Context
The NCSC is encouraging organisations to take immediate action to mitigate vulnerabilities affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893), and follow the latest vendor advice.
Key points to note and next actions
The NCSC notes that Ivanti has published an updated advisory detailing four vulnerabilities affecting Connect Secure and Policy Secure gateways.
Ivanti is aware of active exploitation of some of these vulnerabilities.
- CVE-2023-46805 — an authentication bypass vulnerability in the web component of ICS (9.x, 22.x) and IPS which allows a remote attacker to access restricted resources by bypassing control checks.
- CVE-2024-21887 — a command injection vulnerability in web components of ICS (9.x, 22.x) and IPS which allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
- If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation doesn’t require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.
- CVE-2024-21888 — a privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) which allows a user to elevate privileges to that of an administrator.
- CVE-2024-21893 — a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA which allows an attacker to access certain restricted resources without authentication.
The NCSC will continue to monitor for any impact of these vulnerabilities on UK organisations.