Ivanti has updated its integrity checker tool after the US Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers may be able to maintain root-level persistence on the company’s Connect Secure, Policy Secure and ZTA gateways even after a factory reset.
Ivanti’s woes began in early January, when researchers from Volexity disclosed that two bugs in its Connect Secure VPN appliances could be chained for unauthenticated remote code execution.
Volexity said it had observed the chain being exploited in the wild and attributed the activity to UTA0178, a suspected Chinese nation-state actor, which had also tampered with the appliance’s built-in integrity checker in an attempt to conceal its presence.
Ivanti shipped fixes at the end of January and into early February, also plugging other vulnerabilities it found while developing fixes for the first two. The company advised customers to factory reset their appliances as part of the patching process to evict any intruder that had achieved persistence.
On February 29, CISA updated its warning about the products to say that attackers had found a way around the Ivanti integrity checker, and that “a cyber threat actor may be able to gain root-level persistence despite issuing factory resets”.
CISA and its partners, the new advisory stated, “strongly urge all organisations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.”
Ivanti released an updated integrity checker on February 27 and said the “potential persistence technologies … have not been deployed successfully in the wild”.
The enhanced integrity checker, Ivanti said, “provides additional visibility into a customer’s appliance and all files that are present on the system.
“The enhanced external ICT will no longer require support to decrypt a customer’s snapshots. When new and/or modified files are found, the external ICT will now provide customers with an unencrypted snapshot for their own review.”
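The following is an added illustration written for this article, not Ivanti’s ICT or any code from the company, and it makes no claim about how the ICT works internally. It models the difference the quoted statement points at: a checker that runs on the appliance and honours data stored there (here, a hypothetical exclusion list) can be blinded by an attacker with root, as Volexity reported UTA0178 did to the built-in checker, whereas an external checker that trusts only its own baseline and reports every new or modified file to the customer cannot. All paths, file contents and the exclusion-list mechanism are constructed for the example.

```python
"""Toy file-integrity check contrasting an on-device checker with an external one.

Added example for this article; it is not Ivanti's ICT. The "snapshots" are
in-memory dicts (path -> bytes), so the script runs offline with no appliance.
"""
import hashlib
from typing import Dict, Iterable, List

# Constructed baseline: what a clean appliance image is expected to contain.
# The exclusion-list file is a hypothetical mechanism invented for this example.
BASELINE_FILES: Dict[str, bytes] = {
    "/home/bin/web": b"webserver-binary-v1",
    "/home/bin/ict": b"integrity-checker-v1",
    "/home/etc/ict_exclude.txt": b"",
}


def manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Return path -> SHA-256 hex digest for every file in a snapshot."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def compare(baseline: Dict[str, str], snapshot: Dict[str, str],
            exclude: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Report new, modified and missing paths, skipping anything listed in `exclude`."""
    skip = set(exclude)
    new = sorted(p for p in snapshot if p not in baseline and p not in skip)
    modified = sorted(p for p in snapshot
                      if p in baseline and snapshot[p] != baseline[p] and p not in skip)
    missing = sorted(p for p in baseline if p not in snapshot and p not in skip)
    return {"new": new, "modified": modified, "missing": missing}


def on_device_check(snapshot_files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Weak form: the checker runs on the appliance and trusts an exclusion list
    stored on that same appliance. Root on the box means root over the checker's inputs."""
    exclude = snapshot_files.get("/home/etc/ict_exclude.txt", b"").decode().split()
    return compare(manifest(BASELINE_FILES), manifest(snapshot_files), exclude)


def external_check(snapshot_files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Strong form: trusted baseline, trusted code, and nothing read from the
    device is honoured as configuration. Every difference is surfaced for review."""
    return compare(manifest(BASELINE_FILES), manifest(snapshot_files))


# Constructed compromised snapshot: a web shell has been dropped, and the on-device
# exclusion list has been edited to hide both the shell and the edit itself.
COMPROMISED_FILES: Dict[str, bytes] = dict(BASELINE_FILES)
COMPROMISED_FILES["/home/www/shell.cgi"] = b"<constructed web shell>"
COMPROMISED_FILES["/home/etc/ict_exclude.txt"] = (
    b"/home/www/shell.cgi /home/etc/ict_exclude.txt"
)

if __name__ == "__main__":
    print("on-device :", on_device_check(COMPROMISED_FILES))   # everything hidden
    print("external  :", external_check(COMPROMISED_FILES))    # shell and list edit flagged
```

The on-device run reports a clean system because the attacker controls the data it consults; the external run flags the shell as a new file and the exclusion list as modified, which is the kind of raw result the enhanced external ICT is described as handing back to the customer.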
There is no new CVE, meaning the existing vulnerability information for CVE-2023-46805 (authentication bypass), CVE-2024-21887 (command injection), CVE-2024-21893 (server-side request forgery), CVE-2024-22024 (XML external entity, or XXE, vulnerability) and CVE-2024-21888 (privilege escalation) remains current.