CISA Emergency Directive Demands Action on Ivanti Zero-Day Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has kicked off the year with an emergency directive that demands immediate action from Federal Civilian Executive Branch (FCEB) agencies. This directive is in response to the discovery of zero-day vulnerabilities in products from Ivanti, a Utah-based software company.  

Tell me more about the Ivanti zero-day vulnerabilities 

On January 10, 2024, Ivanti publicly acknowledged the existence of vulnerabilities within its Connect Secure VPN and Policy Secure products. The day following this disclosure, the company observed a significant uptick in threat actor activity, indicating that these vulnerabilities were being actively exploited. The vulnerabilities in question are: 

• CVE-2023-46805: This authentication bypass vulnerability is found in the web component of Ivanti Connect Secure (versions 9.x, 22.x) and Ivanti Policy Secure. It allows a remote attacker to access restricted resources by bypassing control checks. 
• CVE-2024-21887: This is a command injection vulnerability in the web components of Ivanti Connect Secure (versions 9.x, 22.x) and Ivanti Policy Secure. An authenticated administrator can exploit this vulnerability over the internet by sending specially crafted requests, thereby executing arbitrary commands on the affected products.

When these two vulnerabilities are chained together, they could potentially allow attackers to move laterally within a target’s network, exfiltrate data and establish persistent system access by deploying backdoors. 

CISA has reported that approximately 15 agencies were using the vulnerable devices. However, these agencies have since mitigated the bugs swiftly and effectively. 

What is Nuspire doing?  

In response to these vulnerabilities, Nuspire has taken proactive measures to protect its clients. The firm is actively threat hunting for indications of compromise within client environments and is applying patches as they are released, in accordance with vendor recommendations. This approach ensures that Nuspire’s clients are protected from potential exploits as quickly and efficiently as possible. 

How should I protect myself from the Ivanti zero-day vulnerabilities 

Agencies running affected products are required to perform the CISA’s recommendations, which are detailed in the advisory. In addition, agencies must carefully follow Ivanti’s instructions to ensure a correct import and avoid service outages. 

The recommended actions include: 

• Revoking and reissuing any stored certificates. 
• Resetting the admin enable password. 
• Resetting stored API keys. 
• Resetting the password of any local user defined on the gateway, including service accounts used for auth server configuration(s). 

By taking these steps, agencies can help to mitigate the risk posed by these vulnerabilities and protect their systems and data from potential exploits.