Recent Ivanti Vulnerabilities: 4 Lessons Security Leaders Can Learn

[Editor's Note: This article has been updated with clarifying statements from Ivanti.]

Ivanti has had a rough start to the year. In January and February, the IT software company disclosed a series of VPN vulnerabilities impacting the Ivanti Connect Secure and Ivanti Policy Secure gateways. In February, the Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors were actively exploiting these vulnerabilities.  

As exploitation continued, CISA became one of the impacted organizations. The federal agency took down two of its systems affected by exploitation of the Ivanti vulnerabilities, The Record reported.  

“About a month ago CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses. The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time,” a CISA spokesperson shared in an emailed statement.  

What lessons can CIOs, CISOs, and other enterprise security leaders learn from these vulnerabilities, Ivanti’s response, and the exploitation of the bugs?  

Understand the VPN Vulnerabilities 

“From Jan. 10 to Feb. 8, there were five vulnerabilities disclosed; the nature of these vulnerabilities allows an unauthenticated actor to execute arbitrary commands with elevated privileges,” Nick Hyatt, director of threat intelligence at managed detection and response (MDR) company Blackpoint Cyber, tells InformationWeek in an email interview.  

Related:How to Evaluate a CISO Job Offer

The five vulnerabilities that impacted the Ivanti Connect Secure and Ivanti Policy Secure gateways are CVE-2023-46805 (CVSS 8.2), CVE-2024-21887 (CVSS 9.1), CVE-2024-21888 (CVSS 8.8), CVE-2024-21893 (CVSS 8.2), and CVE-2024-22024 (CVSS 8.3).  

This crop of VPN flaws in Ivanti’s products has led to criticism of the company’s cyber incident response. The company will likely need to work to regain customer trust following the exploitation of these bugs. In the meantime, enterprise leaders may be considering their choice of VPN solution.  

“There are other solutions out there that do this exact same thing that haven’t appeared on CISA KEV [Known Exploited Vulnerabilities Catalog] as much,” says Jacob Baines, CTO of VulnCheck, a vulnerability intelligence company. “But at the same time as other people pivot [to] other solutions, those solutions are going to get targeted … and we'll see in the future what type of vulnerabilities fall out of the new popular systems.” 

Related:How Ransomware Fallout Is Rippling Through the US Health Care System

The Ivanti vulnerabilities can be worth thinking about, even if an enterprise is not using its VPN products. Threat actors will look for similar vulnerabilities in other VPNs. “It's quite possible we'll see attacks very similar to this moving from product to product,” Jason Kent, hacker-in-residence at cybersecurity software company Cequence Security,” tells InformationWeek. “I imagine there are product security managers out there that are just ripping through their code right now, trying to figure out where these types of vulnerabilities might be hiding.”  

Recognize the Importance of Incident Response   

Enterprises using the impacted devices should assume compromise, according to CISA’s cybersecurity advisory. “There’s really no debate here -- given the availability of exploits and verified mass exploitation, potentially impacted organizations should be in full incident response mode,” says Hyatt.  

Ivanti released mitigation and then patches. “It is now Ivanti’s recommendation that all customers remove the mitigation, factory reset, or deploy a new build of a virtual appliance and apply the patch,” according to the company’s guidance.  

In its Feb. 29 cybersecurity advisory, CISA warned that threat actors were “… able to deceive Ivanti’s internal and external Integrity Checker Tool (ICT), resulting in a failure to detect compromise.” Ivanti notes in its guidance that it added new functionality to its external ICT, with plans to add that into its internal ICT in the future:

Related:Sign Up for InformationWeek's New Cyber Resilience Newsletter

“Ivanti, Mandiant, CISA and the other JCSA authoring organizations continue to recommend that defenders apply available patching guidance provided by Ivanti if they haven’t done so already, and run Ivanti’s updated Integrity Checker Tool (ICT), released on 27 February, to help detect known attack vectors, alongside continuous monitoring,” according to a spokesperson from Ivanti. “Ivanti and our partners are not aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets recommended by Ivanti.”

When vulnerabilities like these become subject to exploitation, it is vital for enterprise security teams to keep up with vendor mitigation and patches while kicking off their internal IR responses.  

“With vulnerabilities like this, if you haven’t patched (and sometimes even if you have!), you should assume breach and conduct response processes to validate otherwise,” says Hyatt. 

CISA’s recent compromise serves as a reminder that no organization is immune. “This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience,” the CISA spokesperson said in the agency’s statement.  

Anticipate the Potential Fallout 

What could that potential fallout look like? “Realistically, a total count of affected organizations will probably never be known, simply because there are likely companies out there that don’t even know they are compromised,” says Hyatt.  

These vulnerabilities can allow threat actors to gain elevated privileges in an enterprise’s network and execute commands. “It seems to me this is a great way to spread ransomware around [a] network,” says Kent.  

In addition to patching and following Ivanti’s recommendations, enterprise security teams can look for evidence of threat actor activity in their networks. “Start searching for things like new accounts that were created right around this timeline,” Kent recommends. “Make sure … no one has created an administrative password in this time that hasn't been vetted.”  

Additionally, security teams need to be on the alert for lateral movement. Kent stresses the importance of being able to recognize outliers. 

“I talk about outliers a lot in security, and when my computer never talks to your computer and then all of a sudden it does, that’s an outlier and it’s weird,” he explains. “Those are the kinds of things that people should be looking for in their network environments.”  

Consider the Consequences of Going Offline 

Is your enterprise prepared to take an important device offline in the event of vulnerability and potential breach? Downtime is expensive, costing hundreds or even thousands of dollars per minute depending on the business and its industry. Remote work can grind to a halt if employees are unable to use an enterprise’s VPN.  

“If there’s a security incident at a factory or production facility, those losses can be extraordinary,” says Hyatt. “If it’s just one system for an employee, maybe you lose a day of productivity.” 

In the case of the Ivanti vulnerabilities, CISA directed Federal Civilian Executive Branch agencies to disconnect impacted devices. The appliances needed to be rebuilt and reconfigured. CISA took two of its own systems offline following the compromise.  

Ivanti clarified CISA’s recommendations for addressing the vulnerabilities: “CISA has never instructed organizations to permanently take Ivanti systems out of production. CISA’s original directive to federal agencies was misinterpreted by media who only reported on the first step of the instructions. CISA made updates to their directive to correct this, and then subsequently updated again on February 9 to make it absolutely clear that you can turn the product on after patching,” according to the company’s blog.

With the decentralization of networks, Kent expects it is possible more vulnerabilities could prompt the advice to take impacted devices offline until a fix is available.  

“Not enough risk assessment goes into: ‘What if I have to turn that thing we just bought off?’” he says. It is possible to have a secondary solution in place for a VPN, for example, but are organizations prepared to spin up that solution in the event of an incident? 

Kent argues that enterprises should incorporate this scenario into incident response planning. “This should be a tabletop exercise that every CISO puts into their tabletop exercises binder,” he says.  

Threat actors will continue to seek ways to exploit vulnerabilities in edge systems, products from Ivanti and many other companies. “What it all comes down to is that organizations need to start keeping a good inventory on the systems and software they're exposing to the entire world and minimizing that as much as possible,” says Baines.