RCE in Ivanti Connect Secure and Policy Secure (CVE-2024-21887)
Description
Ivanti Connect Secure and Ivanti Policy Secure Gateways contain a critical command injection vulnerability (CVE-2024-21887) that allows remote code execution. This vulnerability is particularly severe because it can be chained with an authentication bypass flaw (CVE-2023-46805), enabling unauthenticated attackers to execute arbitrary commands on affected systems. Successful exploitation grants attackers complete control over the vulnerable gateway appliance.
Remediation
Take immediate action to remediate this critical vulnerability:
1. Apply Security Updates
Upgrade to the patched versions as specified by Ivanti:
• Ivanti Connect Secure: Version 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 or later
• Ivanti Policy Secure: Version 9.1R17.2, 9.1R18.3, 22.5R1.2 or later
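A practical first step is to check every appliance's reported version against the patched builds listed above. The script below is an added example written for this page, not Ivanti's own tooling: it parses Ivanti's `MAJOR.MINORRrelease.build` version strings and reports whether an appliance is at or above a listed fix build. Its one assumption, made deliberately from a defender's stance, is that a version on a release line the advisory does not list (for example 9.1R15.x) is reported as `not-listed` and should be treated as unremediated until confirmed against Ivanti's guidance. The inventory at the bottom is constructed sample data.

```python
import re

# Patched versions exactly as listed in the advisory for CVE-2024-21887.
PATCHED = {
    "Ivanti Connect Secure": ["9.1R14.4", "9.1R17.2", "9.1R18.3", "22.4R2.2", "22.5R1.1"],
    "Ivanti Policy Secure": ["9.1R17.2", "9.1R18.3", "22.5R1.2"],
}

# Ivanti version syntax: MAJOR.MINOR, "R", release number, optional ".build".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Turn '22.5R1.1' into (22, 5, 1, 1); a missing build counts as 0.
    Returns None when the string is not a well-formed Ivanti version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, release, build = m.groups()
    return (int(major), int(minor), int(release), int(build or 0))


def assess(product, version):
    """Classify one appliance version:
    'patched'      same release line as a listed fix and build >= fix build
    'vulnerable'   same release line as a listed fix but an older build
    'not-listed'   release line not in the advisory (assumption: treat as
                   unremediated until verified with the vendor)
    'unparseable'  version string did not match Ivanti's format"""
    v = parse_version(version)
    if v is None:
        return "unparseable"
    for fixed in PATCHED[product]:
        f = parse_version(fixed)
        if v[:3] == f[:3]:  # same line, e.g. both on 9.1R14
            return "patched" if v[3] >= f[3] else "vulnerable"
    return "not-listed"


def triage(inventory):
    """Return (host, product, version, status) for every appliance that is
    not confirmed patched, so the list doubles as the patch work queue."""
    findings = []
    for host, product, version in inventory:
        status = assess(product, version)
        if status != "patched":
            findings.append((host, product, version, status))
    return findings


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("vpn-gw-01", "Ivanti Connect Secure", "9.1R14.4"),
    ("vpn-gw-02", "Ivanti Connect Secure", "22.4R2.1"),
    ("vpn-gw-03", "Ivanti Connect Secure", "9.1R15.2"),
    ("nac-01", "Ivanti Policy Secure", "22.5R1.1"),
    ("nac-02", "Ivanti Policy Secure", "22.5R1.3"),
    ("nac-03", "Ivanti Policy Secure", "unknown"),
]

if __name__ == "__main__":
    for host, product, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {product:24} {version:10} {status}")
```

Feed it the version each gateway reports and anything that does not come back `patched` goes on the remediation list; the `not-listed` and `unparseable` results are there precisely so that an odd release line or a typo in an asset database cannot silently pass as fixed.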
2. Perform Integrity Checks
Before patching, run Ivanti's Integrity Checker Tool to detect potential compromise. If indicators of compromise are found, perform a factory reset and restore from a known-good backup.
3. Implement Temporary Mitigations (if patching is delayed)
• Restrict administrative access to trusted IP addresses only
• Enable enhanced logging and monitoring for suspicious activity
• Review and rotate all credentials and API keys
4. Post-Remediation Actions
• Monitor for unusual network traffic or unauthorized access attempts
• Review access logs for evidence of exploitation prior to patching
• Consider implementing additional network segmentation around VPN gateways