Ivanti VPN Zero-Day Vulnerability (CVE-2024-21887 and CVE-2023-46805)

Advisory No: TZCERT/SA/2024/01/15

Date of First Release: 15^th January 2024

Source: Ivanti

Software Affected: Version 9.x and 22.x

Overview:

Ivanti has issued an advisory on two critical zero-day vulnerabilities discovered in Ivanti Connect Secure VPN and Ivanti Policy Secure appliances. The vulnerability could lead to unauthenticated remote code execution.

Description:

CVE-2024-21887 (CVSS score of 9.1) is a command injection vulnerability, and CVE-2023-46805 (CVSS score of 9.1) is an authentication bypass vulnerability. Both vulnerabilities impact all supported versions of the Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways, including versions 9.x and 22.x.

When these vulnerabilities are exploited together they allow threat actors to execute arbitrary commands on the system without requiring authentication.

Impact:

Successful exploitation of this vulnerability may allow a remote attacker to take control of the affected system.

Solution:

Ivanti has released a workaround to provide mitigation while the patch is in development.

Workaround: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

References:

1. https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
2. https://www.sdxcentral.com/articles/news/ivanti-calls-for-immediate-action-on-two-critical-zero-day-vulnerabilities/2024/01/