<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:150827312;
mso-list-template-ids:645028800;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:414596632;
mso-list-template-ids:-1640174624;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2
{mso-list-id:675112217;
mso-list-template-ids:1572093628;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3
{mso-list-id:879977933;
mso-list-type:hybrid;
mso-list-template-ids:-1586354610 794186876 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l3:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l4
{mso-list-id:1264722383;
mso-list-template-ids:1532238456;}
@list l4:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l4:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l5
{mso-list-id:1496217853;
mso-list-type:hybrid;
mso-list-template-ids:1152963076 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l5:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l5:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l5:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l5:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l5:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l5:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l5:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l5:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l5:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l6
{mso-list-id:1664965798;
mso-list-template-ids:136859296;}
@list l6:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l6:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l6:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l6:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l6:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l6:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l6:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l6:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l6:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><a name="_Hlk122600425">Good afternoon,<o:p></o:p></a></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="mso-ligatures:none"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="color:red">The previous alert has been updated. Updated information has been added in red.<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">The SOC Services team is reporting on the vulnerability:
<b><i>CVE-2024-21887 & CVE-2023-46805 Ivanti Connect Secure and Policy Secure Command Injection & Authentication Bypass</i></b>.
<span style="color:red">Two additional vulnerabilities were also disclosed: <b><i>CVE-2024-21888 & CVE-2024-21893 Privilege Escalation for Ivanti Connect Secure and Ivanti Policy Secure</i></b></span>. Due to the high visibility and active exploitation of these vulnerabilities, we
are providing this in-depth information:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><u>History</u></b>: On January 10, 2024, Ivanti published mitigation guidance around two vulnerabilities for Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Policy Secure
gateways. CVE-2024-21887 is a command injection vulnerability and is currently assigned a CVSSv3 rating of 9.1 (Critical), while CVE-2023-46805 is an authentication bypass vulnerability and is currently assigned a CVSSv3 rating of 8.2 (High). The CVEs were
established on January 10, 2024 and CISA added the vulnerabilities to their list of Known Exploited Vulnerabilities on the same date.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="color:red">On January 31, 2024, Ivanti published an additional security article disclosing two newly detected vulnerabilities in their ICS products. CVE-2024-21888 is a privilege escalation
vulnerability in the web component of Ivanti Connect Secure and is currently assigned a CVSSv3 rating of 8.8 (High), while CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure and is currently assigned a
CVSSv3 rating of 8.2 (High). These CVEs were established on January 31, 2024, and CISA added CVE-2024-21893 to their list of Known Exploited Vulnerabilities on the same date.<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">The following products are affected:<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo3"><span style="mso-bookmark:_Hlk122600425">Version 9.x<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo3"><span style="mso-bookmark:_Hlk122600425">Version 22.x<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="color:red">Ivanti has released the following patches to address all known vulnerabilities:<o:p></o:p></span></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="color:red;margin-left:0in;mso-list:l3 level1 lfo3">
<span style="mso-bookmark:_Hlk122600425">Version 9.1R14.4<o:p></o:p></span></li><li class="MsoListParagraph" style="color:red;margin-left:0in;mso-list:l3 level1 lfo3">
<span style="mso-bookmark:_Hlk122600425">Version 9.1R17.2<o:p></o:p></span></li><li class="MsoListParagraph" style="color:red;margin-left:0in;mso-list:l3 level1 lfo3">
<span style="mso-bookmark:_Hlk122600425">Version 9.1R18.3<o:p></o:p></span></li><li class="MsoListParagraph" style="color:red;margin-left:0in;mso-list:l3 level1 lfo3">
<span style="mso-bookmark:_Hlk122600425">Version 22.4R2.2<o:p></o:p></span></li><li class="MsoListParagraph" style="color:red;margin-left:0in;mso-list:l3 level1 lfo3">
<span style="mso-bookmark:_Hlk122600425">Version 22.5R1.1<o:p></o:p></span></li><li class="MsoListParagraph" style="color:red;margin-left:0in;mso-list:l3 level1 lfo3">
<span style="mso-bookmark:_Hlk122600425">ZTA Version 22.6R1.3<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="color:red"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="color:red">Ivanti reports that remaining supported versions will be patched in a staggered schedule.<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">Further information is available from Ivanti as published in their security announcement:<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo3"><span style="mso-bookmark:_Hlk122600425">Ivanti Announcement on CVE-2024-21887 & CVE-2023-46805 –
</span><a href="https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US"><span style="mso-bookmark:_Hlk122600425">https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US</span><span style="mso-bookmark:_Hlk122600425"></span></a><span style="mso-bookmark:_Hlk122600425"><o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo3"><span style="mso-bookmark:_Hlk122600425"><span style="color:red">Ivanti Security Article on CVE-2024-21888 & CVE-2024-21893</span></span><span style="mso-bookmark:_Hlk122600425"> -
</span><a href="https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US"><span style="mso-bookmark:_Hlk122600425">https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US</span><span style="mso-bookmark:_Hlk122600425"></span></a><span style="mso-bookmark:_Hlk122600425">
<o:p></o:p></span></li></ul>
<p class="MsoListParagraph"><span style="mso-bookmark:_Hlk122600425"><span style="background:yellow;mso-highlight:yellow"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><u>Intelligence</u></b>:
<span style="color:red">As of January 31, 2024, Ivanti and CISA are aware that CVE-2024-21893 has had targeted exploitation, while CVE-2024-21887 and CVE-2023-46805 have had widespread exploitation.</span> It is very likely that these exploits will continue
to be leveraged by threat actors over the coming months.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><u>Workarounds:</u></b>
<span style="color:red">Ivanti has provided mitigation information for cases where a patch cannot be applied; however, patching is strongly recommended. If a customer has applied the patch, no mitigation steps are needed.<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">Where the provided patch cannot be applied, Ivanti recommends that critical mitigation measures be taken, including the following:<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo3"><span style="mso-bookmark:_Hlk122600425">Import the configuration file provided by Ivanti’s download portal “mitigation.release.20240107.1.xml”<o:p></o:p></span></li><ul style="margin-top:0in" type="circle">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">This may impact or degrade features of Ivanti Connect Secure and Ivanti Policy Secure.<o:p></o:p></span></li></ul>
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo3"><span style="mso-bookmark:_Hlk122600425">Run the external integrity checker in addition to continuous monitoring.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">Further information about mitigation steps can be found in Ivanti’s KB article -
</span><a href="https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US"><span style="mso-bookmark:_Hlk122600425">https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US</span><span style="mso-bookmark:_Hlk122600425"></span></a><span style="mso-bookmark:_Hlk122600425"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><u><span style="background:yellow;mso-highlight:yellow"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><u>How it works</u></b>: At this time, little public information has been published by Ivanti. However, attacks have been observed using both CVEs. CVE-2023-46805 can allow an attacker to bypass
authentication and gain access to restricted resources by bypassing control checks. CVE-2024-21887 can allow an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. However, if used in conjunction
with CVE-2023-46805, CVE-2024-21887 does not require authentication. </span><span style="mso-bookmark:_Hlk122600425"><span style="color:red">CVE-2024-21893 can allow an unauthenticated attacker to achieve privilege escalation and gain access to restricted resources.</span></span><span style="mso-bookmark:_Hlk122600425"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="background:yellow;mso-highlight:yellow"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><u>Post-Exploit</u></b>: Upon successful exploitation of the vulnerabilities, attackers have been observed placing webshells on internal and external facing web servers, wiping and disabling ICS
VPN logs, modifying ICS components to evade ICS integrity checks, backdooring a legitimate CGI file to allow command execution, and modifying a JS file used by the Web SSL VPN component as a means to exfiltrate user credentials. After exfiltration, attackers
were then observed to gain access to systems on the network.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425">The following IOCs have been provided:<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo3"><span style="mso-bookmark:_Hlk122600425">Network traffic from ICS VPN appliances:<o:p></o:p></span></li><ul style="margin-top:0in" type="circle">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">Outbound connections via curl to IP Geolocation service ip-api[.]com and to Cloudflare (1.1.1.1)<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">Reverse SOCKS proxy and SSH tunnel connections through Cyberoam appliances with download.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">Reconnaissance of internal websites through proxied connections.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">Lateral movement using compromised credentials to connect to internal systems via RDP, SMB, and SSH.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">Transfer of multiple webshell variants to internet-accessible web servers and systems that were only internally accessible.<o:p></o:p></span></li></ul>
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo3"><span style="mso-bookmark:_Hlk122600425">Suspected domains and IP addresses:<o:p></o:p></span></li><ul style="margin-top:0in" type="circle">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">206.189.208.156<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">gpoaccess[.]com<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">webb-institute[.]com<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">symantke[.]com<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">75.145.243.85<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">47.207.9.89<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">98.160.48.170<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">173.220.106.166<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">73.128.178.221<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">50.243.177.161<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">50.213.208.89<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">64.24.179.210<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span 
style="mso-bookmark:_Hlk122600425">75.145.224.109<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">50.215.39.49<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">71.127.149.194<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">173.53.43.7<o:p></o:p></span></li></ul>
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo3"><span style="mso-bookmark:_Hlk122600425">Modifications to the following files on the appliance:<o:p></o:p></span></li><ul style="margin-top:0in" type="circle">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">/home/perl/DSLogConfig.pm<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">/home/etc/sql/dsserver/sessionserver.pl<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">/home/etc/sql/dsserver/sessionserver.sh<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">/home/webserver/htdocs/dana-na/auth/compcheckresult.cgi<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">/home/webserver/htdocs/dana-na/auth/lastauthserverused.js<o:p></o:p></span></li></ul>
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo3"><span style="mso-bookmark:_Hlk122600425">Creation and execution of the following files from the /tmp/ directory:<o:p></o:p></span></li><ul style="margin-top:0in" type="circle">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">/tmp/rev<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">/tmp/s.py<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">/tmp/s.jar<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">/tmp/b<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level2 lfo3"><span style="mso-bookmark:_Hlk122600425">/tmp/kill<o:p></o:p></span></li></ul>
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo3"><span style="mso-bookmark:_Hlk122600425">Deployment of malware and use of living-off-the-land techniques.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><span style="background:yellow;mso-highlight:yellow"><o:p> </o:p></span></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="mso-bookmark:_Hlk122600425">As of
<span style="color:red">January 27</span>, 2024, the following vulnerability plugins have been released and are currently in Tenable Security Center:<o:p></o:p></span></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr>
<td width="119" valign="top" style="width:89.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" align="center" style="text-align:center"><span style="mso-bookmark:_Hlk122600425"><b><u>Plugin<o:p></o:p></u></b></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td width="672" valign="top" style="width:7.0in;border:solid windowtext 1.0pt;border-left:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" align="center" style="text-align:center"><span style="mso-bookmark:_Hlk122600425"><b><u>Title<o:p></o:p></u></b></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td width="120" valign="top" style="width:90.2pt;border:solid windowtext 1.0pt;border-left:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" align="center" style="text-align:center"><span style="mso-bookmark:_Hlk122600425"><b><u>Severity<o:p></o:p></u></b></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
</tr>
<tr>
<td width="119" valign="top" style="width:89.5pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" align="center" style="text-align:center"><span style="mso-bookmark:_Hlk122600425"></span><a href="https://www.tenable.com/plugins/nessus/187908"><span style="mso-bookmark:_Hlk122600425">187908</span><span style="mso-bookmark:_Hlk122600425"></span></a><span style="mso-bookmark:_Hlk122600425"><o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td width="672" valign="top" style="width:7.0in;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b>Ivanti Connect Secure 9.x / 22.x Multiple Vulnerabilities (CVE-2023-46805 and CVE-2024-21887)<o:p></o:p></b></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td width="120" valign="top" style="width:90.2pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" align="center" style="text-align:center"><span style="mso-bookmark:_Hlk122600425">Critical<o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
</tr>
<tr>
<td width="119" valign="top" style="width:89.5pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" align="center" style="text-align:center"><span style="mso-bookmark:_Hlk122600425"></span><a href="https://www.tenable.com/plugins/was/114165"><span style="mso-bookmark:_Hlk122600425">114165</span><span style="mso-bookmark:_Hlk122600425"></span></a><span style="mso-bookmark:_Hlk122600425"><o:p></o:p></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td width="672" valign="top" style="width:7.0in;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><span style="color:red">Ivanti Pulse Connect Secure 9.x / 22.x Authentication Bypass<o:p></o:p></span></b></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td width="120" valign="top" style="width:90.2pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" align="center" style="text-align:center"><span style="mso-bookmark:_Hlk122600425"><span style="color:red">Critical<o:p></o:p></span></span></p>
</td>
<span style="mso-bookmark:_Hlk122600425"></span>
</tr>
<tr>
<td width="119" valign="top" style="width:89.5pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<span style="mso-bookmark:_Hlk122600425"></span></td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td width="672" valign="top" style="width:7.0in;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<span style="mso-bookmark:_Hlk122600425"></span></td>
<span style="mso-bookmark:_Hlk122600425"></span>
<td width="120" valign="top" style="width:90.2pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<span style="mso-bookmark:_Hlk122600425"></span></td>
<span style="mso-bookmark:_Hlk122600425"></span>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"><b><u>Recommended Actions</u></b>:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_Hlk122600425"> <o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="mso-list:l5 level1 lfo9"><span style="mso-bookmark:_Hlk122600425">Review logs for unexpected or anomalous activity.<o:p></o:p></span></li><li class="MsoNormal" style="mso-list:l5 level1 lfo9"><span style="mso-bookmark:_Hlk122600425">Scan environments using provided Tenable Nessus plugins.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l5 level1 lfo9"><span style="mso-bookmark:_Hlk122600425">Apply patches provided by vendor to vulnerable systems upon release and immediately after appropriate testing.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l5 level1 lfo9"><span style="mso-bookmark:_Hlk122600425">Apply mitigations where needed as provided by vendor to vulnerable systems immediately after appropriate testing.<o:p></o:p></span></li><li class="MsoNormal" style="mso-list:l5 level1 lfo9"><span style="mso-bookmark:_Hlk122600425">Apply the Principle of Least Privilege to all systems and services.</span><o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="702" style="width:526.5pt;border-collapse:collapse">
<tbody>
<tr style="height:63.0pt">
<td width="118" valign="top" style="width:88.35pt;padding:0in 4.65pt 0in 4.65pt;height:63.0pt">
<p class="MsoNormal" style="line-height:105%"><span style="color:#1F497D;mso-ligatures:none"><img border="0" width="121" height="87" style="width:1.2638in;height:.9097in" id="Picture_x0020_4" src="cid:image001.png@01DA5453.ABD5B860"></span><span style="color:#1F497D;mso-ligatures:none"><o:p></o:p></span></p>
</td>
<td width="493" valign="top" style="width:369.65pt;padding:0in 4.65pt 0in 4.65pt;height:63.0pt">
<p class="MsoNormal" style="line-height:105%"><b><span style="mso-ligatures:none">Cyber Security Services<o:p></o:p></span></b></p>
<p class="MsoNormal" style="line-height:105%"><span style="mso-ligatures:none">State of Oregon Cyber Security Services<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:105%"><span style="mso-ligatures:none">Enterprise Information Services | SOC<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:105%"><span style="mso-ligatures:none">Cyber Security Services (CSS)<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:105%"><span style="mso-ligatures:none">SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378<span style="color:#1F497D"><o:p></o:p></span></span></p>
</td>
</tr>
<tr>
<td width="611" colspan="2" valign="top" style="width:458.05pt;padding:0in 4.65pt 0in 4.65pt">
<p class="MsoNormal" style="line-height:105%"><i><span style="color:#2E74B5;mso-ligatures:none">“Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians.”<o:p></o:p></span></i></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</body>
</html>