iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
US cyber security body CISA releases an emergency directive concerning Ivanti Connect Secure and Ivanti Policy Secure bugs.
The US Cybersecurity and Infrastructure Security Agency (CISA) has released an emergency directive requiring all federal civilian executive branch agencies to upgrade immediately to mitigate a pair of critical vulnerabilities in Ivanti networking products.
CISA gave government agencies a 22 January deadline to download a series of fixes from Ivanti’s download portal and to report any indicators of compromise.
Further updates are to be applied as they become available, and agencies are expected to report to CISA a “complete inventory of all instances of Ivanti Connect Secure and Ivanti Policy Secure products on agency networks, including details on actions taken and results”.
The two vulnerabilities were first reported last week.
CVE-2023-46805 is an authentication bypass vulnerability in earlier versions of Ivanti Connect Secure and Ivanti Policy Secure. This flaw lets a remote attacker bypass control checks and access restricted resources, while CVE-2024-21887 is a command injection vulnerability in Ivanti Connect Secure and Ivanti Policy Secure. This vulnerability lets an authenticated administrator send requests to and execute arbitrary commands on the device and can be exploited remotely via the internet.
The Australian Cyber Security Centre (ACSC) released its own critical alert over the flaws on 12 January, but CISA is now reporting that threat actors are actively taking advantage of the bugs at scale.
“CISA has determined these conditions pose an unacceptable risk to federal civilian executive branch (FCEB) agencies and require emergency action,” CISA said in its alert.
“This determination is based on widespread exploitation of vulnerabilities by multiple threat actors, the prevalence of the affected products in the federal enterprise, the high potential for a compromise of agency information systems, the impact of a successful compromise, and the complexity of the proposed mitigations.”
According to security researchers at Rapid7, the number of affected devices varies, but a Shodan scan for just public-facing devices shows at least 7,000 machines, while scanning for the Ivanti welcome pages doubles that figure – although that figure is likely less accurate.
Regardless, the hard deadline for US agencies to deal with the pair of bugs suggests any other organisation using Ivanti’s software should follow suit.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
