Beware the Illusion: Ivanti Gateways’ False Security Exposed by Global Spy Alliance

Beware: Cyber villains are outwitting Ivanti’s Integrity Checker Tool, with the Five Eyes sounding the alarm. Laugh in the face of danger? Not today—these flaws are no joke. #CybersecurityClash

Hot Take:

Oh, Ivanti, you sneaky fox, making a tool that’s supposed to sniff out the bad guys but instead plays a riveting game of hide-and-seek with malware! The Five Eyes are giving us the stink eye, telling us that even our shiny security tools might need a security blanket of their own. And just when you thought hitting the reset button was like taking a cybersecurity shower, turns out it’s more like spraying cologne after a workout—masking the problem but not quite eliminating it.

Key Points:

  • The Five Eyes alliance is giving us the cybersecurity equivalent of “I told you so,” warning about Ivanti’s security flaws being a playground for cyber crooks.
  • Ivanti’s Integrity Checker Tool is about as effective as a chocolate teapot, with malware like BUSHWALK playing hide-and-not-get-caught in the no-scan zones.
  • Factory resets are not the cyber panacea we hoped for; they’re more like hitting snooze on an alarm clock for root-level persistence.
  • Five vulnerabilities have been the cyber version of a red carpet, inviting uninvited guests to a malware party since January 2024.
  • Ivanti is playing catch-up by releasing a beefed-up version of ICT, promising a game of peekaboo with every file on the system.

CVE ID: CVE-2024-21893
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/31/2024
CVE description: A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

CVE ID: CVE-2024-22024
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 02/13/2024
CVE description: An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.

CVE ID: CVE-2024-21887
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/12/2024
CVE description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

CVE ID: CVE-2024-21888
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/31/2024
CVE description: A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.

CVE ID: CVE-2023-46805
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/12/2024
CVE description: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Need to know more?

Hide and Seek Champions: Malware Edition

Picture this: You've got a security tool, the Ivanti Integrity Checker Tool, that's supposed to be the bouncer at the door, but instead, it's letting malware slip by in its blind spots. Mandiant caught onto this little masquerade when they found the malware BUSHWALK tucked away in a directory that's apparently "not it" when it comes to ICT's game of tag. It's like finding out the fox guarding the henhouse is actually best buds with the wolves.

The No-Scan Zone

Guess what? This isn't breaking news. Eclypsium already waved a big red flag earlier this month, saying ICT has a VIP list of directories it just won't touch. That's right, there are a dozen of them, and if you're malware, congratulations, you've got a backstage pass. It's like having a security camera system that only records when nothing's happening.
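To make the blind-spot problem concrete, here is an added example (not Ivanti's ICT code, and the excluded directory name is a constructed stand-in, not ICT's real exclusion list): a minimal integrity checker that hashes every file under a root, compared against the same checker with an exclusion list. A file planted in the excluded directory is invisible to the pruned scan and visible to the full one.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical exclusion list, constructed for this example only.
EXCLUDED_DIRS = frozenset({"tmp_cache"})


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, excluded=frozenset()) -> dict:
    """Map relative path -> digest for every regular file under root,
    skipping any directory whose name is in `excluded`."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Pruning dirnames in place is exactly how an exclusion list
        # becomes a blind spot: nothing below these names is ever hashed.
        dirnames[:] = [d for d in dirnames if d not in excluded]
        for name in filenames:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = file_digest(p)
    return manifest


def verify(baseline: dict, current: dict) -> dict:
    """Return added, removed and modified paths relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> tuple:
    """Plant a constructed file in the excluded directory; compare both scans."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "tmp_cache").mkdir()
        (root / "bin" / "httpd").write_bytes(b"legit binary")
        baseline = build_manifest(root)  # clean-system baseline, no exclusions
        (root / "tmp_cache" / "dropped.so").write_bytes(b"constructed implant")
        pruned = verify(baseline, build_manifest(root, EXCLUDED_DIRS))
        full = verify(baseline, build_manifest(root))
        return pruned["added"], full["added"]
```

Running `demo()` returns an empty list for the pruned scan and `["tmp_cache/dropped.so"]` for the full scan, which is the whole difference between a checker that reports nothing and one that finds the implant.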

Press Reset? More Like Press Your Luck

If you thought that hitting the factory reset button was like getting a brand-new device, the Five Eyes would beg to differ. They're basically saying any sophisticated cyber baddie can turn your device into a sleeper agent, ready to wake up and wreak havoc whenever it fancies. It's the cybersecurity equivalent of thinking you've got rid of ants by sweeping them under the rug.

The Vulnerability Party

Let's have a roll call for the vulnerabilities that have been living it up at Ivanti's expense since the start of the year: CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893, and CVE-2024-22024. These are not your average partygoers; they're the ones who overstay their welcome, raid the fridge, and leave a mess in the living room.

Ivanti's Counter-Move

In the red corner, we have Ivanti, coming out swinging with promises of a new and improved ICT. They're claiming they didn't even see any cyber thugs hanging around after their last security shindig (also known as updates and factory resets). The new ICT is supposed to be like having a personal guard for each file, making sure no malware dresses up in invisible cloaks.

Tags: advanced malware deployment, BUSHWALK malware, FVEY advisory, Ivanti Connect Secure, Ivanti Policy Secure, known vulnerabilities exploitation, root-level persistence