Ivanti VPN vulnerability: How to defend against CVE-2023-46805, CVE-2024-21887

Two zero-day vulnerabilities have been found on Ivanti Connect Secure VPN (formerly Pulse Secure) and Ivanti Policy Secure appliances. When used in conjunction, CVE-2023-46805 and CVE-2024-21887 can cause great harm to an organization. Learn how you can mitigate your risk.

Updated Feb 1, 2024: Patch release, and new CVE identified.
  • Jan 31st, 2024: Ivanti released the first round of patches for these vulnerabilities.
  • Alongside the publication of the patches, Ivanti also announced it had discovered two more vulnerabilities: CVE-2024-21893, which is known to be exploited in the wild, and CVE-2024-21888.

(Following is our original post as of Jan 29th)

In early January, the Utah-based IT software company Ivanti disclosed two vulnerabilities in its Ivanti Connect Secure VPN (formerly Pulse Secure) and Ivanti Policy Secure appliances. The two vulnerabilities, for which CVE-2023-46805 and CVE-2024-21887 were assigned, impact all supported versions – Version 9.x and 22.x. The vulnerabilities were already exploited in the wild at the time of publishing, and because they didn’t have an official patch, they were considered zero-day vulnerabilities.

Ivanti initially asserted that the issue, first detected by cyber forensics firm Volexity, affected only a small number of customers. However, in a follow-up advisory, Ivanti acknowledged that it “observed a sharp increase in threat activity and security researcher scans.”

These vulnerabilities are far-reaching enough for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to publish an emergency directive. In it, they state that “based on widespread exploitation of vulnerabilities by multiple threat actors, the prevalence of the affected products,…the high potential for a compromise,…the impact of a successful compromise, and the complexity of the proposed mitigations” the Ivanti vulnerabilities “pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action.”

Exploitation attempts have become even more common after proof-of-concept code appeared online a week after the disclosure of the vulnerabilities.

The vulnerabilities

Although there are two distinct vulnerabilities, when they are used in conjunction, they cause the most damage. Here’s what we know:

CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti Connect Secure (formerly known as Pulse Secure) and Ivanti Policy Secure. It received a CVSS 3.1 base score of 8.2, which means that it is of high severity. A successful exploit of the issue would allow a remote attacker to bypass control checks and access restricted resources.

CVE-2024-21887 is a command injection vulnerability in multiple web components of Ivanti Connect Secure (formerly known as Pulse Secure) and Ivanti Policy Secure. It received a CVSS 3.1 base score of 9.1, which means that it is of critical severity. Attackers would have to get administrator privileges to exploit this vulnerability, but once they get them, they can execute code on the affected system.

It is important to note that while each vulnerability has a relatively high individual CVSS score, when exploited together, these vulnerabilities pose a threat even more significant than reflected in their standalone risk score. Bypassing control checks when exploiting CVE-2023-46805 could pave the way for an attacker to gain the administrator privileges he or she needs to conduct a successful exploitation of CVE-2024-21887. That, in turn, could lead to stealing configuration data, downloading remote files, and backdooring legitimate files to allow remote code execution. The researchers who discovered the vulnerabilities already observed indications for all of these, in addition to other damages.

Solution information

As of publication, Ivanti had yet to release an official patch, and the anticipated initial patch, during the week of January 22nd, has been delayed. In the meantime, they have provided mitigation recommendations and suggest running its external Integrity Checker Tool (ICT), to which it added a new functionality aimed at detecting threat activity that may be associated with these vulnerabilities. However, Ivanti makes it clear that the ICT provides a snapshot of the current state of the appliance and cannot necessarily detect such activity in real-time. Moreover, using it may degrade some features of its products, as detailed in the company advisory.

How Skybox helps

The Skybox Research Lab added the two vulnerabilities to our threat intelligence feed the day they were made public. Since the patch release 1/31/2024, Skybox has also added these details as well as the two newly discovered vulnerabilities. Customers using Skybox Vulnerability and Threat Management solution and having one or both of the vulnerable products in their organization’s network will be able to detect them through our vulnerability discovery capabilities. That also informs customers how many occurrences of a vulnerability exist across their organization, the exposure level of each asset to the relevant attack vector, and provides them with a custom made risk score based on these factors. Skybox threat intelligence provides up-to-date information on mitigation possibilities and prescribes compensating security controls to mitigate exposure risk on the customer’s network while waiting for an official patch to be released and adopted.