CISA: Using Ivanti VPNs May Pose ‘Significant Risk’

The agency released the warning Thursday following lab research on the exploitation of vulnerabilities in Connect Secure VPN devices.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned organizations to “consider the significant risk” that may be posed by continuing to use widely exploited Ivanti VPNs, in part based on newly disclosed independent lab research performed by the agency.

CISA released the warning Thursday as part of a new advisory related to the exploitation of three vulnerabilities in Connect Secure VPN devices.

[Related: Ivanti Discloses Fifth Major VPN Vulnerability In A Month]

Ivanti released its own updated advisory Thursday responding to the CISA warning, which appeared to offer a different characterization of the significance of the CISA lab research findings.

In CISA’s advisory, the agency shared results of its independent lab research showing that even a factory reset of Connect Secure VPNs may not be sufficient to remove a threat actor’s foothold on the devices.

“A cyber threat actor may be able to gain root-level persistence despite issuing factory resets,” CISA wrote in the advisory, which was released in conjunction with numerous other agencies including the FBI and units from Australia, the U.K., Canada and New Zealand.

“The safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit level persistence on a device that has been reset and lay dormant for an arbitrary amount of time,” CISA said in the advisory.

The agency pointed to previously released findings that sophisticated state-sponsored hacker groups in China, for instance, “may remain silent on compromised networks for long periods.”

“The authoring organizations strongly urge all organizations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment,” CISA said.

Ivanti appeared to offer a different interpretation of the CISA lab environment findings in its own advisory update Thursday, suggesting that a factory reset would in fact be effective.

“It is important to note that this lab-based finding has not been observed by CISA, Ivanti or Mandiant in the wild,” Ivanti said. “Based on the evidence presented and further analysis by our team, we believe that if a threat actor were to attempt this remotely they would lose connection to Ivanti Connect Secure, and not gain persistence in a live customer environment.”

Additionally, “customers that patched and executed a successful factory reset (hardware) or deployed a new build (virtual) would not be at risk from the activity outlined in CISA’s report,” the company said.

In response to an inquiry by CRN Thursday, Ivanti did not directly address questions about the apparent difference between its characterization of the findings and CISA’s.

“We welcome findings from our security and government partners that enable our customers to protect themselves in the face of this evolving and highly sophisticated threat,” Ivanti said in the statement.

The mass exploitation of Connect Secure vulnerabilities prompted CISA to issue its first “emergency directive” of 2024 on Jan. 19. Subsequently, on Feb. 1, CISA ordered that federal civilian agencies take the extreme measure of temporarily disconnecting their Ivanti Connect Secure VPNs within 48 hours.

Ivanti, a provider of IT and security software, acquired the technology behind its Connect Secure VPN with the acquisition of Pulse Secure in 2020.

Three Connect Secure flaws have seen mass exploitation by attackers since the initial disclosure Jan. 10, according to security researchers.

The two original vulnerabilities are an authentication bypass vulnerability (tracked as CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887). Ivanti has said threat actors can chain the two together to target customers of its Connect Secure VPN.

Researchers have also reported seeing widespread exploitation of a server-side request forgery vulnerability affecting Connect Secure, tracked as CVE-2024-21893.

Ivanti released the first patch for the original VPN vulnerabilities on Jan. 31, and has also shared mitigations for all five of the Connect Secure flaws disclosed since Jan. 10.