Ivanti confirms 2 zero-day vulnerabilities are under attack

Volexity reported the vulnerabilities to Ivanti after discovering that suspected Chinese nation-state threat actors created an exploit chain to achieve remote code execution.

CISA urged enterprises to address two Ivanti zero-day vulnerabilities that remain unpatched amid reports of active exploitation by a Chinese nation-state threat actor.

Ivanti published a security advisory Wednesday for an authentication bypass vulnerability tracked as CVE-2023-46805 that affects Ivanti Policy Secure and a command injection flaw assigned CVE-2024-21887 in Ivanti Connect Secure (ICS) versions 9.x and 22.x. The zero-day vulnerabilities warranted a simultaneous alert from CISA warning users and administrators to apply workarounds while Ivanti develops patches. CISA also added the flaws to its Known Exploited Vulnerabilities catalog, which requires federal agencies to promptly remediate.

While CISA said Ivanti received reports of exploitation, Ivanti's security advisory did not address that threat. However, a separate blog post published by Volexity Wednesday revealed that the zero-day vulnerabilities were exploited by a nation-state actor. The cybersecurity vendor initially detected suspicious activity during the second week of December.

"Volexity currently attributes this activity to an unknown threat actor it tracks under the alias UTA0178. Volexity has reason to believe that UTA0178 is a Chinese nation-state-level threat actor," Volexity researchers wrote in the blog.

Prior to reporting the flaws to Ivanti, Volexity discovered that UTA0178 chained the zero-day vulnerabilities to achieve unauthenticated remote code execution on vulnerable systems. During the attack, Volexity observed the threat actor stealing configuration data, modifying existing files, downloading remote files and reverse tunneling from the ICS VPN appliance. While Volexity also stressed immediate action, the threat intelligence vendor said mitigations and even patches when released "will not resolve past compromise."

So far, only a limited number of customers have been compromised, but patches are not yet available.

"Ivanti is aware of less than 10 customers impacted by the vulnerabilities," Ivanti said in an email to TechTarget Editorial.

CVE-2023-46805 received a CVSS score of 8.2, and CVE-2024-21887 ranked higher with a 9.1 CVSS score. The latter was discovered in ICS, which features a remote access VPN -- a growing attack vector amid a rise in hybrid work.

Zero-trust access issues

Ivanti's security advisory also warned that if the vulnerabilities are chained, unauthorized attackers could execute arbitrary commands on the system. In addition, it addressed how the flaws could affect gateways used for control in its zero-trust access offering, Ivanti Neurons for ZTA. The good news is that the advisory emphasized ZTA gateways cannot be exploited when in production, but risks remain.

"If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway. Ivanti Neurons for Secure Access is not vulnerable to these CVEs; however, the gateways being managed are independently vulnerable to these CVEs," Ivanti wrote in the security advisory.

In addition to crediting Volexity in the security advisory, Ivanti also applauded Mandiant for "their continued partnership." Mitigations and workarounds are currently available, but the first round of patches will not be available until the week of Jan. 22. A final version will be released beginning Feb. 19.

"It is critical that you immediately take action to ensure you are fully protected," the security advisory said, while featuring a link to a knowledge base article with mitigations and workarounds.

Update: In a blog post updated Thursday evening, Mandiant said the threat actor used malicious web shells, dubbed Lightwire and Wirefire, to create backdoors and maintain persistent access to the ICS devices. Based on post-exploitation activity, Mandiant warned that the threat actor it tracks as UNC5221 anticipated the release of patches. UNC5221 deployed Lightwire and Wirefire for continued access, but the web shells were just two of five malware families used in the attacks, some of which enable authentication bypasses.

"This indicates that these are not opportunistic attacks, and UNC5221 intended to maintain its presence on a subset of high priority targets that it compromised after a patch was inevitably released," Mandiant wrote in the blog post.

Satnam Narang, senior staff research engineer at Tenable, said he is most concerned with the lack of patches and the anticipated wait time of several weeks. He also pointed to the recent targeting of other Ivanti products: over the summer, Ivanti patched three critical zero-day vulnerabilities that were under active exploitation, just one month apart, a pattern that signals attackers will likely take notice of these products.

"As soon as a proof of concept is available for this exploit chain, we expect malicious activity to spike, especially based on historical activity targeting these products," Narang said in an email to TechTarget Editorial. "Mitigations are available, but there's no 'easy button' as it's all on the end user to know about the existence of these vulnerabilities and know how to apply the mitigations."

Updated on 1/12/2024.

Arielle Waldman is a Boston-based reporter covering enterprise security news.
