Cyber Nightmare: Ivanti Appliances Resilient to Factory Resets, Hackers Maintain Root Control

Think your Ivanti’s got the cyber sniffles? CISA’s latest reveal is a sneeze-fest: hackers can root around post-factory reset! Tough cookies for Ivanti’s Integrity Checker, it’s outwitted by these digital Houdinis. Time for a cyber checkup! #CybersecuritySneakAttack

Hot Take:

Looks like hitting the “factory reset” button on your Ivanti appliance is about as effective as trying to fix your computer by giving it an encouraging pat on the back. CISA’s got the cybersecurity world buzzing like a hive of confused bees after revealing that attackers are playing hide-and-seek with Ivanti’s Integrity Checker Tool, and the game is rigged!

Key Points:

  • Attackers are maintaining root persistence on Ivanti appliances, even post-factory reset, using vulnerabilities with ratings from “this isn’t great” to “critical.”
  • Ivanti’s Integrity Checker Tool is missing the cybersecurity equivalent of Waldo, failing to spot compromises and giving the all-clear on infected systems.
  • CISA’s own lab tests confirm that Ivanti’s ICT might need a pair of glasses since it’s not enough to detect those pesky, persistent cyber squatters.
  • Ivanti’s official stance is akin to “Move along, nothing to see here,” but CISA is flashing warning signs like a lighthouse in a storm.
  • As a drastic cyber-hygiene measure, CISA advised federal agencies to disconnect, reset, rebuild, and rethink their life choices regarding Ivanti Connect Secure and Ivanti Policy Secure instances.

CVE ID: CVE-2024-21887
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/12/2024
CVE description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

CVE ID: CVE-2024-21893
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/31/2024
CVE description: A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

CVE ID: CVE-2024-22024
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 02/13/2024
CVE description: An XML external entity (XXE) vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways allows an attacker to access certain restricted resources without authentication.

CVE ID: CVE-2021-22893
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 04/23/2021
CVE description: Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure, which can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.

CVE ID: CVE-2023-46805
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/12/2024
CVE description: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Need to know more?

The Proof is in the Persistence

Imagine thinking you've booted unwanted guests out of your house, only to find them chilling in the basement with a new paint job and a fake mustache. That's what's happening with Ivanti's appliances. Despite what should be a clean slate post-reset, attackers are digging in their heels like a toddler who won't leave the playground. And to add insult to injury, Ivanti's ICT is giving these digital squatters a nod of approval, blissfully unaware of the chaos they're causing.

Can't See the Forest for the Trees

CISA rolled up their sleeves and went full CSI: Cyber, only to discover that the ICT couldn't spot a compromise if it was wearing neon signs. It's a classic case of "looks fine to me" until you realize your digital house is full of termites. The takeaway? Don't trust a tool that's more optimistic than a fortune cookie; get a second opinion, preferably from a human.

Trust Issues 101

Ivanti’s response to the advisory is like that friend who says they're "fine" when everything is clearly on fire around them. They assure us that the likelihood of persistence is as low as their detection rates. Meanwhile, CISA is waving red flags, suggesting that Ivanti customers might want to treat their devices like a sketchy tuna sandwich from a gas station: with a hefty side of suspicion.

Disconnect, Reset, Rebuild: The Federal Remix

CISA isn't just handing out advice; they're doling out orders. Federal agencies have been put on a cyber-detox, told to cut the cord on Ivanti devices faster than a teenager whose parents just discovered their phone bill. Once disconnected, agencies must go through a tech ritual: reset, rebuild, and pray to the cyber gods that all will be well. It's like a spa day for their network, minus the relaxation and cucumber water.

International Game of Hide-and-Seek

Just to twist the knife a bit more, let's not forget that nation-state actors were treating these vulnerabilities like a playground before everyone else jumped on the bandwagon. It's the cybersecurity equivalent of a VIP club, where the bouncer is a zero-day exploit and the music never stops. This digital drama is unfolding like an episode of a soap opera, with Ivanti appliances playing the role of the unsuspecting protagonist. Stay tuned for the next thrilling installment!

Tags: CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, CVE-2024-22024, Federal Agency Security, Integrity Checker Tool, Ivanti vulnerabilities, Root Persistence