Ivanti patches bugs in Connect Secure and Policy Secure gateways

Comes on the heels of federal-level security concerns

IT security software company Ivanti has released security patches to fix four critical vulnerabilities affecting its Connect Secure and Policy Secure gateways.

The flaws (CVE-2024-21894, CVE-2024-22052, CVE-2024-22053 and CVE-2024-22023) pose a significant risk to businesses, including potential code execution and denial-of-service (DoS) attacks.

Technical details

• CVE-2024-21894: This flaw, with a CVSS score of 8.2, involves a heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. Exploitation by an unauthenticated malicious user could lead to a DoS attack and, under certain circumstances, permit arbitrary code execution.
• CVE-2024-22052: With a CVSS score of 7.5, this vulnerability relates to a null pointer dereference flaw in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. Like the previous flaw, it can be exploited by an unauthenticated user to initiate a DoS attack.
• CVE-2024-22053: Another heap overflow vulnerability within the IPSec component of the affected products, this flaw carries a CVSS score of 8.2. Similar to CVE-2024-21894, exploitation could result in a DoS attack or, under certain conditions, allow unauthorised access to memory contents.
• CVE-2024-22023: This vulnerability, rated at a CVSS score of 5.3, pertains to an XML entity expansion within the SAML component of Ivanti Connect Secure and Ivanti Policy Secure. An unauthenticated attacker could leverage specially crafted XML requests to trigger temporary resource exhaustion, leading to a limited-time DoS scenario.

Ivanti has not identified any instances of customer exploitation yet, but is still urging users to apply the provided security patches promptly.

The recent flurry of security concerns comes on the heels of multiple issues Ivanti has addressed in recent months.

The US Cybersecurity and Infrastructure Security Agency (CISA), alongside Ivanti and numerous security firms, sounded the alarm in early January regarding two vulnerabilities purportedly exploited by Chinese state-sponsored espionage hackers. Subsequently, cybercriminals and other entities sought to exploit these vulnerabilities.

The following month, CISA was compelled to take two systems offline after hackers breached its defences through security flaws in Ivanti products. CISA warned that attackers exploiting vulnerabilities in Ivanti VPN appliances can maintain a presence on infected devices, even after a factory reset.

On 1st February, CISA directed federal agencies to deactivate their deployments of Ivanti Connect Secure and Policy Secure.

Weeks later, the agency cautioned organisations about threat actors exploiting four Ivanti vulnerabilities identified as CVE-2023-46805, CVE-2024-21887, CVE-2024-22024 and CVE-2024-21893.

Ivanti's response and future measures

In an open letter penned by Ivanti's CEO Jeff Abbott on 3rd April, the company reaffirmed its commitment to addressing security concerns.

"Events in recent months have been humbling, and I want you to hear directly from me about the actions we are taking to ensure we emerge stronger, and our customers are more secure," Abbott said.

He outlined a strategic plan to overhaul Ivanti's security operating model. The plan includes integrating secure-by-design principles, fostering transparent communication with customers and revamping Ivanti's core engineering, vulnerability management and security practices.

"We have engaged the industry's most recognised security and product development experts to support the Ivanti team's review and to provide best-in-class execution guidance, ensuring we meet our commitment to you," he said.

"This plan is backed by a significant investment and has the full support of our board of directors and everyone at Ivanti."