Global Impact (at time of dissemination)
• 23,240 Connect Secure publicly-facing hosts worldwide
• 100 of these hosts have ICS/SCADA capabilities
• 120+ of these hosts have database capabilities
Top affected countries:
1. US
2. Japan
3. Germany
4. UK
5. France
Summary
Censys is aware that on April 2, 2024, Ivanti released the following four vulnerabilities affecting “all supported versions” of its Connect Secure and related Policy Secure products:
CVE-2024-21894 (Heap Overflow)
CVE-2024-22052 (Null Pointer Dereference)
CVE-2024-22053 (Heap Overflow)
CVE-2024-22023 (XML entity expansion or XXE).
Asset Descriptions
Connect Secure is a “VPN solution for remote and mobile users from any web-enabled device to corporate resources.”
Policy Secure “(IPS) is a network access control (NAC) solution which provides network access only to authorized and secured users and devices.”
Impact
The combined or even separate affects of the exploitation of the following vulnerabilities by adversaries would likely disrupt a customer organization’s secure remote access capabilities via Connect Secure and create problems for employees accessing enterprise services via the Policy Secure product. The magnitude of the effects of such attacks would depend on how heavily an organization relied on these two products for other assets and operations throughout their enterprise.
CVE-2024-21894’s heap overflow vulnerability allows an unauthenticated attacker to send requests to crash the assets thereby causing a DoS attack and may also lead to execution of arbitrary code.
CVE-2024-22052’s null pointer dereference vulnerability allows an unauthenticated attacker to attempt the same DoS attack.
CVE-2024-22053’s heap overflow vulnerability allows an unauthenticated attacker to attempt the same DoS attack or, in certain conditions, read contents from memory.
CVE-2024-22023’s XML entity expansion vulnerability allows an unauthenticated attacker to temporarily cause resource exhaustion thereby resulting in a limited-time DoS.
Affected Assets
According to Ivanti, this issue affects all supported versions of Connect Secure and Policy Secure Gateways – “Version 9.x and 22.x.”
Censys’ Rapid Response Team was able to identify Ivanti Connect Secure assets. Since Ivanti Policy Secure assets are assets that work with Connect Secure assets from behind network perimeters, Censys recommends looking internally for these assets. Below are queries that will accurately uncover Connect Secure that are publicly-facing, affected by the aforementioned vulnerabilities, and recently observed from our scans.
Censys ASM Risk Name for Potentially Vulnerable Devices
“Vulnerable Ivanti Connect Secure Application [CVE-2024-21894, CVE-2024-22052, CVE-2024-22053, CVE-2024-22023]”
Censys ASM customers will see this risk applied to affected assets in their workspaces. Those that have signed up for Rapid Response Automated Risk Alerting will be contacted directly regarding affected assets.
Censys ASM Query for Exposed Assets.
This query is shared for customers who wish to refine or alter versioning for customized operations.
Censys Search Query
services.software: (vendor: “Ivanti” and product: “Connect Secure”)
Recommendations for remediation
from Ivanti state that “There is a patch available now for all supported versions of the product via the standard download portal. We strongly encourage customers to act immediately to ensure they are fully protected.
Patch versions:
Ivanti Connect Secure: 22.1R6.2, 22.2R4.2, 22.3R1.2, 22.4R1.2, 22.4R2.4, 22.5R1.3, 22.5R2.4, 22.6R2.3, 9.1R14.6, 9.1R15.4, 9.1R16.4, 9.1R17.4 and 9.1R18.5.
Ivanti Policy Secure: 22.4R1.2, 22.5R1.3, 22.6R1.2, 9.1R16.4, 9.1R17.4 and 9.1R18.5.”
If you need assistance in positively identifying these assets, please let us know.
