Ivanti’s VPN Vulnerability Crisis: A Triple Threat Unfolds

In this week’s tech corner, we’re diving into the escalating situation surrounding Ivanti’s VPN vulnerabilities—because it seems like when it rains, it pours. Just when we thought grappling with two exploited vulnerabilities was tough, hackers have upped the ante by throwing a third one into the mix over the weekend.

Let’s unpack this latest headache: CVE-2024-21893, a server-side request forgery, has joined the fray. Ivanti dropped the news about this vulnerability on January 22, alongside another issue that, thankfully, hasn’t been exploited yet. But it didn’t take long—just nine days later, Ivanti was ringing the alarm bells about active exploitation, adding more chaos to an already tumultuous period. These vulnerabilities are making themselves at home in Ivanti’s Connect Secure and Policy Secure VPN offerings.

It’s been a rough ride, especially with the backdrop of two other vulnerabilities already being heavily exploited, mainly by a group thought to be backed by the Chinese government. Ivanti was on its toes, providing guidance for the initial vulnerabilities on January 11 and following up with a patch last week. Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) took a firm stance, instructing federal agencies to disconnect Ivanti VPN products until they’re thoroughly reworked and updated.

Despite these efforts, by Sunday, CVE-2024-21893’s exploitation had ballooned, affecting more than just a “small number of customers” as initially reported by Ivanti. A graph from security researchers at Shadowserver starkly illustrates this vulnerability’s rapid climb starting on Friday. And, at the time of writing, this newcomer’s exploitation levels have even surpassed those of the earlier vulnerabilities, CVE-2023-46805 and CVE-2024-21887.

Here’s the kicker: systems that were patched against the previous vulnerabilities were still left vulnerable to CVE-2024-21893. And there’s a particular allure to this new bug for hackers—it’s nestled in Ivanti’s implementation of the open-source Security Assertion Markup Language (SAML). This means that savvy attackers can sidestep normal authentication and waltz straight into the admin controls of the server.
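The column names the bug class (a server-side request forgery in the SAML component) but not its mechanism, and nothing below is Ivanti's code or a description of the actual flaw. As an added, generic illustration of what an SSRF guard looks like in an identity component that must fetch URLs on a caller's behalf, the example validates a proposed fetch target before any request is made: only an allowlisted scheme and host are accepted, embedded credentials are refused, and IP literals are checked so that loopback, link-local and private ranges (the usual way an SSRF is steered at a server's own internal endpoints) are rejected. The function name, the allowlist and the sample URLs are all constructed for this example.

```python
"""Outbound-fetch guard against SSRF in a SAML-style component.

Added example, not Ivanti's code. Assumes a component that fetches
attacker-influenced URLs (e.g. IdP metadata) and must refuse to be
pointed at internal or unexpected hosts.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical policy: only TLS fetches, only to hosts the operator configured.
ALLOWED_SCHEMES = {"https"}


def classify_literal_ip(host):
    """If `host` is an IP literal, return a rejection reason, else None.

    Hostnames are left to the allowlist; IP literals are never accepted,
    and the reason distinguishes the internal ranges that SSRF typically
    targets so the log line says why the fetch was refused.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # not an IP literal
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) must be judged as its IPv4 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_loopback:
        return "loopback address"
    if addr.is_link_local:
        return "link-local address"
    if addr.is_private:
        return "private address"
    if addr.is_unspecified or addr.is_multicast or addr.is_reserved:
        return "non-routable address"
    return "IP literal not permitted; use an allowlisted hostname"


def check_fetch_target(url, allowed_hosts):
    """Return (ok, reason) for a URL the component is about to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return (False, f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if not host:
        return (False, "missing host")
    if parts.username or parts.password:
        return (False, "credentials embedded in URL")
    reason = classify_literal_ip(host)
    if reason:
        return (False, reason)
    if host.lower() not in {h.lower() for h in allowed_hosts}:
        return (False, f"host {host!r} not in allowlist")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate target and several
    # typical SSRF redirections that the guard must refuse.
    allowed = ["idp.example.com"]
    samples = [
        "https://idp.example.com/saml/metadata",
        "http://idp.example.com/saml/metadata",
        "https://127.0.0.1/admin",
        "https://169.254.169.254/latest/meta-data/",
        "https://[::ffff:127.0.0.1]/admin",
        "https://10.0.0.5/internal",
        "https://user:pw@idp.example.com/",
        "https://evil.example.net/metadata",
    ]
    for s in samples:
        ok, why = check_fetch_target(s, allowed)
        print(f"{'ALLOW' if ok else 'DENY ':5} {s}  ({why})")
```

The deliberate design choice is to refuse every IP literal rather than only the known-bad ranges: an allowlist of operator-configured hostnames is a much smaller surface than trying to enumerate internal address space, and it also defeats decimal, octal or mixed-notation forms of an address that a range check would otherwise have to normalise first.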

Adding fuel to the fire, security firm Rapid7 released proof-of-concept exploit code on Friday, which probably didn’t help the situation. But it’s not just Rapid7’s code at play here—Shadowserver observed active exploits a few hours before the release. All these exploits seem to follow the same playbook, targeting a specific part of the Ivanti VPNs’ authentication process.

Now, why are VPNs such a hot target? They’re the gatekeepers to a network, the first line of defense. Once hackers breach a VPN, they often gain access to much more sensitive parts of a network. This whole saga has been a tough pill to swallow for Ivanti’s security reputation and has left security pros scrambling to contain the damage. The situation was made worse by a patch delay and hackers finding ways around Ivanti’s initial mitigation advice.

In light of these challenges and high stakes, CISA’s directive to rebuild all servers from the ground up after applying the latest patch seems like a wise move. While this directive is aimed at government agencies, given the turmoil and difficulties in securing Ivanti VPNs lately, it’s probably a smart play for everyone involved.
