
Understanding and Remediating Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities

Rotem Lebovich, Principal Product Manager

CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 are vulnerabilities that affect Ivanti Connect Secure and Policy Secure gateways, which are products used by organizations to secure remote connections and manage network access policies. These vulnerabilities are actively exploited in the wild, with some indications that they have been used by adversaries as early as December 2023.

CVE-2023-46805 (Authentication Bypass): This vulnerability allows an attacker to bypass authentication on the web server, gaining unauthorized access. It has a CVSS score of 8.2 (High).

CVE-2024-21887 (Command Injection): This vulnerability allows an attacker to inject and execute arbitrary commands on the system. It has a CVSS score of 9.1 (Critical).

CVE-2024-21893: This is a server-side request forgery vulnerability in the SAML components of Ivanti Connect Secure and Policy Secure that allows attackers to access restricted information without proper authentication. When combined with other issues, it can be further leveraged to bypass authentication and execute arbitrary commands.

All three vulnerabilities are known to be actively exploited. They can be chained to achieve unauthenticated remote code execution (RCE) on vulnerable systems, giving attackers complete control of affected devices without needing any valid credentials.

To remediate these vulnerabilities quickly, security teams are asking:

  • Where in our environment do we run Ivanti Connect Secure and Policy Secure?
  • Who owns these systems?
  • How can we communicate the fix to system owners as quickly as possible?
  • How can we gain a continuous view into how we’re tracking on fixing all vulnerabilities?

How Dazz Helps Customers Respond to Ivanti Vulnerabilities

Dazz helps customers respond to the Ivanti CVEs in three ways:

1. Consolidate all detection tools into one console to quickly identify all instances of this vulnerability

Dazz creates a data warehouse of all detected vulnerabilities from any and all tools you have in place. These could be infrastructure vulnerability scanners, attack surface management tools, and more. Once each vulnerability is ingested, we make it easy to find any specific CVE, including whether or not a fix is already in progress for it.

2. Accelerate responses by automatically creating tickets to asset owners when this vulnerability is found

Any filter in Dazz can then be used to trigger automations. For example, anytime Dazz sees these specific CVEs, you can automatically adjust the SLA date and create tickets in helpdesk platforms such as Jira and ServiceNow. Moreover, since Dazz can ingest business structure and asset ownership data, these tickets can be filed automatically to the right owner.

3. Track and report on the status of tickets so remediation progress can be communicated to stakeholders

Dazz also reports back the status of each ticket, so you can understand whether each instance of the CVE has been fixed without waiting on new scan results to confirm the presence of the CVE.

All of this can be visualized and tracked in a dashboard, where you can view remediation SLAs and tracking down to the individual level.

An example visualization of how to track remediation progress against a specific CVE in Dazz
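The three steps above (consolidate findings, route them to owners, track progress) can be sketched as follows. This is an added example, not Dazz's code or API: the tool names, finding fields, hostnames and ownership map are constructed for illustration, and only the three CVE IDs come from the article.

```python
from collections import defaultdict

# CVE IDs taken from the article.
IVANTI_CVES = {"CVE-2023-46805", "CVE-2024-21887", "CVE-2024-21893"}

# Constructed sample findings from two hypothetical tools; field names are assumptions.
FINDINGS = [
    {"tool": "infra-scanner", "asset": "vpn-gw-01.example.com", "cve": "CVE-2023-46805", "status": "open"},
    {"tool": "asm-tool", "asset": "VPN-GW-01.example.com", "cve": "CVE-2023-46805", "status": "open"},
    {"tool": "infra-scanner", "asset": "vpn-gw-01.example.com", "cve": "CVE-2024-21887", "status": "fixed"},
    {"tool": "asm-tool", "asset": "nac-02.example.com", "cve": "CVE-2024-21893", "status": "open"},
    {"tool": "infra-scanner", "asset": "web-07.example.com", "cve": "CVE-2021-44228", "status": "open"},
]
# Constructed asset-ownership data; nac-02 deliberately has no owner on record.
OWNERS = {"vpn-gw-01.example.com": "network-team"}

def consolidate(findings, cves=IVANTI_CVES):
    """Merge duplicate reports of the same (asset, CVE) across tools."""
    merged = {}
    for f in findings:
        if f["cve"] not in cves:
            continue
        key = (f["asset"].lower(), f["cve"])  # hostnames are case-insensitive
        rec = merged.setdefault(key, {"asset": key[0], "cve": key[1], "tools": set(), "status": "fixed"})
        rec["tools"].add(f["tool"])
        # An instance counts as fixed only if no tool still reports it open.
        if f["status"] == "open":
            rec["status"] = "open"
    return list(merged.values())

def route(instances, owners):
    """Group open instances by owner; unowned assets are surfaced, not dropped."""
    queues = defaultdict(list)
    for inst in instances:
        if inst["status"] == "open":
            queues[owners.get(inst["asset"], "UNASSIGNED")].append((inst["asset"], inst["cve"]))
    return dict(queues)

def progress(instances):
    """Fraction of instances fixed, per CVE."""
    totals, fixed = defaultdict(int), defaultdict(int)
    for inst in instances:
        totals[inst["cve"]] += 1
        fixed[inst["cve"]] += inst["status"] == "fixed"
    return {cve: fixed[cve] / totals[cve] for cve in totals}

if __name__ == "__main__":
    instances = consolidate(FINDINGS)
    print(route(instances, OWNERS), progress(instances))
```

The `UNASSIGNED` queue is the part worth watching in practice: an affected gateway with no owner on record is the one most likely to stay unpatched.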

Exploitation and Mitigation

Ivanti released patches and mitigations to address these vulnerabilities in January 2024. It is crucial to apply these updates immediately if you use Ivanti Connect Secure or Policy Secure.

CISA responded to the critical vulnerabilities affecting Ivanti Connect Secure and Policy Secure gateways (CVE-2023-46805 and CVE-2024-21887) by issuing an Emergency Directive urging federal agencies to patch immediately, while a joint Cybersecurity Advisory with other agencies provided technical guidance to all organizations. CISA continues to monitor the situation for potential exploitation attempts.

Additional Resources

Ivanti Security Advisory
CISA Emergency Directive

NIST: CVE-2023-46805
NIST: CVE-2024-21887
NIST: CVE-2024-21893

MITRE: CVE-2023-46805
MITRE: CVE-2024-21887
MITRE: CVE-2024-21893
