3 months since #ConnectAround vulns in Ivanti Pulse Connect

Ivanti have announced they plan to radically change how they work to reposition around customer security: https://www.ivanti.com/blog/our-commitment-to-security-an-open-letter-from-ivanti-ceo-jeff-abbott

It’s a good move. I just went back and looked at my Ivanti Pulse Connect internet survey and re-ran it - it looks like about 10% of systems no longer run that product. It’s both the right thing by customers and a smart business move to try to stop the bleeding.

Our Commitment to Security: An Open Letter from Ivanti CEO Jeff Abbott | Ivanti

Ivanti CEO Jeff Abbott outlines his plan to bolster product security, enhance Ivanti's vulnerability management program and provide enhanced support for secure product deployments in the field.

Soooo ... that integrity checker tool that Ivanti wants customers to use to detect compromise? It doesn't scan more than a dozen directories including /data, /etc, /tmp, and /var. As a test of what was possible, @n0x08 installed the Sliver C2 tool in /data and ran the integrity checker tool and it passed. Patched Ivanti VPNs could very well still be compromised even if the integrity checker tool gave them an all-clear.

We also found numerous extremely old software packages, including a Linux kernel that was EOL in 2020 (CentOS 6.4). Yikes!

https://eclypsium.com/blog/flatlined-analyzing-pulse-secure-firmware-and-bypassing-integrity-checking/

#ivanti #connectsecure #connectaround
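The failure mode described above, as an added illustration that is not Ivanti's integrity checker, Eclypsium's code, or anything from the original posts: a baseline-manifest file integrity check that hashes every regular file, run once with an exclusion list modelled on the directories the post says the ICT skips (/data, /etc, /tmp, /var; the list here is an assumption for the demo, not the vendor's real exclusion list), and once without. A constructed "appliance" tree is built in a temporary directory, an implant file is dropped under data/, and the two scans are diffed. The excluding scan reports a clean appliance; the full scan reports the new file.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Top-level directories the hypothetical checker skips. Illustrative only,
# modelled on the post's description of the vendor tool; not its real config.
EXCLUDED_DIRS = ("data", "etc", "tmp", "var")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, excluded=()) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root,
    pruning any top-level directory whose name is in `excluded`."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        top = rel_dir.parts[0] if rel_dir.parts else ""
        if top in excluded:
            dirnames[:] = []  # do not descend into an excluded tree
            continue
        for name in filenames:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
        ),
    }


def demo():
    """Build a constructed appliance tree, baseline it, plant an implant in
    data/, and return (diff with exclusions, diff without exclusions)."""
    with tempfile.TemporaryDirectory() as td:
        root = Path(td)
        # Constructed sample filesystem, not real appliance content.
        sample = {
            "bin/app": b"\x7fELF fake application binary",
            "home/webserver/index.html": b"<html>login</html>",
            "data/config.db": b"sqlite fake",
        }
        for rel, content in sample.items():
            dest = root / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(content)

        baseline_excl = build_manifest(root, EXCLUDED_DIRS)
        baseline_full = build_manifest(root)

        # Post-compromise: a C2 implant is written to the excluded data/ tree.
        (root / "data" / "implant").write_bytes(b"\x7fELF fake C2 implant")

        with_exclusions = diff_manifests(baseline_excl, build_manifest(root, EXCLUDED_DIRS))
        without_exclusions = diff_manifests(baseline_full, build_manifest(root))
        return with_exclusions, without_exclusions


if __name__ == "__main__":
    excl, full = demo()
    print("scan honouring exclusions:", excl)   # every list empty: "all clear"
    print("scan of every directory:  ", full)   # added: ['data/implant']
```

The point the demo makes is that an exclusion list is a blind spot by construction: a file that was never in the baseline and is never rescanned cannot produce a diff, so a clean ICT result says nothing about the excluded trees. Treat a vendor integrity check as one input to an investigation, not a verdict, and scan the writable paths too.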

I have created an Nmap script to detect likely vulnerable Ivanti Connect Secure and Ivanti Policy Secure versions.
https://github.com/krausedw/nmap-scripts/blob/main/http-vuln-ivanti-ics-ips.nse
#Ivanti #ConnectAround #threatintel

The deadline has now passed for US federal government agencies to disconnect all Ivanti Pulse Secure systems from their networks. (Not all have, btw).

https://www.cisa.gov/news-events/directives/supplemental-direction-v1-ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure

More soon on why the USG have told people to kill the product. It’s bad.

#ConnectAround #threatintel

IPs that are scanning for, or exploiting, vulnerable Ivanti devices (a la GreyNoise) - Updated Feb 01 2024


Here is the latest mitigation for #ConnectAround visualised by @wdormann, if you want to know how the US Government is getting comprehensively owned again.

Spoiler: ../.. cyber mega threat. #threatintel

CISA re #ConnectAround "As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks."

https://www.securityweek.com/cisa-sets-48-hour-deadline-for-removal-of-insecure-ivanti-products/

#threatintel

CISA Sets 48-hour Deadline for Removal of Insecure Ivanti Products

In an unprecedented move, CISA is directing federal agencies to disconnect insecure Ivanti VPN products within 48 hours.


More hilarity on #ConnectAround - there are now two NEW vulnerabilities in Ivanti Pulse Secure, being actively exploited as zero days too - no patches for many versions.

Updated advisory with updated mitigations you need to reapply:
https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

CVEs: CVE-2024-21893 and CVE-2024-21888

CERT advisory: https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-205101-1032.pdf?__blob=publicationFile&v=2

Ivanti recommend you factory reset your devices in their advisory.

HT @fthy

#threatintel


Latest on #ConnectAround - the vendor promised patches weeks later, but hasn’t been hitting its own milestones to release said patches.

https://www.securityweek.com/ivanti-struggling-to-hit-zero-day-patch-release-schedule/

#threatintel

Ivanti Struggling to Hit Zero-Day Patch Release Schedule

Ivanti is struggling to hit its own timeline for the delivery of patches for critical -- and already exploited -- flaws in VPN appliances.


Latest #ConnectAround issue - there’s no patch, and the mitigation silently fails to work if an admin makes a config change elsewhere.

If you run Pulse Secure I’d suggest being very cautious.

https://www.bleepingcomputer.com/news/security/ivanti-vpn-appliances-vulnerable-if-pushing-configs-after-mitigation/

#threatintel

Ivanti: VPN appliances vulnerable if pushing configs after mitigation

Ivanti warned admins to stop pushing new device configurations to appliances after applying mitigations because this will leave them vulnerable to ongoing attacks exploiting two zero-day vulnerabilities.
