Hackers Beware: CISA Clamps Down on Ivanti Security Flaws

In an urgent “off-and-patch” memo, CISA tells US agencies to sideline Ivanti gear faster than a clown at a rodeo, thanks to pesky hackers exploiting vulnerabilities. It’s patching season, folks—no connection until the coast is clear! 🛠️🚨 #IvantiSecurityScramble

Hot Take:

Looks like Ivanti’s New Year’s Resolution to avoid making headlines has already gone the way of my gym membership—abandoned faster than you can say “critical vulnerabilities”. CISA’s basically turned into that overbearing parent who won’t let the kids touch the cookie jar until they’ve proven they won’t make a mess. Spoiler alert: the jar is the internet and the cookies are the government agencies’ network security. Let the digital diet commence!

Key Points:

  • US Government agencies have been instructed to give Ivanti Connect Secure and Ivanti Policy Secure the cold shoulder until they’re patched and hacker-free.
  • This digital timeout was issued by CISA, who’s playing the role of cybersecurity hall monitor with Emergency Directive 24-01.
  • While Ivanti patched two critical boo-boos (CVE-2023-46805 & CVE-2024-21887), CISA spotted the bad guys already having a field day with them.
  • Agencies must now do the IT equivalent of spring cleaning, which includes everything from threat hunting to performing a factory reset.
  • There’s a digital roll call with CISA due by February 5, and over 22,000 Ivanti ICS VPNs are out there flashing their vulnerabilities like neon signs.

CVE ID: CVE-2024-21887
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/12/2024
CVE description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

CVE ID: CVE-2023-46805
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/12/2024
CVE description: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Need to know more?

Cleaning Up the Gear

January's been a wild ride for Ivanti, and not the good kind where you end up at Disneyland. They kicked off 2024 by playing Whack-A-Mole with a couple of critical security flaws that let hackers treat government networks like their own personal playground. Ivanti was quick to slap some patches on these, but CISA's got trust issues and now wants federal agencies to treat Ivanti products like they're radioactive until they're sure everything's squeaky clean.

Attack of the Cyber Boogeymen

CISA's not just being paranoid; they've seen the monsters under the bed—or more accurately, the hackers in the network. There's been a spike in cyber mischief since January 11, and CISA's basically telling everyone to batten down the hatches. They're doling out a cybersecurity checklist that feels like a boot camp for government IT departments to get back into Ivanti's good graces.

The Great Digital Detox

So, what's on the agenda for these agencies? They've got to go all Marie Kondo on their networks, hunting threats, monitoring who's swiping right on authentication services, and giving privileged accounts a stern talking-to. If they want to cuddle up with Ivanti's services again, they've got to undergo a full system detox—factory reset, software updates, and all. Plus, they've got homework due to CISA by February 5. No pressure.

Hide and Seek with VPNs

Meanwhile, there are more than 22,000 Ivanti ICS VPNs out in the wild, practically streaking through cyberspace with their vulnerabilities on full display. Almost 400 Ivanti VPN devices are also reportedly at risk, potentially turning into hacker playgrounds if left unchecked. It's like a game of hide and seek where nobody's hiding and the seekers are armed with exploits.

So there you have it, folks. The digital realm's got more drama than a reality TV show, and Ivanti's playing the lead role this season. As we wait to see if the government agencies can get their act together, here's to hoping that the next cybersecurity directive is more "routine check-up" and less "ER visit".
