Ivanti Discloses New Flaw in Policy Secure, Connect Secure VPN

A new vulnerability has been disclosed in certain versions of Ivanti’s Connect Secure VPN and Ivanti Policy Secure appliances.

This latest flaw (CVE-2024-22024), described by Ivanti as an XML external entity or XXE flaw, stems from the SAML component of Connect Secure, Ivanti Policy Secure and ZTA gateways. If exploited, the flaw could enable an attacker to access certain restricted resources without authentication.

“A patch is available now for Ivanti Connect Secure (versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2), Ivanti Policy Secure (versions 9.1R17.3, 9.1R18.4 and 22.5R1.2) and ZTA gateways (versions 22.5R1.6, 22.6R1.5 and 22.6R1.7),” according to Ivanti in an advisory on Thursday.

Ivanti said “we have no evidence of any customers being exploited by CVE-2024-22024,” although there are reports emerging on Twitter that the flaw is under active exploitation. “As part of the ongoing investigation, we discovered a new vulnerability as part of our internal review and testing of our code, which was also responsibly disclosed by watchTowr,” according to Ivanti.

A limited number of supported versions are impacted, including Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1 and Policy Secure version 22.5R1.1 and ZTA version 22.6R1.3. The company said that a mitigation provided on Jan. 31 for existing flaws is effective at blocking the vulnerable endpoint.

That mitigation is available now via the standard download portal, and Ivanti told customers that “it is critical that you immediately take action to ensure you are fully protected.”

The newest flaw comes as Ivanti continues to grapple with fallout from two vulnerabilities previously disclosed last month in Connect Secure and Policy Secure, CVE-2024-21887 and CVE-2023-46805, which have been widely exploited by threat actors and also led to an emergency directive by the U.S. government ordering federal agencies to temporarily disconnect all instances of the appliances from agency networks, perform a factory reset and then rebuild and upgrade them.

The investigation around CVE-2024-21887 and CVE-2023-46805 has also led to the discovery of other issues in various components of Connect Secure and Policy Secure, including a privilege escalation bug (CVE-2024-21888) and a server-side request forgery bug that gives threat actors access to “certain restricted resources” without authentication (CVE-2024-21893). That latter flaw is now being actively exploited in the wild, researchers have pointed out.

For this week’s latest flaw (CVE-2024-22024), Ivanti said that “customers who applied the patch released on 31 January or 1 February, and completed a factory reset of their appliance, do not need to factory reset their appliances again.”

“CVE-2024-22024 only applies to a limited number of versions,” said Ivanti. “However, all customers using Ivanti Connect Secure and Ivanti Policy Secure should promptly apply the patch for their supported version, when available, regardless of whether they installed prior patches from 31 January and 1 February, as the patch resolves all previously disclosed vulnerabilities.”

Go to Source