Ivanti issues security updates to address high-risk Connect Secure and Policy Secure flaws


Ivanti has rolled out security updates to patch a slew of vulnerabilities affecting its Connect Secure and Policy Secure products.

Security updates cover four vulnerabilities, including a high-risk flaw (CVE-2024-21894) that can be abused for remote code execution. The vulnerability exists due to a boundary error within the IPSec component. A remote attacker can send specially crafted packets to the device, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

The three other bugs (CVE-2024-22052, CVE-2024-22053, CVE-2024-22023) are deemed medium risk, and could be exploited by a remote attacker to trigger a denial-of-service (DoS) condition.

The flaws impact Ivanti Connect Secure (formerly Pulse Connect Secure) v9.0R1 - 22.6R2.2, and Ivanti Policy Secure (formerly Pulse Policy Secure) v9.0R1 - 22.6.

Ivanti said that it is “not aware of any customers being exploited by these vulnerabilities at the time of disclosure.”

In January 2024, a China-linked state-backed threat actor was caught exploiting two zero-day vulnerabilities in the Ivanti Connect Secure VPN product to place web shells on corporate servers. Since then, multiple threat actors have been observed weaponizing Ivanti flaws to deploy malware.

In February 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) released a security advisory warning of ongoing exploitation of Ivanti product vulnerabilities (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893). Ironically, the agency itself had fallen victim to a cyberattack that exploited vulnerabilities in Ivanti products. The breach impacted two critical systems within CISA's infrastructure, prompting immediate action to take them offline. A few weeks later, CISA admitted that the attack potentially compromised the data of more than 100,000 individuals.
