Ivanti: VPN appliances vulnerable if pushing configs after mitigation
2024-01-22 18:24

Ivanti warned admins to stop pushing new device configurations to appliances after applying mitigations because this will leave them vulnerable to ongoing attacks exploiting two zero-day vulnerabilities.

"Customers should stop pushing configurations to appliances with the XML in place, and not resume pushing configurations until the appliance is patched," Ivanti said in a new update published on Saturday.

Ivanti ICS and IPS appliances have been targeted in large-scale attacks chaining the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection bugs since at least December.

While the company has yet to release security patches, it has released mitigation measures that should block attack attempts and recovery instructions designed to help admins restore impacted appliances and bring them back into service.

Shadowserver also monitors how many Ivanti Connect Secure VPN instances are being compromised worldwide daily, with over 700 compromised appliances discovered on January 21 alone.

Threat intelligence company Volexity said that one of the attackers actively exploiting the two zero-days (a suspected Chinese state-backed threat group tracked as UTA0178, also monitored by Mandiant as UNC5221) has already backdoored more than 2,100 Ivanti appliances using a GIFTEDVISITOR webshell variant.


News URL

https://www.bleepingcomputer.com/news/security/ivanti-vpn-appliances-vulnerable-if-pushing-configs-after-mitigation/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                                           RISK

2024-01-12  CVE-2024-21887  Command Injection vulnerability in Ivanti Connect Secure and Policy Secure   network, low complexity, ivanti, CWE-77, critical, 9.1
            A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

2024-01-12  CVE-2023-46805  Improper Authentication vulnerability in Ivanti Connect Secure and Policy Secure   network, low complexity, ivanti, CWE-287, 8.2
            An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.