DarkReading recently provided an editorial on the recent cyber security response to Ivanti’s VPN issues. “Here's what's clear about the current cybersecurity state of Ivanti's VPN appliances: they have been widely vulnerable to cyberattack, and threat actors are onto the possibilities. It's up to enterprise cyber teams to decide what comes next.”
So far, Ivanti has disclosed five VPN flaws in 2024, most exploited as zero-days — with two of them publicly announced weeks before patches became available. Some critics, including an influential cybersecurity researcher, see the glut of Ivanti vulnerabilities and the company's slow incident response as an existential threat to the business. He blames Ivanti's current problems on a years-long neglect of secure coding and security testing. To recover, Ivanti would have to both overcome that technical debt and somehow rebuild trust with its customers, a task he doubts Ivanti will be able to pull off. "I don't see how Ivanti survives as an enterprise firewall brand," the researcher said, a remark that was repeated widely on social media.[1]
See: https://redskyalliance.org/xindustry/ivanti-connect-secure-not-so-secure
A more generous view of the recent spate of zero-day disclosures is that it's a positive sign Ivanti is taking a long, hard look at its cybersecurity. "Ivanti is digging deep into its own products in order to find, fix, and disclose vulnerabilities, and deserves some credit for that," said the vice president of Viakoo Labs. When asked for comment, Ivanti referred Dark Reading to its 8 February blog post regarding its most recent disclosure.
Ivanti's Woes Fall on Cyber Teams - Ultimately, enterprise teams will have to choose. Cyber teams can follow US DHS CISA's advice and disconnect Ivanti VPN appliances and update before they are reconnected. Or, while they are already offline for patching, they can replace Ivanti appliances altogether. They also have to explain the decision to higher-ups.
Patching is a reasonable response, but Ivanti's patching schedule was delayed for the aforementioned pair of zero-day vulnerabilities disclosed on 10 January (CVE-2024-21887 and CVE-2023-46805). These were under active exploitation without a patch for 20 days, until patches arrived on 30 January. But the patches came with more bad news: the Ivanti update also included fixes for two additional, previously undisclosed bugs (CVE-2024-21888 and CVE-2024-21893), the latter of which had also already been under active exploitation in the wild.
That was enough for CISA to issue a 1 February mandate for federal agencies to disconnect Ivanti products from their systems. CISA issued a clarification to the directive on 9 February that Ivanti VPN appliances may be reconnected to government networks once they are sufficiently patched, and in some cases, reset to factory settings.
A fifth Ivanti vulnerability was disclosed on 9 February, tracked as CVE-2024-22024. Eventually, Ivanti credited watchTowr with the find, though at first it claimed internal teams had found the bug, sowing some confusion in bug-hunter ranks. Further undermining confidence in Ivanti's security practices is the fact that the initial 10 January bugs were originally due to receive patches on 22 January, but Ivanti pushed the release date back to the 30th. "These devices need their software engineered with the same kind of seriousness that this threat requires," says the president of Bambenek Consulting. "When you publish zero-day patch schedules, you need to hit those targets, especially in a situation like this." Meanwhile, Ivanti's persistent flaws have attracted crowds of cybercriminals, including Chinese state-sponsored threat actors. And the security research organization Shadowserver confirmed to Dark Reading that there are at least 47 IPs to date attempting to exploit the most recently disclosed Ivanti VPN bug.
There is some confusion here too: Ivanti issued the following statement to Dark Reading in response to the Shadowserver report: "We have no indication that CVE-2024-22024 has been exploited in the wild."
The vice president of Viakoo Labs gives Ivanti poor marks for its incident response so far. "Ivanti’s recovery will need to address both the technical aspects of these attacks, and the trust/reputational damage this has caused them," he says. "On both fronts they have stumbled badly."
Ivanti Vows to Fix Flaws, Customers Cautious - In an 8 February advisory about the most recent Connect Secure and Policy Secure Gateways bugs, Ivanti assured customers it is now doing a full audit of its code. "Our team has been working around the clock to aggressively review all code and is singularly focused on bringing full resolution to the issues affecting Ivanti Connect Secure (formerly Pulse Connect Secure), Ivanti Policy Secure and ZTA gateways," the company said.
As Ivanti's cybersecurity troubles mount, the lesson for cyber teams is that reactive patching alone of edge devices isn't sufficient, according to Keeper Security. "It is imperative that vendors prioritize identifying and resolving issues within their solutions," it said. "But organizations should regularly engage in pen-testing of their own products and services to proactively find vulnerabilities before someone else does."
Only time will tell whether Ivanti will be able to woo back the customers who have already left and reassure the ones who have stuck around. In the meantime, enterprise security teams remain cautious. "If I were a CISO, I'd take a pass on Ivanti for a few years until they’ve proven themselves again," was a recent advisory statement.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://www.darkreading.com/cloud-security/ivanti-poor-marks-cyber-incident-response