How to remediate – Ivanti Policy Secure 9.x / 22.x Multiple Vulnerabilities

1. Introduction

Ivanti Policy Secure is a Network Access Control (NAC) solution used by many organisations to manage device access. This vulnerability affects versions 9.x and 22.x, potentially allowing attackers to bypass security controls, execute commands on the appliance, or escalate privileges. Successful exploitation could compromise confidentiality, integrity, and availability of network resources.

2. Technical Explanation

The Ivanti Policy Secure web component contains multiple vulnerabilities that can be exploited remotely. An authentication bypass allows access to restricted resources without proper credentials. A command injection vulnerability enables authenticated administrators to execute arbitrary commands on the appliance via crafted requests, and a privilege escalation flaw permits users to gain administrator privileges. These issues stem from insufficient input validation and flawed access controls within the web application.

• Root cause: Insufficient input validation in the web component allows for command injection and authentication bypass. Flawed access checks permit privilege escalation.
• Exploit mechanism: An attacker can exploit the authentication bypass by sending a specially crafted request to the web interface, bypassing login controls. A malicious administrator could inject commands into requests processed by the appliance. A user can elevate privileges through manipulation of web component functionality.
• Scope: Ivanti Policy Secure versions 9.x and 22.x are affected.

3. Detection and Assessment

Confirming vulnerability requires checking the installed version of Ivanti Policy Secure. A thorough assessment involves reviewing logs for suspicious activity.

• Quick checks: Check the application’s self-reported version number via the web interface or command line (if available).
• Scanning: Nessus has not tested for this issue but relies on the application’s reported version. Other vulnerability scanners may have signatures based on these CVEs.
• Logs and evidence: Review Ivanti Policy Secure logs for authentication failures, unusual requests, or unexpected command executions. Specific log paths depend on configuration.

4. Solution / Remediation Steps

Apply the vendor-provided patch for Ivanti Policy Secure to address these vulnerabilities. Follow a careful process to minimise disruption.

4.1 Preparation

• Services: No services need to be stopped, but plan for potential downtime during patching.

4.2 Implementation

1. Step 1: Download the latest patch from the Ivanti support portal.
2. Step 2: Install the patch on the Ivanti Policy Secure appliance following the vendor’s instructions.
3. Step 3: Restart the appliance if required by the patching process.

4.3 Config or Code Example

No configuration changes are needed, this is a software update.

Before

After

4.4 Security Practices Relevant to This Vulnerability

Implementing least privilege and a robust patch management process can help mitigate risks associated with this vulnerability.

• Practice 1: Least privilege reduces the impact of successful exploitation by limiting user access rights.
• Practice 2: A regular patch cadence ensures timely application of security updates, reducing exposure to known vulnerabilities.

4.5 Automation (Optional)

Automation is not generally available for this specific patching process.

5. Verification / Validation

Confirm the patch installation and verify that the vulnerabilities are no longer present. Perform basic service smoke tests to ensure functionality remains intact.

• Re-test: Re-run vulnerability scans to confirm the issue is resolved.
• Smoke test: Test user login and basic network access functionality.
• Monitoring: Monitor logs for authentication attempts or unusual activity.

6. Preventive Measures and Monitoring

Regular security baselines, vulnerability scanning, and a strong patch management process are key preventive measures.

• Baselines: Update security baselines to include the latest Ivanti Policy Secure version requirements.
• Asset and patch process: Implement a regular patch review cycle for all critical systems, including Ivanti Policy Secure.

7. Risks, Side Effects, and Roll Back

Patching may cause temporary service disruption. Have a rollback plan in place.

• Risk or side effect 1: Patch installation could temporarily interrupt network access.
• Roll back: Restore the appliance from the pre-patch backup if issues occur during patching.

8. References and Resources

Refer to Ivanti’s official security advisories for detailed information on this vulnerability.

• Vendor advisory or bulletin: http://www.nessus.org/u?11330e19
• NVD or CVE entry: CVE-2023-46805, CVE-2024-21887, CVE-2024-21888