While the patches have been released, Ivanti users must rush to update their systems with the latest versions to avoid trouble. That’s because Ivanti addressed another serious vulnerability in Connect Secure VPN while the previously fixed issues went under attack.
Ivanti Vulnerability Fiasco Continues
Recently, Ivanti addressed another serious vulnerability affecting its Connect Secure, Policy Secure, and ZTA gateways.
According to its advisory, the firm detected the vulnerability while performing internal code testing, though, it seemingly caught the attention of another researcher with the alias “watchTowr” as well, who responsibly disclosed the flaw to Ivanti. Specifically, this vulnerability, CVE-2024-22024 (CVSS 8.3), affected the XML external entity (XXE) in the SAML component, allowing the attacker to access restricted resources without authentication.
Ivanti patched this vulnerability with the following product versions, assuring no active exploitation detections for the flaw.
- Ivanti Connect Secure versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2). The patch is also available for versions 9.1R15.3, 9.1R16.3, 22.1R6.1, 22.2R4.1, 22.3R1.1, and 22.4R1.1.
- Ivanti Policy Secure versions 9.1R17.3, 9.1R18.4 and 22.5R1.2, as well as 9.1R16.3, 22.4R1.1 and 22.6R1.1.
- ZTA gateways versions 22.5R1.6, 22.6R1.5 and 22.6R1.7.
Shortly after this vulnerability fix, researchers detected active exploitation of another vulnerability Ivanti patched recently. According to the post from Orange Cyberdefense, they found the vulnerability CVE-2024-21893 under attack soon after the PoC release.
They observed the attacks (with limited targets) going on to deploy a new backdoor. Identified as ‘DSLog’ backdoor, the malware is inserted into the Perl file called ‘DSLog.pm,’ maliciously modifying the logging module. This allows the malware to evade detection while ensuring persistent access for the attacker. Details about this malicious campaign are available in the researchers’ post.
The researchers initially detected 670+ compromised assets in early scans, observing a slight drop in this number in the following days. Given that the threat continues to exist, the researchers urge all users to ensure updating their devices with the latest firmware releases. Moreover, they also advise users to factory reset their devices before applying the fix.
Let us know your thoughts in the comments.
