Channel: iTWire - Business IT - Networking, Open Source, Security & Tech News

Volexity finds two zero-days being exploited in Ivanti Connect Secure VPN

Security firm Volexity says it has discovered active exploitation of two zero-day vulnerabilities in Ivanti Connect Secure VPN, with the two flaws being chained to allow an unauthenticated remote control exploit.

In a detailed blog post, the company said it had discovered the exploitation during the second week of December 2023, through one of its Network Security Monitoring service customers.

Having found suspicious lateral movement, Volexity researchers Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair and Thomas Lancaster wrote that closer inspection had found an attacker placing webshells on multiple internal and external-facing Web servers.

"These detections kicked off an incident response investigation across multiple systems that Volexity ultimately tracked back to the organisation's internet-facing Ivanti Connect Secure VPN appliance (formerly known as Pulse Connect Secure, or simply Pulse Secure)," they wrote.

"A closer inspection of the ICS VPN appliance showed that its logs had been wiped and logging had been disabled. Further review of historic network traffic from the device also revealed suspect outbound and inbound communication from its management IP address."

Volexity said analysis of one memory sample it collected uncovered the exploit chain used by the attacker, namely that two different zero-day exploits were being chained together to achieve unauthenticated remote code execution.

Ivanti has issued its own security advisories for the two vulnerabilities and released pre-patch mitigations for the issues. Full patches will be released on a staggered schedule beginning on 22 January.

Mike Walters, president and co-founder of risk-based patch management software vendor Action1, said: "The first vulnerability, CVE-2023-46805, is an authentication bypass vulnerability that allows remote attackers to access restricted resources without proper authorisation.

"The second vulnerability, CVE-2024-21887, is a command injection vulnerability that enables authenticated administrators to execute arbitrary commands on the appliance through specially crafted requests. These vulnerabilities together create a potent attack vector for cybercriminals to gain control of vulnerable systems and execute malicious commands effortlessly."

He said the impact seemed substantial, affecting all supported versions of Ivanti Connect Secure and Ivanti Policy Secure gateways, with more than 15,000 exposed devices online, as reported by Shodan.

"Exploitation can lead to arbitrary command execution, MFA bypass, and potentially full system compromise. Organisations that have not yet applied available mitigations and those lacking proper security measures like firewalls and intrusion detection systems are likely to experience the most severe consequences," Walters added.

In July last year, Ivanti made headlines when it was revealed that the company had initially blocked access to a security advisory about an exploitable zero-day in its Endpoint Manager Mobile software, formerly known as MobileIron Core.

Later the US-based endpoint software management firm apparently had second thoughts and opened up access to the advisory following an inquiry from iTWire.

Walters said both vulnerabilities had already been exploited in the wild, with evidence of threat actors attempting to manipulate Ivanti's Internal Integrity Checker.

"To exacerbate the situation, patches will not be available on a staggered schedule until the week of 22 January, leaving organisations exposed to potential attacks until then," he added.

"It is crucial for organisations to take immediate action by importing the available mitigation release from Ivanti's download portal."

Update, 12 January: Satnam Narang, senior staff research engineer at security firm Tenable, underlined the fact that the lack of a patch for the Ivanti vulnerabilities was of great concern.

"The anticipated wait time for a patch is several weeks – some product users will have to wait until February for a patch," he said.

"As soon as a proof-of-concept is available for this exploit chain, we expect malicious activity to spike, especially based on historical activity targeting these products.

"Mitigations are available, but there's no 'easy button' as it's all on the end user to know about the existence of these vulnerabilities and know how to apply the mitigations. Impacted organisations need to apply these as soon as possible."
