Introduction

In recent cybersecurity news, the Ivanti VPN breach has been a significant event. This breach has raised concerns about the security of VPNs and the potential risks they pose to organizations. Please read on for a breakdown of the Ivanti VPN breach, including how it was discovered, the potential organizational risks, and how to mitigate the vulnerabilities and defend against such attacks. But first, if you'd like a little background on the zero-day exploits and the vulnerabilities themselves, check out a previous TraceSecurity article by Information Security Analyst Joshua Ivy, titled Ivanti VPN Zero-Day Actively Exploited.

Discovery

The vulnerabilities, CVE-2023-46805 and CVE-2024-21887, were discovered by the cybersecurity firm Volexity through forensic analysis of collected memory samples. Two different zero-day exploits were identified which can be chained together to achieve unauthenticated remote code execution (RCE). A third vulnerability, CVE-2024-21893, is also at play. According to the National Institute of Standards and Technology, this is a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and ZTA gateways that allows an attacker to access certain restricted resources without authentication.

The Breach

The Ivanti breach occurred when hackers exploited Ivanti's enterprise VPN devices. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed these vulnerabilities, as it was among the organizations that were compromised. In its case, the impact was limited to two systems, which were immediately taken offline. There is some speculation as to which two systems were affected, but CISA has yet to confirm. Many other organizations are now collaborating on detection and mitigation; one of them is the U.S. National Security Agency, which is actively tracking these cyberattacks. A joint security advisory has been released identifying the three specific Connect Secure and Policy Secure vulnerabilities and announcing two very important findings: because it can be deceived, the Ivanti Integrity Checker Tool is insufficient for detecting compromise, and attackers may be able to retain root-level persistence on an Ivanti device even after a factory reset has been performed.

What Other Systems May Be at Risk?

Unfortunately, these vulnerabilities impact all supported versions (9.x and 22.x) of Ivanti Connect Secure and Ivanti Policy Secure gateways, so any organization using these products could potentially be at risk. Ivanti has released patches for certain versions, which are available through its Connect Secure download portal.

Defend and Mitigate

To defend against these attacks, CISA and other agencies have recommended several important steps: limit outbound internet connections from SSL VPN appliances, keep all operating systems and firmware up to date, and limit SSL VPN connections to unprivileged accounts. In addition to patches, Ivanti has released mitigation measures, which involve importing an XML file into affected products to apply the necessary configuration changes. Furthermore, CISA has advised businesses to first run an external integrity checker tool to see whether their endpoints were compromised (again, not the Ivanti integrity checker tool).

Conclusion

The Ivanti VPN breach serves as a stark reminder of the importance of robust cybersecurity measures. Organizations must stay vigilant, regularly update their systems, and employ comprehensive security strategies to protect against such threats. The discovery of new cyber threats will continue, so we must always seek out and share information to help bolster our defenses.

AJay Strong, Information Security Analyst

AJay started his cybersecurity career through the Fullstack Academy Cybersecurity Bootcamp at Louisiana State University. Upon graduating, he began teaching for Fullstack Academy and continues to teach for them part-time. At TraceSecurity, AJay works on our IT audits, risk assessments, penetration testing, and Qualys vulnerability assessments. He currently holds certifications in A+, Network+, and ITIL 4 Foundations. He is currently working toward a Bachelor of Science in Cyber Security and Information Assurance at Western Governors University.