Ivanti VPN Zero-Day Combo Chained ‘by China’
2024-1-12 23:21:48 Author: securityboulevard.com (view original)

[Image: headshot of Ivanti CEO Jeff Abbott]

Under active exploitation since last year—but still no patch available.

A critical zero-day and another high-severity CVE are being chained together to attack users of Ivanti Connect Secure. The hackers—believed to be Chinese state actors—are using the unpatched vulns to break into networks and move laterally.

Ivanti CEO Jeff Abbott (pictured) is feeling the heat. In today’s SB Blogwatch, we see what his customers are thinking.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Zack Snyder’s STAR WARS.

I’d Normally Yell PATCH NOW — But You Can’t

What’s the craic? Jonathan Greig reports—“Ivanti customers urged to patch vulnerabilities”:

Still in the process of developing a patch
The issues relate to Ivanti Connect Secure — a widely-used VPN tool. One of the bugs … carries a severity score of 8.2. It allows a hacker to “access restricted resources by bypassing control checks.” The other … would help an attacker send commands to a device and has a severity score of 9.1. Ivanti warned that the hackers are using the vulnerabilities together.

This would not be the first time Chinese state actors have targeted Ivanti’s Connect Secure products. In April 2021 … hackers breached the systems of a number of U.S. government agencies, critical infrastructure entities and other private sector organizations.

Ivanti is still in the process of developing a patch. … Patches will be released on a staggered schedule based on the version of the tool a customer has, with the first coming out in the week of January 22. The last version will come out the week of February 19. … Customers can install a mitigation [and] monitor their network traffic for suspicious activity and analyze the logs. … Indicators of compromise will be shared with customers who have confirmed they have been affected.

More detail, please? Shweta Sharma obliges—“Chinese hackers exploit Ivanti VPN zero days for RCE attacks”:

All the supported versions
The researchers discovered that the vulnerabilities have been chained together to effect complete unauthenticated remote code execution. Individually, CVE-2023-46805 is an authentication-bypass vulnerability, while CVE-2024-21887 is a command injection vulnerability.

The vulnerabilities also affect Ivanti Policy Secure devices, a per individual subscription of Ivanti Secure Connect. All the supported versions (9.x to 22.x) of Ivanti VPN services are affected.

Horse’s mouth? Volexity’s Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair and Thomas Lancaster—“Active Exploitation of Two Zero-Day Vulnerabilities”:

Chinese nation-state
The attacker leveraged these … two vulnerabilities … to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance. [We] observed the attacker backdooring a legitimate CGI file … to allow command execution. … The attacker also modified a JavaScript file used by the Web SSL VPN component of the device in order to keylog and exfiltrate credentials for users logging into it. [This] allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network.

[The] unknown threat actor … under the alias UTA0178 … is a Chinese nation-state-level threat actor. … It is critically important that organizations immediately apply the available mitigation from Ivanti and the patch that will follow. However, [this] will not resolve past compromise. It is important that organizations running ICS VPN appliances … look for any signs of successful compromise.

How well is Ivanti handling this problem? Kevin Beaumont—@[email protected]—is not impressed:

This is definitely being actively used in the wild – Ivanti have opted to hide that part, [hoping] customers and press are idiots. … It’s really widely used in enterprise space and government, so I would suggest it’s one to get skates on and may need a bunch of compromise assessments at larger orgs.

[But] most orgs don’t have the capability to detect suspected zero day exploitation of a VPN and call in … IR. They probably have Bob The Builder as an MSP and a security budget of 4 twigs.

Ivanti? Remind me. JEE and dark_15 do the honors:

Ivanti, formerly Pulse Secure, formerly Juniper, … formerly Netscreen, formerly Neoteris.

That’s quite the family tree. And Ivanti has vacuumed up other firms, says EvilSS:

Ivanti is having a month! There was a truckload of CVEs for their desktop management suite, now Pulse VPN is a problem—again.

Wish I could say I was surprised. I did a lot of work with AppSense going back almost a decade before they were bought then bought again by what became Ivanti. Ivanti ruined that group and it went from a product I recommended regularly for Citrix/VDI deployments to one I actively recommend against.

Yikes. gosand doesn’t sound surprised:

Having worked with mergers and acquisitions, one thing to look at is the company’s history, and name changes are an immediate red flag that requires further investigation. Many times companies will “re-brand” after breaches and whatnot to try and obfuscate who they were.

Are we being too hard on Ivanti? davidwr is more nuanced:

Perfection is unobtanium. … In the real world, I’ll settle for something like:
* Are your products and services the best I can get for the price I’m willing to pay? I need to know I’m not being robbed blind.
* Are you being honest about how good your products and services are? I need to know where my remaining vulnerabilities are.
* What level of support/updates are available and at what price? What level of expert human support is available if I need it, and at what price?

[But] if your company has a recent reputation for making stupid mistakes and not handling them well, I will probably still look elsewhere—even if the answers to the questions above are acceptable.

And siliconaddict damns Ivanti with faint praise:

There is no product on that planet that can’t be hit by a zero day. None.

It’s how they respond to the issue that should make you consider if you should drop them. Well, that and how often a zero day happens. If a company has this happen year after year after year … it should make you question the quality of their software.

Meanwhile, to myowntrueself be true: [You’re fired—Ed.]

Give them a break, they’ve been keeping this open for the NSA to use. … I don’t think they are doing too badly.

And Finally:

Surely time for a proper reboot?

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Ivanti

Article source: https://securityboulevard.com/2024/01/ivanti-vpn-zero-day-china-richixbw/