Bad news continues to pile up for Utah-based IT software provider Ivanti as a new vulnerability has been discovered in its products.
On February 8, Ivanti disclosed a new authentication bypass vulnerability impacting its Connect Secure, Policy Secure, and ZTA gateways.
This new vulnerability, identified as CVE-2024-22024, is the latest in a series of vulnerabilities discovered in several Ivanti products since mid-January 2024 – namely, in order of discovery, CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893.
The vulnerability is due to a flaw in the gateways' Security Assertion Markup Language (SAML) component, the part of the gateway software that handles SAML exchanges and helps ensure secure authentication.
By exploiting this flaw, remote attackers can gain access to restricted resources on unpatched appliances without requiring any user interaction or authentication.
Although the company claimed the vulnerability was not being actively exploited, it urged its customers to implement the mitigation processes the company released in another advisory.
On February 14, content delivery network (CDN) provider Akamai published a report in which it observed malicious activity targeting this new vulnerability.
Akamai said it observed a peak of 240,000 requests and 80 IPs attempting to deliver payloads on February 11.
Akamai commented: “So far, we have only been seeing payloads similar to the original proof-of-concept (PoC) [exploit] published by watchTowr.”
watchTowr, a red teaming firm, conducted a proof-of-concept experiment to see how threat actors could exploit CVE-2024-22024. The company published its results on February 9.
On the same day, the Shadowserver Foundation said it observed over 3900 Ivanti endpoints vulnerable to CVE-2024-22024.
Ivanti Denies CVE-2024-22024 Exploitation
In an FAQ blog post also published on February 14, Ivanti insisted that it has not seen any exploitation of the latest vulnerability, CVE-2024-22024.
“It is unfortunate that media reports continue to cover statements and unverified numbers from third parties that are incorrect or inflated,” the company said in the blog post.
Ivanti assessed that there was confusion between the exploitation of CVE-2024-21893 and CVE-2024-22024 because both vulnerabilities are “in the same part of code.”
“We previously confirmed the initial vulnerabilities disclosed on 10 January were exploited by threat actors. While the initial impact was very limited, we observed a sharp increase in threat actor activity and security researcher scans following public disclosure of the issue, indicating global customer impact as a result of CVE-2023-46805, CVE-2024-21888 and CVE-2024-21893,” the Ivanti spokesperson added.
Sean Wright, head of application security at Featurespace, criticized Ivanti’s response on social media.
Wright said on X that Ivanti should have given substantial evidence “backing up how they came to [the] conclusion how the information was incorrect.”
Ivanti Pulse Secure Accused of Running on an Outdated OS
On February 15, supply chain security provider Eclypsium shared the results of reverse engineering work it conducted after acquiring Ivanti Pulse Secure firmware version 9.1.18.2-24467.1.
Eclypsium’s aim was to leverage a PoC exploit for CVE-2024-21893, released by Rapid7 on February 2, to obtain a reverse shell on the PSA3000 appliance, subsequently exporting the device image for follow-on analysis using the EMBA firmware security analyzer.
The firm concluded: “Pulse Secure runs an 11-year-old version of Linux which hasn’t been supported since November 2020.”
Concerns Over Legacy Software Running in Critical Infrastructure
Speaking to Infosecurity, Jamie Boote, associate principal software security consultant at the Synopsys Software Integrity Group, commented: “The big, scary-sounding zero days get the overwhelming majority of the media attention. The reality, however, is that the boring problem of unpatched vulnerabilities and legacy software silently running in critical infrastructure represents a much larger risk waiting to be uncovered by an enterprising attacker.”
He explained that security practitioners meet many hurdles when they want to modernize their organization’s technical stack, and these initiatives can be pushed back for months, if not years.
“Firmware is even more complicated because IT teams and Ops may not have a good view into network appliances like routers, boundary devices, and security appliances, so without proactive investigation into these devices, IT may not even realize that these appliances have silently reached their end-of-life.”
In its FAQ blog post, Ivanti denied this claim: “The Ivanti Connect Secure product is not vulnerable as a result of older versions of open source code.
“Ivanti provides security by developing and releasing patches to make this code secure within the 9.x version of the product. The hardware for the 9.x version does not have enough CPU to run a newer Linux kernel and as such the kernel limitations require this older open source code to be used. The newer 22.x version of Ivanti Connect Secure is built on a new Linux kernel and does not have the older versions of open source code in it. We formally released an End of Life Notification for the 9.x hardware and software product in July 2022.”
Ivanti Denies CISA Takedown Requirement
Finally, Ivanti denied claims that the US Cybersecurity and Infrastructure Security Agency (CISA) had told US federal agencies to replace Ivanti products.
“CISA’s directive was misinterpreted by media who only reported on the first step of the instructions,” the company said. “CISA made updates to their directive to correct this, and then further updated last week to make absolutely clear that you can turn the product on after patching.”
CISA’s full instructions are in line with Ivanti’s own instructions and recommendations for its customers from 31 January.
“We support the Emergency Directive issued by CISA on 9 February and worked with CISA to develop the content,” Ivanti said.
The instructions are as follows:
- Take the solution out of production and look for signs that the threat actor took further action;
- Factory reset, upgrade and patch;
- Put the appliance back into production.