Report a cybercrime, cyber security incident or vulnerability.
Report

What are you looking for?

You can search for keywords to find pages that can help you e.g. scam
First published: 11 Jan 2024
Last updated: 01 Feb 2024

Content written for

Small & medium business
Large organisations & infrastructure
Government

This alert is relevant to Australians who are running or administering instances of Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS). These vulnerabilities impact all supported versions – Version 9.x and 22.x. This alert is intended to be understood by technical users.

Customers are encouraged to apply any available mitigations and patches as soon as possible.

ASD’s ACSC is aware a patch is now available to address the vulnerabilities.

Please see below advice from Ivanti:

ASD’s ACSC is aware of reports that threat actors have developed workarounds to the current mitigation and detection methods, leading to reported ongoing exploitation activity.

ASD’s ACSC strongly advises organisations operating vulnerable Ivanti Connect Secure and Ivanti Policy Secure products to conduct investigation and monitoring for potential compromise of systems. ASD’s ACSC recommends organisations monitor authentication, account usage and identity management services, and consider isolating systems from any enterprise resources as much as possible.

Ivanti has updated their mitigation advice warning Administrators to not push new device configurations to appliances after applying mitigations.

KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways

  • Ivanti advises customers not to push other configurations to appliances with the mitigation XML in place, until Ivanti releases a complete patch and it is applied.
  • When an alternative configuration is pushed to the appliance, it may prevent the mitigation from functioning.
  • This applies to customers who push configurations to appliances, including configuration pushes through Pulse One or nSA.
  • This can occur regardless of a full or partial configuration push.

Background / What has happened?

  • Ivanti has released security advisories and mitigations for 2 critical vulnerabilities in the Ivanti Connect Secure and Ivanti Policy Secure gateways.
  • CVE-2023-46805 is an authentication bypass vulnerability in the web component of ICS (9.x, 22.x) and IPS and allows a remote attacker to access restricted resources by bypassing control checks.
  • CVE-2024-21887 is a command injection vulnerability in web components of ICS (9.x, 22.x) and IPS and allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
  • Ivanti is aware of active exploitation of these vulnerabilities.

Affected versions / applications:

  • CVE-2023-46805: This vulnerability impacts all supported versions ICS (9.x, 22.x) and IPS
  • CVE-2024-21887: This vulnerability impacts all supported versions ICS (9.x, 22.x) and IPS

Mitigation / How do I stay secure?

Organisations that use Ivanti Connect Secure and/or Ivanti Policy Secure should follow the mitigations advice provided in the Ivanti Security Advisory below:

Assistance / Where can I go for help?

Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).

Was this information helpful?

Thanks for your feedback!

Optional

Tell us why this information was helpful and we’ll work on making more pages like it