Published On: Jan 15, 2024 15:22
Advisory No: TZCERT/SA/2024/01/15
Source: Ivanti
Software Affected: Version 9.x and 22.x
Ivanti has issued an advisory on two critical zero-day vulnerabilities discovered in Ivanti Connect Secure VPN and Ivanti Policy Secure appliances. Chained together, the vulnerabilities could lead to unauthenticated remote code execution.
CVE-2024-21887 (CVSS score of 9.1) is a command injection vulnerability, and CVE-2023-46805 (CVSS score of 9.1) is an authentication bypass vulnerability. Both vulnerabilities impact all supported versions of the Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways, including versions 9.x and 22.x. When these vulnerabilities are exploited together, they allow threat actors to execute arbitrary commands on the system without requiring authentication.
Successful exploitation of these vulnerabilities may allow a remote attacker to take control of the affected system.
Ivanti has released a workaround to provide mitigation while the patch is in development. Workaround: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.