Ivanti Discloses Fifth Vulnerability, Doesn’t Credit the Researchers Who Discovered It • The Log
By revealing another vulnerability in the Connect Secure, Policy Secure and ZTA gateways, Ivanti has confounded the outside researchers who discovered it.
Researchers at watchTowr blogged today that they were not credited with the discovery of CVE-2024-22024, the latest in a series of vulnerabilities affecting Ivanti gateways as the vendor continues to develop patches for supported versions.
The high-risk authentication bypass flaw only affects a limited number of supported versions, unlike the zero-days that preceded it, and according to Ivanti was discovered internally.
“As part of our ongoing investigation, we have discovered a new vulnerability as part of our internal review and testing of our code, which we are reporting as CVE-2024-22024,” the Ivanti article said.
However, watchTowr claims that its researchers were the first to bring the vulnerability to Ivanti’s attention on February 2, publishing screenshots of emails exchanged between it and Ivanti as proof.
Commenting on the above excerpt of Ivanti’s advisory, watchTowr said: “Today, Friday 9 February 2024, we are pleased to see that Ivanti has issued an advisory regarding this vulnerability.
“We found this comment a bit curious, but perhaps we have a new group of colleagues?” It went on to say that it was “surprised” to see the credit missing, but assumes this was accidental.
The vulnerability itself, which will please administrators across the country, is not as serious as others revealed over the past few weeks.
In addition to fewer versions being at risk, devices that applied the updated mitigation introduced on January 31 are automatically protected.
Those who applied the patch to their devices when it became available and completed a factory reset of their device(s) are also protected. Ivanti said there was no evidence to suggest it was actively exploited as a zero-day, although that was disputed.
The limited set of versions affected by the vulnerability is:
Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1)
Ivanti Policy Secure (version 22.5R1.1)
ZTA (version 22.6R1.3)
Like Fortinet, Ivanti has had a tough time with security lately.
In mid-January, the first reports emerged of zero-days in Ivanti products being exploited by attackers who were either pro-China or sponsored by Beijing.
Since then, Ivanti has been developing patches on a staggered schedule of its own, meaning it develops patches for the releases with the largest number of users first and works from there. In the meantime, it has issued a mitigation tool to keep people safe while they wait for patches.
This patch schedule was supposed to end on February 19, but when the first patch was announced at the end of January, Ivanti said this had been delayed.
What it also announced along with the first patch, and it would be funny if it weren’t so serious, was that while patching the first two zero-days it had found two more vulnerabilities, one of which was also exploited as a zero-day.
Better yet, Ivanti also said that attackers had created workarounds for the mitigation it had provided, so it had to create a new one, which still works to the best of our knowledge.
So there were four major security vulnerabilities in the space of a few weeks… and today the number is five.
The zero-days were under “full exploit” status within days, since proof-of-concept (PoC) code was published before Ivanti could develop patches. It was suspected at the time that 1,700 devices had been implanted with backdoors.
Underscoring the seriousness of the situation, CISA issued its second emergency directive last week, directing federal agencies to completely disconnect the products. This followed an initial advisory adding the first two zero-days to the “patch” list on the same day Ivanti revealed them.
The UK’s NCSC was also prompted into action today, publishing its own advice urging immediate patching of all five Ivanti vulnerabilities.