Ivanti VPN Vulnerability Fiesta: Hackers Gatecrash with New Exploit Wave!

VPN-pocalypse Now: Ivanti’s Connect Secure hit by hackers exploiting a fresh vulnerability faster than you can say ‘change your password.’

Hot Take:

Looks like Ivanti needs to change its slogan to “Connect Securely—Terms and Conditions May Apply.” Seems their VPN is more like a Very Punctured Network, with hackers treating these vulnerabilities like an all-you-can-eat buffet. And just when you thought your digital fort had enough moats, the hackers bring jet skis.

Key Points:

  • Ivanti’s VPN appliance, Connect Secure, is under siege again with a third vulnerability, CVE-2024-21893, now part of the hacker’s party playlist.
  • Over 40,000 Ivanti customers—including the who’s who of universities, healthcare, and banks—might need to rethink their “bring your own device” policy.
  • The plot thickens with over 630 unique IPs seen doing the exploit shuffle, a significant jump from the 170 figure last week.
  • Shadowserver’s got its eye on approximately 20,800 Ivanti devices still strutting their stuff on the internet stage, vulnerability status: It’s complicated.
  • While Ivanti has been patching holes faster than a sinking ship, the full fix-it flotilla hasn’t reached all customers yet.

CVE ID: CVE-2024-21893
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/31/2024
CVE description: A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

CVE ID: CVE-2023-46805
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/12/2024
CVE description: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

CVE ID: CVE-2024-21888
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/31/2024
CVE description: A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to those of an administrator.

CVE ID: CVE-2024-21887
CVE state: PUBLISHED
CVE assigner short name: hackerone
CVE date updated: 01/12/2024
CVE description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Need to know more?

Exploit Encore

Just when Ivanti thought it was safe to go back into the network, CVE-2024-21893 drops the beat with a server-side request forgery flaw that's got hackers lining up like it's Black Friday. Despite Ivanti's best efforts to slap patches on the problem, the vulnerabilities are spreading like gossip in a high school hallway.

Unwelcome Party Crashers

Steven Adair, the cybersecurity equivalent of a storm chaser, points out that any unpatched device is as compromised as a politician's email password. Shadowserver Foundation's Piotr Kijewski, aka the internet's neighborhood watch coordinator, notes a spike in shady IP addresses poking around Ivanti's vulnerabilities like nosy neighbors.

Playing Whack-a-Mole with Patches

Ivanti's patching strategy seems to be a high-stakes game of whack-a-mole, prioritizing the biggest players first. It's like boarding a lifeboat on the Titanic based on your LinkedIn connections. And with no clear timeline on when all customers will get their digital life jackets, it's a race against the hacker clock.

Who Dunnit?

While the first two bugs had a made-in-China label, the masterminds behind the latest exploit extravaganza remain a mystery. Ivanti's keeping mum faster than a secret agent under interrogation, not commenting on the mass exploitation reports. They're as tight-lipped about this as a kid who broke a vase and blames the cat.

The Government Disconnect

The U.S. cybersecurity agency CISA isn't waiting for the credits to roll on this cyber-thriller. They've ordered federal agencies to cut the Ivanti cord faster than a teenager's allowance after a bad report card. With only two days to comply, it's a digital detox that no one signed up for.

Tags: China-backed hacking, CVE-2024-21893, Exploitation Monitoring, Ivanti vulnerabilities, Server-side Request Forgery, VPN security, vulnerability patching