Scrape Timestamp (UTC): 2024-04-05 17:42:52.096
Original Article Text
New Ivanti RCE flaw may impact 16,000 exposed VPN gateways.

Approximately 16,500 Ivanti Connect Secure and Policy Secure gateways exposed on the internet are likely vulnerable to a remote code execution (RCE) flaw the vendor addressed earlier this week.

The flaw is tracked as CVE-2024-21894 and is a high-severity heap overflow in the IPSec component of Ivanti Connect Secure 9.x and 22.x, potentially allowing unauthenticated users to cause a denial of service (DoS) or achieve RCE by sending specially crafted requests.

Upon disclosure on April 3, 2024, the internet search engine Shodan showed 29,000 internet-exposed instances, while the threat monitoring service Shadowserver reported seeing roughly 18,000.

At the time, Ivanti stated that it had seen no signs of active exploitation against any of its customers but urged system administrators to apply the updates as soon as possible.

Two days later, Shadowserver added CVE-2024-21894 to its scanning capabilities, reporting that about 16,500 instances are vulnerable to the RCE flaw.

Most of those instances (4,700) are in the United States, with Japan (2,000), the UK (1,000), Germany (900), France (900), China (500), the Netherlands (500), Spain (500), Canada (330), India (330), and Sweden (320) following with significant levels of exposure too.

High-risk vulnerabilities in Ivanti products often act as a point of breach for organizations worldwide. Earlier this year, it was revealed that state-sponsored threat actors leveraged multiple flaws in Ivanti products, namely CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, and CVE-2024-21893, while they were zero-days, meaning the vendor did not know about the flaws and no fixes were available. This was followed by widespread exploitation by multiple hacking groups, which deployed custom web shells to backdoor devices.
A report published today by Mandiant dives deeper into high-profile recent bug exploitation cases targeting Ivanti endpoints, focusing on Chinese hackers from five distinct activity clusters and a malware family named 'SPAWN' used in these attacks. System administrators who have not applied the available mitigations and fixes for CVE-2024-21894 are advised to follow the vendor's instructions in this knowledge base article.
Daily Brief Summary
Ivanti Connect Secure and Policy Secure gateways face a critical RCE vulnerability that could impact around 16,500 internet-exposed instances.
The vulnerability, identified as CVE-2024-21894, is a heap overflow in the IPSec component that could allow unauthenticated remote code execution or denial of service.
Initial reports from Shodan and Shadowserver indicated between 18,000 and 29,000 exposed instances, with a subsequent Shadowserver report narrowing it down to 16,500 vulnerable gateways worldwide.
Ivanti has released updates to mitigate the flaw and has not observed active exploitation against its customers but urges system administrators to apply the updates immediately.
The majority of vulnerable instances are located in the United States, Japan, and the UK, with other countries also having significant exposure.
Past Ivanti product vulnerabilities were exploited by state-sponsored actors and hacking groups to deploy custom web shells for unauthorized access to devices.
A Mandiant report examines in depth recent exploitation incidents involving Ivanti endpoints and details the 'SPAWN' malware family used by Chinese hackers in these attacks.
Administrators are strongly advised to implement available mitigations and fixes for CVE-2024-21894 according to Ivanti's guidance.