Ivanti vows to transform its security operating model, reveals new vulnerabilities

Ivanti has released patches for new DoS vulnerabilities affecting Ivanti Connect Secure (SSL VPN solution) and Ivanti Policy Secure (NAC solution), some of which could also lead to execution of arbitrary code or information disclosure.

Also, three months since attackers started exploiting a string of zero-days in Ivanti Connect Secure and bypassing mitigations for them, the company’s CEO has announced they will be accelerating security initiatives and improving security practices.

The patched vulnerabilities

Four vulnerabilities have been discovered and patched in all supported versions – 9.x and 22.x – of Ivanti Connect Secure and Ivanti Policy Secure:

CVE-2024-21894 and CVE-2024-22053 are heap overflow vulnerabilities, CVE-2024-22052 is a null pointer dereference vulnerability, and CVE-2024-22023 is an XEE vulnerability.

All four can be triggered by an unauthenticated attacker sending specially crafted requests to crash the service or cause resource exhaustion. If certain conditions are met, CVE-2024-21894 and CVE-2024-22053 could also allow the attacker to execute code or contents from memory.

“We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure,” Ivanti said on Tuesday. “If these vulnerabilities were used in an attack against a customer, the box would crash, and the service to end users would be disrupted.”

The company urged users to implement provided patches and to download and use the latest version of the external Integrity Checker Tool to verify the image installed on their virtual or hardware appliances and check for presence of new and/or modified binary files.

“[The ICT] is an additional layer of security for our customers and is always intended to be used in conjunction with continuous monitoring tools,” the company noted earlier this year, when dealing with the attacks.

Stemming the tide

In light of attackers’ increased focus of exploiting zero-days in enterprise-specific security solitions/appliances, Ivanti has judiciously decided to up their security game lest they lose more enterprise customers.

“We are taking a very close look at our own posture and processes to ensure we are well prepared to address the current landscape,” says Ivanti CEO Jeff Abbott.

“We have already begun applying learnings from recent incidents to make immediate improvements to our own engineering and security practices.”

The company intends to improve their products’ security by:

• Embracing “secure by design” principles, aided by threat modeling exercises
• Modernizing the stack of and implementing isolation and anti-exploit technologies in their network security products
• Providing solutions that are secure out of the box and can be managed, monitored and secured by Ivanti
• Increasing the number of people working on product security

They will also increase their vulnerability discovery and vulnerability remediation efforts, Abbott said, and will work on improving support for customers (including those who require a fully on-prem solution) and information sharing with the community.

That’s the plan, anyway – it now remains to be seen how quickly and how thoroughly it will be put into practice.