Ivanti Rushes Patches for 4 New Flaws in Connect Secure and Policy Secure

Apr 04, 2024NewsroomNetwork Security / Vulnerability

Ivanti has released security updates to address four security flaws impacting Connect Secure and Policy Secure Gateways that could result in code execution and denial-of-service (DoS).

The list of flaws is as follows –

• CVE-2024-21894 (CVSS score: 8.2) – A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack. In certain conditions, this may lead to execution of arbitrary code.

• CVE-2024-22052 (CVSS score: 7.5) – A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack.

• CVE-2024-22053 (CVSS score: 8.2) – A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack or in certain conditions read contents from memory.

• CVE-2024-22023 (CVSS score: 5.3) – An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in order to temporarily cause resource exhaustion thereby resulting in a limited-time DoS.

The company, which has been grappling with a steady stream of security flaws in its products since the start of the year, said it’s not aware of “any customers being exploited by these vulnerabilities at the time of disclosure.”

Late last month, Ivanti shipped patches for critical shortcoming in its Standalone Sentry product (CVE-2023-41724, CVSS score: 9.6) that could permit an unauthenticated threat actor to execute arbitrary commands on the underlying operating system.

It also resolved another critical flaw impacting on-premises versions of Neurons for ITSM (CVE-2023-46808, CVSS score: 9.9) that an authenticated remote attacker could abuse in order to perform arbitrary file writes and obtain code execution.

In an open letter published on April 3, 2023, Ivanti’s CEO Jeff Abbott said the company is taking a “close look” at its own posture and processes to meet the requirements of the current threat landscape.

Abbott also said “events in recent months have been humbling” and that it’s executing a plan that essentially changes its security operating model by adopting secure-by-design principles, sharing information with customers with complete transparency, and rearchitecting its engineering, security, and vulnerability management practices.

“We are intensifying our internal scanning, manual exploitation and testing capabilities, engaging trusted third parties to augment our internal research and facilitating responsible disclosure of vulnerabilities with increased incentives around an enhanced bug bounty program,” Abbott said.