers,” said Keeper Security’s Patrick Tiquet.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.