CISA issues emergency directive to FCEB agencies on Ivanti Connect Secure, Policy Secure vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published Friday an Emergency Directive that directs Federal Civilian Executive Branch (FCEB) agencies running Ivanti Connect Secure and Ivanti Policy Secure to mitigate vulnerabilities in those products. The agency has observed widespread and active exploitation of vulnerabilities across these products. Successful exploitation of the vulnerabilities in the affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems.

The ED 24-01 ‘Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities’ directive instructs FCEB agencies to implement the mitigations, report indications of compromise to CISA, remove compromised products from agency networks, and follow the ED’s comprehensive instructions for restoring the products and bringing them back into service. It also calls for agencies to apply the updates to the products within 48 hours of Ivanti releasing them and to provide CISA with a report that includes a complete inventory of all instances of Ivanti Connect Secure and Ivanti Policy Secure products on agency networks, along with details on actions taken and results.

The emergency directive remains in effect until CISA determines that all agencies operating affected software have performed all required actions from this directive or the directive is terminated through other appropriate action. Although this directive is only for FCEB agencies, CISA encourages all organizations to address the vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure. 

CISA has determined conditions that pose an unacceptable risk to FCEB agencies and require emergency action. This determination is based on the widespread exploitation of vulnerabilities by multiple threat actors, the prevalence of the affected products in the federal enterprise, the high potential for a compromise of agency information systems, the impact of a successful compromise, and the complexity of the proposed mitigations. 

On Jan. 10, Ivanti disclosed information on the vulnerabilities in the affected products. CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that allows a remote attacker to access restricted resources by bypassing control checks.

CVE-2024-21887 is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. This vulnerability, which can be exploited over the internet, allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the affected products.

When exploited in tandem, these vulnerabilities allow a malicious threat actor to execute arbitrary commands on a vulnerable product. Ivanti has released temporary mitigation through an XML file that can be imported into affected products to make necessary configuration changes until the permanent update is available.

The CISA directive requires agencies to implement Ivanti’s published mitigation immediately for the affected products to prevent future exploitation. As this initial action does not remedy an active or past compromise, agencies are also required to run Ivanti’s External Integrity Checker Tool and take additional steps if indications of compromise are detected. Furthermore, the required actions in this emergency directive align with requirements in CISA’s Binding Operational Directive 22-01 and do not conflict with any previous requirements.

FCEB agencies running Ivanti Connect Secure or Ivanti Policy Secure solutions are required, as soon as possible and no later than 11:59 pm EST on Monday, Jan. 22, 2024, to download ‘mitigation.release.20240107.1.xml’ via Ivanti’s download portal and import it into the affected product, following Ivanti’s instructions to ensure a correct import and avoid service outages. Immediately after importing the XML file, they must download and run Ivanti’s External Integrity Checker Tool; running the tool will reboot the affected product.

The emergency directive said that if indications of compromise are detected, FCEB agencies must immediately report them to CISA through ‘[email protected].’ They must also remove compromised products from agency networks, initiate incident analysis, preserve data from the compromised devices through the creation of forensic hard drive images, and hunt for indications of further compromise.

The guidance also stipulated that to bring a compromised product back into service, agencies must reset the device running the affected Ivanti software to factory default settings, then download ‘mitigation.release.20240107.1.xml’ via Ivanti’s download portal and import it into the affected product. Agencies must carefully follow Ivanti’s instructions to ensure a correct import and avoid service outages.

To fully restore a compromised product and bring it back into service, agencies are also required to follow Ivanti’s instructions and perform several additional actions on all compromised products. These include revoking and reissuing any stored certificates, resetting the admin enable password, resetting stored API keys, and resetting the password of any local user defined on the gateway, including service accounts used for auth server configuration(s).

The emergency directive also laid down that FCEB agencies must apply updates that address the two vulnerabilities referenced in this directive to the affected products as they become available and no later than 48 hours following their release by Ivanti. One week after the issuance of this directive, they must report to CISA a complete inventory of all instances of Ivanti Connect Secure and Ivanti Policy Secure products on agency networks, including details on actions taken and results.

CISA will provide agencies with a template that will be used for reporting agency actions following the issuance of this directive. The agency will also continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate. CISA will provide technical assistance to agencies that need more internal capabilities to comply with this directive.

By June 1, this year, CISA will provide a report to the Secretary of Homeland Security, the National Cyber Director, the Office of Management and Budget (OMB) director, and the Federal Chief Information Security Officer identifying cross-agency status and outstanding issues.

In August, CISA and the Norwegian National Cyber Security Centre (NCSC-NO) released a cybersecurity advisory in response to the active exploitation of the CVE-2023-35078 and CVE-2023-35081 vulnerabilities. Between April and July last year, advanced persistent threat (APT) actors exploited a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM) as a zero-day. This allowed them to extract data from several Norwegian organizations and compromise the network of a Norwegian government agency.
