By disclosing another vulnerability in its Connect Secure, Policy Secure and ZTA gateways, Ivanti has confounded the third-party researchers who discovered it.

watchTowr researchers today blogged about not being credited for the discovery of CVE-2024-22024 – the latest in a series of vulnerabilities affecting Ivanti Gateway, as the vendor continues to develop patches for supported versions.

The high-severity authentication bypass flaw only affects a limited number of supported versions, unlike the zero-days that came before it, and was discovered in-house, according to Ivanti.

An article from Ivanti reads: “As part of an ongoing investigation, we have discovered a new vulnerability as part of our internal review and testing of our code, which we are reporting as CVE-2024-22024.”

However, watchTowr claims that its researchers first drew Ivanti’s attention to the bug on February 2, and has published screenshots of emails exchanged between it and Ivanti as evidence.

Commenting on the above excerpt from Ivanti’s advisory, watchTowr said: “Today, Friday February 9, 2024, we are pleased to see that Ivanti has issued an advisory for this vulnerability.

“We found this comment a bit curious, but maybe we have a new group of coworkers?” It further added that it was “surprised” to see the missing credit, but believes the omission was made without any malice.

To the relief of administrators across the country, the vulnerability itself is not as serious as the others that have surfaced over the past few weeks.

In addition to fewer versions being vulnerable, those who applied the mitigation provided on January 31 are automatically protected.

People who applied the patch to their devices when it became available and completed a factory reset of their device are also safe. There is no evidence to suggest it has been actively exploited as a zero-day, Ivanti said, although that has been controversial.

The limited set of versions affected by the vulnerability are:

Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1)

Ivanti Policy Secure (Version 22.5R1.1)

ZTA (version 22.6R1.3)

A quick recap

Similar to Fortinet, Ivanti has been having a tough time with security recently.

The first reports came in mid-January that two zero-days in Ivanti’s products were exploited by attackers who were either pro-China or state-sponsored by Beijing.

Since then, Ivanti has continued to work on developing patches according to its staggered schedule, meaning it is developing patches first for the versions with the most users and working through the rest from there. In the meantime, it issued a mitigation to keep people safe while they wait for the patch.

This patching schedule was supposed to end on February 19, but Ivanti, announcing the first patch in late January, said it had been delayed.

What it announced along with the first patch, and which would be funny if it weren’t so serious, is that in fixing the first two zero-days, it found two other vulnerabilities, one of which was a zero-day that was also being exploited.

What’s even better is that Ivanti also said that attackers had created a workaround for the mitigation it provided, so it was forced to issue a new one, which, to the best of our knowledge, is still holding.

So that’s four major security holes in the span of a few weeks… today takes it to five.

The zero-days were in a state of “mass exploitation” within days, as the proof of concept (POC) code was published before Ivanti developed the patch. At the time it was suspected that backdoors were installed in 1,700 devices.

Underscoring the seriousness of the situation, CISA issued its second emergency directive last week directing federal agencies to completely disconnect the products. This came after an initial advisory in which the first two zero-days were added to its “must-patch” list on the same day Ivanti disclosed them.

The UK’s NCSC was also spurred into action today, publishing its own advice urging immediate fixes for all five Ivanti vulnerabilities.

Source: www.theregister.com