CVE-2024-21888 & CVE-2024-21893: Ivanti Discloses Two Major Zero-Day Vulnerabilities

CVE-2024-21888 & CVE-2024-21893

Today, Ivanti, a renowned player in the cybersecurity arena, disclosed two critical zero-day vulnerabilities within their Connect Secure (ICS) and Policy Secure (IPS) systems. These vulnerabilities have been actively exploited in the wild, signifying a new level of urgency in the cybersecurity world.

The first of these vulnerabilities, identified as CVE-2024-21888 with a CVSS score of 8.8, is a privilege escalation vulnerability lurking within the web component of Ivanti Connect Secure and Ivanti Policy Secure (versions 9.x, 22.x). This flaw allows a user to climb the privilege ladder and gain administrative control, a nightmarish scenario for any organization.

The second, CVE-2024-21893, scored at 8.2 on the CVSS scale, represents a server-side request forgery vulnerability within the SAML component of the same Ivanti systems, including Ivanti Neurons for ZTA. This vulnerability grants attackers the ability to access restricted resources without the need for authentication, opening the door to untold potential exploits.

CVE-2024-21888 & CVE-2024-21893

On January 10, 2024, Ivanti made another startling revelation. They disclosed two additional zero-days, CVE-2023-46805 and CVE-2024-21887, exploited by suspected Chinese hackers. The former is an authentication bypass in the appliance’s web component, allowing attackers to sidestep control checks. The latter is a command injection vulnerability, granting authenticated admins the power to execute arbitrary commands on vulnerable appliances.

The combination of these vulnerabilities is particularly lethal. When chained together, threat actors can run arbitrary commands on all supported versions of ICS VPN and IPS network access control (NAC) appliances without requiring authentication. This alarming situation led Ivanti to state, “CVE-2024-21888 allows for privilege escalation and CVE-2024-21893 is a server-side request forgery in the SAML component which allows a threat actor to access certain restricted resources without authentication. We have no evidence of customers being impacted by CVE-2024-21888 at this time, and we are aware of a limited number of customers impacted by CVE-2024-21887.

In response to these vulnerabilities, Ivanti has not only issued patches but has also taken proactive measures. A key recommendation is for customers to factory reset their appliance before applying the patch. This step is crucial to prevent the threat actor from maintaining a presence in the environment post-upgrade. Although this process could take 3-4 hours, it’s a necessary precaution in ensuring the integrity of the system.

For customers experiencing difficulties with the factory reset, Ivanti has made provisions for support through their knowledge base and support tickets. Furthermore, the company assures that patches for supported versions will be released on a staggered schedule, emphasizing the importance of security and quality in each release.

Ivanti strongly recommends upgrading to the latest version of Ivanti Connect Secure or Ivanti Policy Secure to benefit from the latest security and stability fixes. Detailed upgrade information is readily available on Ivanti’s forums, ensuring that customers are well-equipped to handle the upgrade process.

CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893 can be mitigated by importing mitigation.release.20240126.5.xml file via the download portal” the company wrote.