How to remediate – Ivanti Connect Secure 9.x / 22.x Multiple Vulnerabilities

1. Introduction

Ivanti Connect Secure is a VPN solution affected by multiple vulnerabilities that allow attackers to bypass security checks, execute commands, and escalate privileges. This impacts businesses using this software to provide remote access as it could lead to complete compromise of the appliance and potentially the internal network. Affected systems are typically those running Ivanti Connect Secure 9.x or 22.x. Impact on confidentiality, integrity, and availability is likely to be high if exploited successfully.

2. Technical Explanation

The Ivanti Connect Secure VPN solution versions 9.x and 22.x contain multiple vulnerabilities stemming from flaws in the web component. These include an authentication bypass (CVE-2023-46805), a command injection vulnerability (CVE-2024-21887) and a privilege escalation vulnerability (CVE-2024-21888). An attacker could exploit these vulnerabilities to gain unauthorized access, execute arbitrary commands on the appliance, or elevate their privileges to administrator level. These exploits can be launched remotely over the internet.

• Root cause: The authentication bypass is due to insufficient control checks in the web component. The command injection vulnerability arises from improper handling of user-supplied input within the web components. Privilege escalation occurs because of a flaw in the web component allowing users to elevate privileges.
• Exploit mechanism: An attacker can exploit the authentication bypass by sending specially crafted requests that circumvent normal login procedures. For the command injection, an authenticated administrator needs to send malicious requests. The privilege escalation vulnerability allows a user to gain administrator access through manipulation of the web component.
• Scope: Ivanti Connect Secure versions 9.x and 22.x are affected.

3. Detection and Assessment

To confirm if a system is vulnerable, first check the installed version of Ivanti Connect Secure. A thorough method involves reviewing logs for suspicious activity related to authentication attempts or command execution.

• Quick checks: Check the application’s self-reported version number via the administration interface.
• Scanning: Nessus has not tested directly, but relies on the reported version number. Other vulnerability scanners may have signatures based on these CVEs; check your scanner documentation for details.
• Logs and evidence: Review Ivanti Connect Secure logs for unusual authentication attempts or unexpected command executions. Specific log paths will depend on configuration.

# Example command placeholder:
# No specific command available to confirm exposure directly, rely on version check in the UI.

4. Solution / Remediation Steps

Apply the vendor-provided patch or upgrade to a fixed version of Ivanti Connect Secure. Follow these steps carefully to minimize disruption.

4.1 Preparation

• A change window may be required, and approval from relevant stakeholders is recommended.

4.2 Implementation

1. Step 1: Download the latest patch or upgrade package from Ivanti’s official support portal.
2. Step 2: Stop the Ivanti Connect Secure service.
3. Step 3: Install the downloaded patch or upgrade package following the vendor’s instructions.
4. Step 4: Restart the Ivanti Connect Secure service.

4.3 Config or Code Example

Before

# No specific config example available, as this is a software vulnerability requiring patching/upgrading.  Ensure you are running an unsupported version.

After

# Verify the installed version after applying the patch to confirm it's updated to a secure release.

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help mitigate risks associated with this vulnerability type. Least privilege reduces the impact of successful exploitation, while input validation prevents malicious data from being processed. A robust patch cadence ensures timely application of security updates.

• Practice 1: Implement least privilege to limit the damage an attacker can cause if they gain access.
• Practice 2: Enforce input validation on all user-supplied data to prevent command injection attacks.

4.5 Automation (Optional)

# No automation script provided as this requires patching/upgrading which is best done manually with backups in place.

5. Verification / Validation

• Post-fix check: Verify the installed version via the administration interface; it should reflect the updated, patched version.
• Re-test: Check the application’s self-reported version number again to confirm the update was successful.
• Smoke test: Test basic VPN connectivity and functionality to ensure the service is operating as expected.

# Post-fix command and expected output:
# Check version in UI - Expected Output: Version X.Y.Z (patched version)

6. Preventive Measures and Monitoring

Update security baselines to include the latest patched versions of Ivanti Connect Secure. Incorporate vulnerability scanning into CI/CD pipelines to identify similar issues early in the development lifecycle. Implement a regular patch review cycle.

• Baselines: Update your security baseline or policy to require the latest Ivanti Connect Secure version.
• Pipelines: Add vulnerability scanning tools to your CI/CD pipeline to detect known vulnerabilities in software dependencies.
• Asset and patch process: Establish a regular patch review cycle (e.g., monthly) to ensure timely application of security updates.

7. Risks, Side Effects, and Roll Back

• Risk or side effect 1: Temporary service interruption during patching/upgrading. Mitigation: Schedule maintenance window and notify users.
• Risk or side effect 2: Compatibility issues with other systems. Mitigation: Test the patch in a non-production environment first.

8. References and Resources

• Vendor advisory or bulletin: https://www.ivanti.com/security-advisories
• NVD or CVE entry: https://nvd.nist.gov/vuln/detail/CVE-2023-46805
• Product or platform documentation relevant to the fix: https://community.ivanti.com/