How to remediate – Ivanti Connect Secure Detection

1. Introduction

Ivanti Connect Secure Detection indicates that the web interface for Ivanti Connect Secure (formerly Pulse Connect Secure), an SSL VPN, is present on a remote host. This matters to businesses as vulnerable VPNs can allow attackers access to internal networks. Affected systems are typically those running Ivanti Connect Secure software. A successful exploit could compromise confidentiality, integrity and availability of data within the network.

2. Technical Explanation

The vulnerability lies in the presence of the Ivanti Connect Secure web interface, which may be subject to known exploits if not patched or properly configured. Attackers can attempt to exploit vulnerabilities through this interface to gain unauthorized access. Nessus detects the interface without credentials initially, and attempts version retrieval with provided HTTP credentials if available.

• Root cause: The presence of a potentially vulnerable Ivanti Connect Secure web interface.
• Exploit mechanism: Attackers can attempt known exploits against the detected interface to gain access to the VPN.
• Scope: Systems running Ivanti Connect Secure (formerly Pulse Connect Secure).

3. Detection and Assessment

To confirm vulnerability, check for the presence of the web interface and its version. A thorough method involves attempting to retrieve version information with credentials if available.

• Quick checks: Check running processes or network ports associated with Ivanti Connect Secure.
• Scanning: Nessus can detect this vulnerability using plugin ID 168739. This is an example only and other scanners may also be able to identify the interface.
• Logs and evidence: Review web server logs for requests targeting the Ivanti Connect Secure interface.

# Example command placeholder:
netstat -tulnp | grep 443

4. Solution / Remediation Steps

Apply the latest security patches and updates provided by Ivanti for Connect Secure. Follow a phased approach to minimize disruption.

4.1 Preparation

• Ensure you have access to the latest patch files from Ivanti’s support portal. A roll back plan involves restoring the pre-patch configuration and restarting the service.
• A change window may be required, with approval from IT security or network administrators.

4.2 Implementation

1. Step 1: Download the latest Ivanti Connect Secure patch from https://www.ivanti.com/products/connect-secure-vpn.
2. Step 2: Install the downloaded patch on the Ivanti Connect Secure server.

4.3 Config or Code Example

Before

# No specific configuration example available as this is a patch-based remediation. Check Ivanti documentation for version details prior to patching.

After

# Verify the installed patch version using the Ivanti Connect Secure web interface or command-line tools. Refer to Ivanti's documentation for specific commands.

4.4 Security Practices Relevant to This Vulnerability

Practices like a robust patch cadence and least privilege can help mitigate this vulnerability. Keeping software up to date reduces the window of opportunity for attackers, while limiting access minimizes potential damage.

• Practice 1: Implement a regular patch management cycle for all critical infrastructure components.
• Practice 2: Apply the principle of least privilege to restrict user access and reduce the impact of potential compromises.

4.5 Automation (Optional)

# Example PowerShell snippet for automated patch deployment (requires Ivanti's API):
# This is an example only and requires customization based on your environment.
# $ivantiServer = "your_ivanti_server"
# $patchID = "your_patch_id"
# Invoke-RestMethod -Uri "$ivantiServer/api/patches/$patchID/install" -Method Post

5. Verification / Validation

Confirm the fix by verifying the installed patch version and re-running the initial detection scan. Perform a basic service smoke test to ensure functionality remains intact.

• Post-fix check: Check the Ivanti Connect Secure web interface for the updated version number.
• Re-test: Run Nessus plugin ID 168739 again to confirm the vulnerability is no longer detected.
• Monitoring: Monitor Ivanti Connect Secure logs for any errors or unexpected behavior following the patch installation.

# Post-fix command and expected output (example):
# Check version via web interface - Expected Output: Version X.Y.Z (patched version)

6. Preventive Measures and Monitoring

Update security baselines to include the latest patch requirements for Ivanti Connect Secure. Implement automated vulnerability scanning in CI/CD pipelines to identify similar issues early on. Maintain a sensible patch review cycle that fits your risk profile.

• Baselines: Update security baselines or policies to reflect the required Ivanti Connect Secure version.
• Asset and patch process: Establish a regular patch review cycle for all critical infrastructure, including Ivanti Connect Secure.

7. Risks, Side Effects, and Roll Back

Patching may cause temporary service disruption or compatibility issues with other systems. A roll back plan involves restoring the pre-patch configuration and restarting the service.

• Risk or side effect 1: Potential for brief service interruption during patching. Mitigation: Schedule patching during off-peak hours.
• Risk or side effect 2: Compatibility issues with other systems. Mitigation: Test the patch in a non-production environment first.
• Roll back: Restore the pre-patch configuration and restart the Ivanti Connect Secure service.

8. References and Resources

• Vendor advisory or bulletin: https://www.ivanti.com/products/connect-secure-vpn
• NVD or CVE entry: Not applicable as this is a detection of the interface itself, not a specific exploit.
• Product or platform documentation relevant to the fix: https://community.ivanti.com/docs/DOC-13246