Ivanti has finally released patches for two critical zero-day vulnerabilities, but said the update also covers two new bugs – one of which is being actively exploited in attacks.
Ivanti released details of CVE-2023-46805 and CVE-2024-21887 in mid-January, although it’s believed that Chinese actor UTA0178 (aka UNC5221) had been exploiting them as far back as early December 2023.
The zero-days impact its Connect Secure VPN product and Policy Secure network access control (NAC) offering and can be chained to allow an unauthenticated actor to craft malicious requests and execute arbitrary commands on the system.
New Vulnerabilities in Ivanti Connect Secure
Its new advisory published on January 31 – a week later than expected – included fixes for these and two newly discovered vulnerabilities.
- CVE-2024-21888 is a privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x), which allows a user to elevate privileges to that of an administrator. It has a CVSS score of 8.8.
- CVE-2024-21893 is a server-side request forgery flaw in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA, which allows an attacker to access certain restricted resources without authentication. It has a CVSS score of 8.2.
Ivanti claimed the latter is being actively exploited in the wild, with a “limited number of customers” currently impacted.
“We are reporting these vulnerabilities in this knowledge base article as it is resolved in the patch detailed below. We have also provided new mitigation for supported versions where the patch has not been released,” the security vendor continued.
“At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted. Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public – similar to what we observed on 11 January following the 10 January disclosure.”
Read more on Ivanti vulnerabilities: Ivanti Zero-Days Exploited By Multiple Actors Globally
Ivanti urged customers to factory reset their appliances before applying the patch, in order to prevent threat actors from gaining “upgrade persistence” in their environment.
“Historically we have seen this threat actor attempt to gain persistence in customers’ environment, which is why we are recommending this action as a best practice for all customers,” it added. “The remaining patches for supported versions will still be released on a staggered schedule. The timing of patch release is subject to change as we prioritize the security and quality of each release.”
Mandiant Discovers New Malware
In related news, security researchers discovered several new pieces of malware during their investigation of post-exploitation activity linked to the original Ivanti zero-day vulnerabilities.
Mandiant claimed to have identified “broad exploitation activity” from both UNC5221 and other unknown threat groups – with a “significant portion” performed through automated methods.
It listed a new webshell dubbed Bushwalk, which is being used in highly targeted attacks to bypass the initial mitigation provided by Ivanti on January 10. Also revealed by Mandiant were additional custom webshells, Framesting and Chainline, which enable arbitrary command execution.
“Mandiant has observed UNC5221 targeting a wide range of verticals of strategic interest to the People’s Republic of China (PRC) both pre and post disclosure, and early indications show that tooling and infrastructure overlap with past intrusions attributed to suspected China-based espionage actors,” Mandiant concluded.
“Additionally, Linux-based tools identified in incident response investigations use code from multiple Chinese-language Github repositories.”