simontsui, 4 months ago to random

Volexity recently disclosed details related to exploitation of Ivanti Connect Secure VPN, revealing how the attacker chained two zero-day vulnerabilities to achieve remote code execution. When investigating the source of compromise, Volexity employed memory forensics, analyzing a memory sample collected from a suspected compromised VPN device, which allowed Volexity to zero in on the source of the compromise. "The lesson for analysts is to independently verify the integrity and trustworthiness of high-value targets using memory forensics, rather than only relying on tools that run on a potentially compromised device."
🔗 https://www.volexity.com/blog/2024/02/01/how-memory-forensics-revealed-exploitation-of-ivanti-connect-secure-vpn-zero-day-vulnerabilities/

#ivanti #connectsecure #vulnerability #zeroday #eitw #activeexploitation #CISA #KEV #KnownExploitedVulnerabilitiesCatalog #CVE_2023_46805 #CVE_2024_21887 #UTA1078 #Volexity

simontsui, 4 months ago to random

watchTowr reports additional zero-days uncovered on a fully patched Ivanti appliance. No further information due to 90 day vulnerability disclosure policy.

#Ivanti #ConnectSecure #vulnerability #zeroday #eitw #activeexploitation #UTA0178 #UNC5221 #CVE_2023_46805 #CVE_2024_21887 #KEV #KnownExploitedVulnerabilitiesCatalog #CISA #CVE_2024_21888
#CVE_2024_21893 cc: @todb @ntkramer @campuscodi @serghei @dangoodin @catc0n
CVE_2024_21893

simontsui, 4 months ago to random

Just your periodic update from Ivanti regarding their CVE-2023-46805 (8.2 high) and CVE-2024-21887 (9.1 critical) zero-days (both disclosed 10 January 2024 as exploited in the wild, has Proofs of Concept, mass exploitation):

"Update 26 January: The targeted release of patches for supported versions is delayed, this delay impacts all subsequent planned patch releases. We are now targeting next week to release a patch for Ivanti Connect Secure (versions 9.1R17x, 9.1R18x, 22.4R2x and 22.5R1.1), Ivanti Policy Secure (versions 9.1R17x, 9.1R18x and 22.5R1x) and ZTA version 22.6R1x.
Patches for supported versions will still be released on a staggered schedule. Instructions on how to upgrade to a supported version will also be provided.
The timing of patch release is subject to change as we prioritize the security and quality of each release. Please ensure you are following this article to receive updates as they become available."
🔗 https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

#Ivanti #ConnectSecure #vulnerability #zeroday #eitw #activeexploitation #UTA0178 #UNC5221 #CVE_2023_46805 #CVE_2024_21887 #KEV #KnownExploitedVulnerabilitiesCatalog #CISA

simontsui, 4 months ago to random

CISA issues Emergency Directive 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities in response to CVE-2023-46805 (8.2 high, disclosed by Ivanti on 10 January 2024 as exploited zero-days) authentication bypass in Ivanti Connect Secure VPN Version 9.x and 22.x and CVE-2024-21887 (9.1 critical) command injection in Ivanti Connect Secure VPN Version 9.x and 22.x

🔗 https://www.cisa.gov/news-events/directives/ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure-vulnerabilities

#Ivanti #ConnectSecure #vulnerability #zeroday #eitw #activeexploitation #UTA0178 #UNC5221 #CVE202346805 #CVE202421887