Ivanti has released fixes for four vulnerabilities in its Connect Secure and Policy Secure products, all of which are exploitable remotely without authentication, and one of which can lead to arbitrary code execution.
The most serious of the vulnerabilities is a heap buffer overflow (CVE-2024-21894) in the IPSec implementation in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS), which can allow a remote unauthenticated attacker to execute arbitrary code in some circumstances. That flaw, like the other three that Ivanti fixed this week, affects all versions of the 9.x and 22.x software branches.
Another of the bugs (CVE-2024-22053) is also a heap buffer overflow, but can’t be used for remote code execution.
“A heap overflow vulnerability in IPSec component of Ivanti Connect Secure and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack or in certain conditions read contents from memory,” the advisory says.
The remaining two vulnerabilities (CVE-2024-22052 and 22023) can allow an attacker to cause a DoS on a vulnerable appliance.
The disclosure of these four vulnerabilities comes at a time when many organizations are still dealing with the fallout from the disclosure of several zero days in the ICS and IPS appliances in January. At least one APT group from China was exploiting those two vulnerabilities (CVE-202421887 and CVE-2024-46805) before they were disclosed, and since then many other groups have followed suit. In a new analysis of exploitation activity of these flaws, Mandiant researchers said they have seen eight separate groups exploit those Ivanti bugs in recent weeks. Five of those groups are Chinese threat actors, including the infamous Volt Typhoon group that has targeted critical infrastructure operators in the United States recently.
“UNC5291 is a cluster of targeted probing activity that we assess with moderate confidence is associated with UNC3236, also known publicly as Volt Typhoon. Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024. Probing has been observed against the academic, energy, defense, and health sectors, which aligns with past Volt Typhoon interest in critical infrastructure,” the Mandiant analysis says.
One of the other groups that Mandiant has seen exploiting the older Ivanti flaws is an actor the company refers to as UNC5221, which has been using the bugs to install four separate malware families that are known collectively as SPAWN. The malware family includes an installer, a backdoor, and a tool that can disable logging and log forwarding. That group also has deployed a webshell called ROOTROT that it used for persistence and would then perform reconnaissance and look for lateral movement possibilities. The group also deploys a backdoor called BRICKSTORM to target VMware vCenter servers.
The other groups that Mandiant has identified as exploiting the January Ivanti bugs have used their own tactics, including a new malware sample called TERRIBLETEA.
Patches are available for all of the versions affected by the January flaws.