However, on January 31 Ivanti disclosed two more vulnerabilities that were discovered while investigating the previous two flaws: a privilege escalation vulnerability tracked as (CVE-2024-21888) and a server-side request forgery in the SAML component (CVE-2024-21893). The latter can allow attackers to access restricted resources without authentication and was also exploited as a zero-day.
“At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted,” the company said in its updated knowledge base article. “Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public — similar to what we observed on 11 January following the 10 January disclosure.”
Additional steps to mitigate risk from Ivanti vulnerabilities required
As of February 1, fixed versions are available for all impacted products. However, CISA is asking agencies to export their configuration, rebuild the affected devices by performing a factory reset and updating the firmware and then importing the configuration back, and remove the previously applied mitigation xml file.
It’s also important to revoke and reissue any potentially exposed certificates, keys, and passwords, including the admin enable password, the stored application programming interface (API) keys, the passwords of any local user defined on the gateway, including service accounts used for auth server configuration.
Domain accounts associated with the affected products might also have been compromised, so agencies should reset the passwords for on premise accounts and revoke Kerberos tickets as well as any tokens for cloud accounts in hybrid deployments. The device tokens of cloud-joined devices should also be reset by disabling those devices.
