Cybersecurity company Ivanti is facing significant challenges in delivering promised patches for critical vulnerabilities in their Connect Secure VPN appliances. This delay has put organizations at risk that utilize these appliances for secure virtual private networks.
Ivanti acknowledges missed deadline
In a recent update to their advisory, Ivanti admitted to missing the deadline for delivering the necessary patches. The company cited concerns regarding the security and quality of each software patch release as the reason behind the delay. This setback impacts the targeted release of patches for supported versions, subsequently affecting all future patch releases.
Impact of patch delays
The delayed release of these critical patches has far-reaching consequences for organizations that rely on Ivanti’s VPN appliances. The absence of official fixes complicates the strict deadlines set by the US government’s cybersecurity agency, CISA, for Federal Civilian Executive Branch (FCEB) agencies to apply available fixes, detect infections, and share indicators of compromise.
Exploitation of vulnerabilities by a Chinese hacking team
The urgency to deliver these patches arises from the recent discovery made by Volexity. They uncovered a Chinese government-backed hacking team leveraging two zero-day vulnerabilities in Ivanti’s VPN appliances. These vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, have already been exploited by attackers to gain unauthorized access to US organizations.
The consequences for US organizations and government agencies
The delay in receiving official patches severely hampers the ability of US government agencies to protect their systems and data. CISA had issued an emergency directive requiring federal agencies to start deploying available fixes by January 22. This deadline is rapidly approaching, and the absence of patches puts agencies at a higher risk of being compromised.
CISA Emergency Directive
The emergency directive from CISA emphasizes the need for agencies to implement Ivanti’s published mitigation immediately to prevent future exploitation. However, the inability to access official patches poses a challenge to effectively comply with this directive. Organizations are left with limited options to mitigate the vulnerabilities and safeguard their valuable assets.
Description of the vulnerabilities
CVE-2023-46805 and CVE-2024-21887, the vulnerabilities targeted by the Chinese hacking team, pose significant risks to organizations using Ivanti’s VPN appliances. Exploiting these vulnerabilities allowed attackers to bypass security measures and gain unauthorized access to sensitive information. The implications of such breaches are profound and can lead to data theft, financial loss, and reputational damage.
Evading detection
Volexity researchers discovered that the attackers went to great lengths to evade detection by Ivanti’s Integrity Checker Tool. They modified legitimate components within the system and made specific changes aimed at bypassing security measures. These sophisticated tactics allowed the hackers to stay hidden while exploiting the vulnerabilities.
Pre-Patch Mitigations and Instructions from Ivanti
Understanding the urgency for protection, Ivanti has released pre-patch mitigations and instructions to help organizations minimize attack surfaces. These measures aim to provide temporary relief until the official patches become available. It is crucial for organizations to follow these guidelines diligently to mitigate the risks associated with the exploited vulnerabilities.
The struggle faced by Ivanti in delivering critical patches for their Connect Secure VPN appliances highlights the persistent challenges that organizations face in maintaining robust cybersecurity. The urgency in addressing these vulnerabilities cannot be understated, especially given the active exploitation observed by the Chinese hacking team. Organizations and government agencies must prioritize implementing proper security measures and diligently follow the mitigation instructions provided by Ivanti until the official patches are released. Only through prompt action and collaboration can organizations effectively protect their systems and data from potential breaches and an ever-evolving threat landscape.