We want to thank our customers for their support and patience over the last few weeks as we navigate the recent issues affecting Ivanti Connect Secure, Policy Secure and ZTA gateways. We know that this has been a challenging time for our customers, and our team has been working around the clock, alongside world-class security experts, to bring this issue to full resolution. We will not stop until we are confident our products and our customers are protected and these vulnerabilities have been fully resolved.

As of 14 February, Ivanti has a build available for all supported versions. Ivanti strongly urges all customers to immediately remove the mitigation and apply the patch.

From day one, we have been committed to taking a customer-first approach. We have prioritized releases of mitigation and patches as quickly as possible, while also continuing to strengthen our proactive measures to combat the increasingly sophisticated and aggressive threat environment our industry is facing. As we work to support our customers, we have strived to put continuous and direct communications at the forefront. We have also spent a great deal of time listening and incorporating feedback we have heard to continually improve our communications.  

Regrettably, one consistent piece of feedback we have received is that certain misinformation currently circulating in the marketplace from media and others is causing a large degree of confusion. To address this, we have prepared the below FAQ which clarifies that misinformation, as well as outlining the facts around some questions we have been getting.

We will continue to update this FAQ as needed, always with the goal of informing and protecting our customers.

Key Frequently Asked Questions

New: Is there any action for customers to take following the 27 February and 29 February advisories?

For customers who have already completed a successful factory reset (hardware) or deployed a new build (virtual) and patched their appliance(s), the only action is to continue to follow Ivanti and Mandiant’s guidance to run the internal and updated external ICT, along with continuous monitoring which should be updated to reflect these evolving techniques.

Ivanti and our security partners are not aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets (hardware)/ new build (virtual) recommended by Ivanti.

For customers that have not yet patched, they should immediately follow the instructions provided in the Knowledge Base Article.

Again, if you previously followed Ivanti’s instructions and continue to have a clean ICT scan, you do not need to complete any additional factory resets or deploy a new build (for virtual appliances). 

New: Is there a new vulnerability or compromise that was not previously disclosed?

No, there is not a new CVE. Ivanti, and our security and government partners are not aware of any instances of successful threat actor persistence following implementation of security updates and factory resets.

The new activity described by Ivanti, Mandiant and CISA relates to limited attempts observed to maintain persistence through factory reset that were unsuccessful, and a potential lab-based technique developed by CISA that they believe could be used to attempt persistence. Neither of these have been used successfully in the wild.

It is important to note that, based on the evidence presented and further analysis by our team, we believe that the technique CISA identified in its technical lab would not enable a threat actor to successfully achieve undetected persistence in a live customer environment.

New: Why did Ivanti conclude that the technique CISA identified in its technical lab could not enable successful persistence in a live customer environment?

Ivanti and its outside security experts assessed CISA’s technical findings and determined that if it were deployed on a real-life unpatched customer environment, the connection would be lost to Ivanti Connect Secure, so it could not be performed remotely.  We therefore believe that this risk of persistence is not valid in an actual customer deployment.

You can read more about the JCSA released on February 29 here.

New: If persistence was unsuccessful, why did Ivanti and Mandiant release this information?

We released relevant information on 27 February regarding evolving threat actor techniques that we are monitoring, so that defenders can take steps to further protect themselves against a highly sophisticated and aggressive attack. Customers can factor this information into their own continuous monitoring, even though to date these techniques have not been deployed successfully in the wild.

We are committed to providing information and tools to ensure our customers are protected and also remain engaged with our security and government partners to this end.

New: Is CISA recommending that Ivanti customers unplug their machines?

CISA’s has never instructed organizations to permanently take Ivanti systems out of production. CISA’s original directive to federal agencies was misinterpreted by media who only reported on the first step of the instructions. CISA made updates to their directive to correct this, and then subsequently updated again on February 9 to make it absolutely clear that you can turn the product on after patching. 

CISA’s 29 February advisory compiles prior research, as well as a lab-based technique that they believe could be used to attempt persistence and advises customers to be aware of the risks. It is important to note that we do not believe the activity outlined in CISA’s report could be performed remotely.

Is it true that CISA told federal agencies to replace Ivanti products?

No. CISA’s directive never instructed agencies to permanently take Ivanti systems out of production. CISA’s directive was misinterpreted by media who only reported on the first step of the instructions. CISA made updates to their directive to correct this, and then further updated last week to make absolutely clear that you can turn the product on after patching. Unfortunately, a large number of media articles did not cover the corrections, which has contributed to widespread confusion.

CISAs full instructions are consistent with our own instructions and recommendations for our customers from 31 January. We support the Emergency Directive issued by CISA on 9 February and worked with CISA to develop the content. The instructions are as follows:

  1. Take the solution out of production and look for signs that the threat actor took additional action   
  2. Factory reset, upgrade and patch   
  3. Put the appliance back into production  

Please be assured that it is standard operating procedure to take an IT system out of production to remediate or upgrade.

We recommend that customers follow Ivanti and CISAs recommendations and apply the patch.

Is it true that the Ivanti Connect Secure product is vulnerable due to old open source code? Why does the Ivanti Connect Secure product have old code in it?

The Ivanti Connect Secure product is not vulnerable due to older versions of open source code. Ivanti backports the security fixes where applicable to provide protection for the 9.x version of the product. Backporting security fixes does not change the version of the open source package, but it does provide protection from known vulnerabilities.

This process ensures the solutions we are providing to customers meet all industry standards and that known vulnerabilities are not present in our solutions.

The hardware for the 9.x version does not have enough CPU to run a newer Linux kernel and as such the kernel limitations requires this older open source code to be used. The newer 22.x version of Ivanti Connect Secure is built on a new Linux kernel that does require a more powerful CPU and as such we have introduced a new platform, the ISA, which does not have the older versions of open source code in it. 

We officially released an End of Life Notification for the 9.x hardware and software product in July 2022. At the request of customers, Ivanti continues to support and secure this product, including developing and releasing patches for all known vulnerabilities, while actively working with our customers to refresh their appliances to 22.x or migrate to the cloud with Ivanti Neurons for Zero Trust Access.

All code present in Ivanti products, including the 9.x older open source code, is clearly outlined in our attributions and SBOMs, which are available in the product documentation available on Ivanti.com.

Which products are affected?  

The issues only affect Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways.

These vulnerabilities are not present in any other Ivanti solutions.  

Were the vulnerabilities exploited? Are the numbers being reported by media true?

It is unfortunate that media reports continue to cover statements and unverified numbers from third parties that are incorrect or inflated.

We previously confirmed the initial vulnerabilities disclosed on 10 January were exploited by threat actors. While the initial impact was very limited, we saw a sharp increase in threat actor activity and security researcher scans following public disclosure of the issue, indicating global customer impact due to CVE-2023-46805, CVE-2024-21888 and CVE-2024-21893.

How does a customer know if they’ve been compromised?  

We strongly advise customers using Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways to run Ivanti’s previously released External Integrity Checker Tool (ICT) in combination with best-practice security monitoring.  

Importantly, while the ICT provides a snapshot of the current state of the appliance, it cannot necessarily detect threat actor activity if they have returned the appliance to a clean state, scan for malware, or detect other Indicators of Compromise.  

How does the ICT work? Why can’t it scan for malware or other IOCs?

The ICT tool is designed to enable customers to detect positives with high confidence without conducting a full forensic investigation. This is the intentional scope of its ability. It achieves this by comparing version-specific folder listings and file hashes against the running state of the device. This approach is highly effective at detecting whether actively running executables are in the same state as they were delivered in the general availability (GA) release of the software.

It also necessitates that files that frequently change and folders that contain ephemeral files are not given the same blanket consideration. This means that this tool should not be used as a single factor of confidence, and why Ivanti has always recommended that its results be combined with industry standard practices for logging, monitoring and diagnostics in the surrounding environment. Administrators can build confidence from their full spectrum of information available and act accordingly. 

New versions of the ICT are delivered with every group of software versions released to ensure the new files and folders do not trigger false positives. The external ICT is specifically delivered as a standalone package that does not rely on libraries or data files on the running device to achieve its functionality.

What should customers do if they have been compromised? Can Ivanti help? Will they provide IoCs?

We are committed to supporting our customers during this incident, including providing additional information to assist in the investigation in the event of a detected compromise. Ivanti is not a forensic provider and does not have the ability to fully investigate the issue for a customer. If a customer finds evidence they may have been compromised, they should engage with a forensic provider and Ivanti will provide information needed to assist in that investigation.

This includes providing unencrypted snapshots found from a failed ICT along with information on the common Indicators of Compromise (IoCs). Customers can also reference Volexity’s blog or Mandiant’s blog for additional findings of the coordinated investigation. 

Our team is continuing to provide updates and support to customers through a range of channels. If customers require additional information, they can reach out directly to Ivanti or open a ticket with support. It is recommended that customers follow fully the recovery process outlined HERE.

Is Ivanti giving appropriate credit to third party researchers who identify vulnerabilities?  

At Ivanti, our top priority is upholding our commitment to deliver and maintain secure products. Our team has been working around the clock to aggressively review our code and products alongside third-party security experts. We have also appreciated and acknowledged the support of our partners in our communications, including Mandiant, Volexity, and watchTowr.   

We recently updated our 8 February communications regarding CVE-2024-22024 to reflect watchTowr’s contribution. While we initially flagged the code in question during our internal review, shortly after and prior to our public disclosure, watchTowr contacted us through our responsible disclosure program regarding the vulnerability. We should have acknowledged this and promptly updated our communication. We appreciate watchTowr and their assistance in validating the findings. 

https://hackerone.com/ivanti/ We encourage all security researchers to follow Ivanti’s Responsible Disclosure Policy outlined here, https://www.ivanti.com/support/contact-security. Any issues identified with an Ivanti Product or Solution, including products of acquired companies (such as Pulse Secure and MobileIron products), please report them through our HackerOne. https://hackerone.com/ivanti/

What are the best avenues for customers to get the latest information from Ivanti?

We operate under a customer-first approach, and throughout this issue have strived to put continuous and direct communications with customers at the forefront. We are actively working to ensure that our Security Advisories and Knowledge Base articles are not only technically detailed, but also clearly outline important information, including immediate actions for customers to take. And our team has been working to provide continuous information and high-touch support directly with customers, in addition to our public communications. We remain committed to transparency with you as we move forward and welcome any feedback from customers on how we can do even better.  

What are you hearing from customers?  

We have been continually engaged with our customers throughout this issue. Many have been understanding and supportive, given the current threat landscape.

For those that have questions or concerns, or where confusion has been created based on media coverage or otherwise, we have been working directly with customers to make sure they have the information they need. Our goal is to continue to be the best possible partner to our customers as we navigate this issue and beyond.

We will always put the customer first. In this case, this means doubling down on our investments. And we are committed to sharing learnings with customers directly to further enhance security in this rapidly evolving threat environment.

Has Ivanti been compromised due to this vulnerability? 

No. While Ivanti does use our own tools and technology and we have no indication that we have been compromised as a company. Ivanti uses enterprise-grade technology and security partners to detect, prevent, and respond to increasingly sophisticated threat actors.