HIGH SEVERITY VULNERABILITIES IN IVANTI PRODUCTS

Risk: high
Damage: high
Platform(s): Ivanti Products
Advisory ID: ngCERT-2024-0024
Version: N/A
CVE: CVE-2024-21894, CVE-2024-22053, CVE-2024-22052, CVE-2024-22023
Published: July 12, 2024

Summary


ngCERT has become aware of multiple high severity vulnerabilities in some Ivanti products that affect the IPSec component of Ivanti Connect Secure and Ivanti Policy Secure gateways. These vulnerabilities can be exploited by unauthenticated attackers to send specially crafted requests that can crash the vulnerable systems and services, resulting in a denial-of-service (DoS) condition. In some cases, the attackers may also be able to execute arbitrary code or access sensitive information on the compromised systems. ngCERT urges individuals and organizations using the affected products to apply the available patches from Ivanti as soon as possible to prevent potential attacks by cyber criminals.

Description & Consequence


The following vulnerabilities have been reported in Ivanti products:

a. CVE-2024-21894: A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) that can allow an unauthenticated attacker to send a specially crafted request that can crash the service or execute arbitrary code on the target system.

b. CVE-2024-22053: A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) that can allow an unauthenticated attacker to send a specially crafted request that can crash the service or execute arbitrary code on the target system.

c. CVE-2024-22052: A null pointer dereference vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) that can allow an unauthenticated attacker to send a specially crafted request that can crash the service and cause a DoS condition.

d. CVE-2024-22023: An XML entity expansion vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) that can allow an unauthenticated attacker to send a specially crafted request that can cause excessive CPU consumption and memory exhaustion, leading to a DoS condition or information disclosure.

Successful exploitation of the vulnerabilities could allow attackers to:

a. Compromise the affected systems and execute arbitrary code.

b. Access and exfiltrate sensitive data from the affected systems.

c. Deploy ransomware or other malicious software on the affected systems.

d. Disrupt the availability and functionality of the affected systems and services.

Solution


ngCERT recommends the following actions:

a. Users of the affected products should upgrade to the latest patched versions provided by Ivanti as soon as possible. The patches can be accessed via Ivanti's standard download portal.

b. Users of the affected products should also apply the following workarounds to reduce the risk of exploitation:

• Disable the IPSec feature if it is not required.

• Restrict the access to the IPSec port (500/UDP) to trusted sources only.

• Enable firewall rules to block malicious traffic to the IPSec port.

• Monitor the system logs and network traffic for any suspicious activity.
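One way to check that the 500/UDP restriction is actually holding and to monitor for traffic that bypasses it, as an added example that is not part of the ngCERT advisory or of Ivanti's tooling. It assumes the firewall in front of the gateway writes Linux netfilter LOG-style lines; the trusted networks, the sample log lines and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

IKE_PORT = 500  # IPSec port named in the advisory (500/UDP)
# Assumption: networks of the trusted IPSec peers (documentation ranges).
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("198.51.100.0/24", "2001:db8:10::/48")]
# key=value fields as written by the Linux netfilter LOG target.
FIELD_RE = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

def is_trusted(addr, nets=TRUSTED_NETS):
    """True if addr lies inside one of the trusted peer networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
    return any(ip.version == net.version and ip in net for net in nets)

def untrusted_ike_sources(lines, nets=TRUSTED_NETS):
    """Count UDP/500 packets per source outside the trusted networks."""
    hits = Counter()
    for line in lines:
        f = dict(FIELD_RE.findall(line))
        if f.get("PROTO") != "UDP" or f.get("DPT") != str(IKE_PORT):
            continue
        try:
            if not is_trusted(f["SRC"], nets):
                hits[f["SRC"]] += 1
        except (KeyError, ValueError):
            # Missing or malformed source address: surface it, do not drop it.
            hits["<unparseable>"] += 1
    return dict(hits)

# Constructed sample lines, not taken from any real system.
SAMPLE_LOG = [
    "Jul 12 10:00:01 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.0.2.10 PROTO=UDP SPT=500 DPT=500 LEN=428",
    "Jul 12 10:00:02 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=40112 DPT=500 LEN=1400",
    "Jul 12 10:00:02 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=40113 DPT=500 LEN=1400",
    "Jul 12 10:00:03 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=500 LEN=60",
    "Jul 12 10:00:04 fw kernel: IN=eth0 OUT=eth1 SRC=2001:db8:ffff::1 DST=2001:db8:10::5 PROTO=UDP SPT=500 DPT=500 LEN=300",
    "Jul 12 10:00:05 fw kernel: IN=eth0 OUT=eth1 SRC=not-an-ip DST=192.0.2.10 PROTO=UDP SPT=500 DPT=500 LEN=90",
]

if __name__ == "__main__":
    for src, count in sorted(untrusted_ike_sources(SAMPLE_LOG).items()):
        print(f"{src}\t{count} packet(s) to {IKE_PORT}/UDP from outside the allowlist")
```

Any source it reports is either a gap in the allowlist rule or a peer that still needs to be added to the trusted set.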

Reference


Revision

