Ivanti VPN Zero-Day Vulnerability (CVE-2024-21887 and CVE-2023-46805)

Imechapishwa: Jan 15, 2024 15:22

Advisory No: TZCERT/SA/2024/01/15

Source: Ivanti

Software Affected: Version 9.x and 22.x

Overview

Ivanti has issued an advisory on two critical zero-day vulnerabilities discovered in Ivanti Connect Secure VPN and Ivanti Policy Secure appliances. The vulnerability could lead to unauthenticated remote code execution.

Description

CVE-2024-21887 (CVSS score of 9.1) is a command injection vulnerability, and CVE-2023-46805 (CVSS score of 9.1) is an authentication bypass vulnerability. Both vulnerabilities impact all supported versions of the Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways, including versions 9.x and 22.x. When these vulnerabilities are exploited together they allow threat actors to execute arbitrary commands on the system without requiring authentication.

Impact

Successful exploitation of this vulnerability may allow a remote attacker to take control of the affected system.

Solution

Ivanti has released a workaround to provide mitigation while the patch is in development. Workaround: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

Subscribe To TZ - CERT Newsletter

A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.

Subscribe
Ripoti Tukio