=====================================================================

                               CERT-Renater

                    Note d'Information No. 2024/VULN170
_____________________________________________________________________

DATE                : 04/04/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Ivanti Connect Secure versions
                     prior to 22.1R6.2, 22.2R4.2, 22.3R1.2, 22.4R1.2,
                     22.4R2.4, 22.5R1.3, 22.5R2.4, 22.6R2.3,
                     9.1R14.6, 9.1R15.4, 9.1R16.4, 9.1R17.4,
                     9.1R18.5,
                     Ivanti Policy Secure versions prior to 22.4R1.2,
                     22.5R1.3, 22.6R1.2, 9.1R16.4, 9.1R17.4,
                     9.1R18.5.

=====================================================================
https://forums.ivanti.com/s/article/New-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
_____________________________________________________________________

New CVE-2024-21894 (Heap Overflow), CVE-2024-22052 (Null Pointer 
Dereference), CVE-2024-22053 (Heap Overflow) and CVE-2024-22023
(XML entity expansion or XXE) for Ivanti Connect Secure and Ivanti
Policy Secure Gateways

Created Date       : Apr 2, 2024 3:58:39 PM
Last Modified Date : Apr 3, 2024 8:14:59 PM


Description

Vulnerabilities have been discovered in Ivanti Connect Secure (ICS)
(formerly known as Pulse Connect Secure) and Ivanti Policy Secure
gateways and a patch is available now. These vulnerabilities impact
all supported versions – Version 9.x and 22.x (refer to Granular
Software Release EOL Timelines and Support Matrix for supported
versions).
We are not aware of any customers being exploited by these
vulnerabilities at the time of disclosure.
Refer to KB43892 – What releases will Pulse Secure apply fixes to
resolve security vulnerabilities for our End of Engineering (EOE)
and End of Life (EOL) policies.
The table below provides details on the vulnerabilities:
CVE-2024-21894
    Description : A heap overflow vulnerability in the IPSec component of
                  Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy
                  Secure allows an unauthenticated malicious user to send
                  specially crafted requests in order to crash the
                  service, thereby causing a DoS attack. In certain
                  conditions this may lead to execution of arbitrary code.
    CVSS        : 8.2
    Vector      : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CVE-2024-22052
    Description : A null pointer dereference vulnerability in the IPSec
                  component of Ivanti Connect Secure (9.x, 22.x) and
                  Ivanti Policy Secure allows an unauthenticated malicious
                  user to send specially crafted requests in order to
                  crash the service, thereby causing a DoS attack.
    CVSS        : 7.5
    Vector      : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2024-22053
    Description : A heap overflow vulnerability in the IPSec component of
                  Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy
                  Secure allows an unauthenticated malicious user to send
                  specially crafted requests in order to crash the
                  service, thereby causing a DoS attack, or in certain
                  conditions read contents from memory.
    CVSS        : 8.2
    Vector      : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CVE-2024-22023
    Description : An XML entity expansion (XEE) vulnerability in the SAML
                  component of Ivanti Connect Secure (9.x, 22.x) and
                  Ivanti Policy Secure allows an unauthenticated attacker
                  to send specially crafted XML requests in order to
                  temporarily cause resource exhaustion, thereby
                  resulting in a limited-time DoS.
    CVSS        : 5.3
    Vector      : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Resolution

There is a patch available now for all supported versions of the product
via the standard download portal. We strongly encourage customers
to act immediately to ensure they are fully protected.
Patch versions:
     Ivanti Connect Secure: 22.1R6.2, 22.2R4.2, 22.3R1.2, 22.4R1.2,
22.4R2.4, 22.5R1.3, 22.5R2.4, 22.6R2.3, 9.1R14.6, 9.1R15.4, 9.1R16.4,
9.1R17.4 and 9.1R18.5.

     Ivanti Policy Secure: 22.4R1.2, 22.5R1.3, 22.6R1.2, 9.1R16.4,
9.1R17.4 and 9.1R18.5.
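The patch list above is organised by release line (major.minor R release), so a build is only fixed if its own line has a fixed build and its patch level is at least as high. The following checker is an added example, not part of the CERT-Renater or Ivanti text; the FIXED_BUILDS table is transcribed from the advisory, and release lines the advisory does not list are reported as "unlisted" rather than guessed at.

```python
import re

# Fixed builds exactly as listed in the advisory (transcribed, not official data).
FIXED_BUILDS = {
    "Ivanti Connect Secure": [
        "22.1R6.2", "22.2R4.2", "22.3R1.2", "22.4R1.2", "22.4R2.4",
        "22.5R1.3", "22.5R2.4", "22.6R2.3", "9.1R14.6", "9.1R15.4",
        "9.1R16.4", "9.1R17.4", "9.1R18.5",
    ],
    "Ivanti Policy Secure": [
        "22.4R1.2", "22.5R1.3", "22.6R1.2", "9.1R16.4", "9.1R17.4",
        "9.1R18.5",
    ],
}

# Ivanti build strings look like 22.1R6.2 or 9.1R18.5; the trailing patch
# level may be absent on a base release (e.g. 22.1R6), which we treat as 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Split '22.1R6.2' into (major, minor, release, patch)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Ivanti version string: %r" % text)
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def assess(product, installed):
    """Return 'patched', 'vulnerable' or 'unlisted' for an installed build.

    Only the fixed build of the same release line counts: 22.4R1.2 does not
    make a 22.4R2.x appliance safe, because 22.4R2 has its own fix (22.4R2.4).
    """
    major, minor, release, patch = parse_version(installed)
    line = (major, minor, release)
    for fixed in FIXED_BUILDS[product]:
        fmajor, fminor, frelease, fpatch = parse_version(fixed)
        if (fmajor, fminor, frelease) == line:
            return "patched" if patch >= fpatch else "vulnerable"
    # No fixed build listed for this release line; the advisory says all
    # supported 9.x and 22.x versions are affected, so escalate rather than assume.
    return "unlisted"


if __name__ == "__main__":
    for product, build in [("Ivanti Connect Secure", "22.1R6.1"),
                           ("Ivanti Policy Secure", "22.6R1.2")]:
        print(product, build, "->", assess(product, build))
```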
Download

Customers can access the patch and updated External Integrity Checker
Tool via the standard download portal (login required).
Updated External Integrity Checker Tool

The latest versions of the External Integrity Checker tool uploaded
to the download portal on or after 02 April may indicate additional
new files. These additional new files are the result of Custom
Sign-in Page configurations, which can be configured at
Authentication > Signing In > Sign-In Pages.

These additional new files have a .ttc extension and represent
THTML data for Custom Sign-in pages. The number of additional new
files will vary depending on how the Custom Sign-in Pages are
configured. These are dynamic files and should be considered False
Positives.

The new external ICT should only be used once the latest patches
have been applied; it will generate a significant number of false
positives on any previous Connect Secure version. The new external
ICT is only applicable to the latest Ivanti Connect Secure
vulnerability patch release.

The external ICT provides customers with a decrypted snapshot of
their appliance; guidance on interpreting the decrypted snapshot
can be found HERE. The internal ICT remains unchanged in behavior
and does not provide a decrypted snapshot for customers' review.

FAQ

Are you aware of any active exploitation of the vulnerabilities?

    We are not aware of any customers being exploited by these
    vulnerabilities at the time of disclosure. If these vulnerabilities
    were used in an attack against a customer, the box would crash,
    and the service to end users would be disrupted.

What should I do if I need help?

    If you have questions after reviewing this information, you
    can log a case and/or request a call via the Success Portal.

Article Number : 000091543


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
