Ivanti has disclosed a new vulnerability in its Connect Secure, Policy Secure, and ZTA gateways, and the disclosure has caused confusion for the third-party researchers who say they found it. The flaw, tracked as CVE-2024-22024, was discussed in a blog post by researchers at watchTowr, who state that although they were the first to report it, Ivanti did not acknowledge them. The vulnerability is a high-severity authentication bypass that affects only a limited number of supported versions. Ivanti says the bug was found internally during its ongoing code review and testing.
watchTowr backed its claim with screenshots of emails exchanged with Ivanti showing that it reported the bug to the vendor on February 2. Ivanti's official advisory, however, credits no external researcher, and its public response did not directly address watchTowr's account, leaving the researchers confused and disappointed.
This vulnerability is less severe than the earlier ones Ivanti has disclosed, and the recent patch covers a smaller set of affected versions. According to Ivanti, customers who have already applied that patch and performed a factory reset are already protected. Ivanti also says it has no evidence of active exploitation, although that claim has been disputed. The affected versions are Ivanti Connect Secure 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1; Ivanti Policy Secure 22.5R1.1; and ZTA gateways 22.6R1.3. Because the list is of specific releases rather than version ranges, administrators should check the exact version string reported by each appliance against it.
To recap, Ivanti has faced a run of serious security problems in recent weeks. In mid-January the company reported two zero-day vulnerabilities being exploited by attackers with suspected ties to China. It has been developing patches on a staggered schedule, prioritizing the versions with the most users, and released a mitigation to protect customers while they wait, although the original patch schedule has slipped. While fixing the first two zero-days, Ivanti found two more vulnerabilities, one of which was also being exploited. This latest disclosure brings the total to five vulnerabilities in a matter of weeks.
The zero-days were quickly weaponized, with proof-of-concept (PoC) code published before Ivanti could ship patches, raising concern that many devices had already been compromised. Reflecting the severity of the situation, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive instructing federal agencies to disconnect affected products, and the UK's National Cyber Security Centre (NCSC) has urged immediate patching for all five Ivanti vulnerabilities.