A new American emergency directive will see federal agencies disconnect all Ivanti Connect Secure (VPN) or Ivanti Policy Secure devices by midnight, Friday, Feb. 2.

These products are vulnerable, and the threats range from sophisticated actors exploiting the vulnerabilities for unauthorized access and command execution to potential data breaches and system compromises, CISA (the U.S. Cybersecurity and Infrastructure Security Agency) said in its directive on Wednesday.

“Agencies running affected products—Ivanti Connect Secure or Ivanti Policy Secure solutions—are required to immediately perform the following tasks: As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks,” CISA said.

“CISA has determined these conditions pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action,” it added in an earlier directive.

Ivanti’s security solutions, specifically Ivanti Connect Secure (VPN) and Ivanti Policy Secure (administration access), are integral to the cybersecurity framework of numerous U.S. federal agencies.

CISA now urges U.S. federal agencies to hunt for threats and monitor critical services for any signs of compromise. Agencies are also reminded to treat domain accounts associated with the affected products as compromised.

What’s Happening?

CISA first warned about the vulnerabilities on Jan. 19, noting that Ivanti had already released security patches for them on Jan. 10.

“Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems,” CISA said.

The vulnerabilities were specifically identified as CVE-2023-46805, an authentication bypass vulnerability, and CVE-2024-21887, a command injection vulnerability. CISA’s determination of the severity of the threat is based on the widespread exploitation of these vulnerabilities by multiple threat actors and the high potential for a compromise of agency information systems.

However, adding to the complexity, new vulnerabilities were identified on Wednesday, including a privilege escalation vulnerability and a server-side request forgery vulnerability, which could give attackers even more control over compromised systems. To address these issues, agencies are required to immediately implement Ivanti’s published mitigation and utilize Ivanti’s External Integrity Checker Tool to prevent future exploitation.

CISA’s Security Recommendations

CISA's key recommendations to agencies (and to anyone else running Ivanti Connect Secure or Ivanti Policy Secure) are as follows:

  • Immediate Disconnection: Organizations are instructed to disconnect the vulnerable products from their networks to prevent exploitation.
  • Threat Hunting and Monitoring: Continuous monitoring and threat hunting are advised to identify any signs of compromise or ongoing attacks.
  • Patch and Update: Ivanti has released patches and updates to address these vulnerabilities. Organizations must apply these fixes and follow specific remediation steps outlined by Ivanti and CISA.

Furthermore, CISA mandated resetting these devices following Ivanti’s guide, updating software, reapplying configurations, and changing all associated security credentials.

By Feb. 5, 2024, agencies must report their compliance status to CISA using a provided template and keep that status updated. By March 1, they must reset passwords and security tokens for all related accounts and submit a final compliance report.

CISA will support agencies by providing reporting templates, identifying threats, offering technical assistance, and maintaining communication on compliance and threat mitigation efforts. A report detailing agency compliance and unresolved issues will be delivered to key government officials by June 1, 2024.

Meanwhile, we recommend using a vetted, high-quality VPN (virtual private network) service like NordVPN — which has passed several security audits, proving its servers and infrastructure are secure — to be as safe as possible from critical vulnerabilities that threat actors can exploit.

We also recommend NordVPN, our leading provider, due to its other cybersecurity features, which include Threat Protection.
