Security Update for Ivanti Connect Secure and Ivanti Policy Secure Gateways
At Ivanti, our top priority is upholding our commitment to deliver and maintain secure products for our customers. Our team has been working around the clock to aggressively review all code and is singularly focused on bringing full resolution to the issues affecting Ivanti Connect Secure (formerly Pulse Connect Secure), Ivanti Policy Secure and ZTA gateways.
We have been following our product incident response process and rigorously assessing our products and code alongside world-class security experts and collaborating with the broader security ecosystem to share intelligence. We are committed to communicating findings openly with customers, consistent with our commitment to security and responsible disclosure.
As part of the ongoing investigation, we discovered a new vulnerability as part of our internal review and testing of our code, which was also responsibly disclosed by watchTowr. We are reporting it as CVE-2024-22024. A patch is now available for Ivanti Connect Secure (versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2), Ivanti Policy Secure (versions 9.1R17.3, 9.1R18.4 and 22.5R1.2) and ZTA gateways (versions 22.5R1.6, 22.6R1.5 and 22.6R1.7). For users of other supported versions, the mitigation released on 31 January successfully blocks the vulnerable endpoints until remaining patches are released.
Update 14 Feb: A patch is available now for Ivanti Connect Secure (versions 9.1R15.3, 9.1R16.3, 22.1R6.1, 22.2R4.1, 22.3R1.1 and 22.4R1.1) and Ivanti Policy Secure (versions 9.1R16.3, 22.4R1.1 and 22.6R1.1). A build is now available for all supported versions.
It is important for customers to know:
- We have no evidence of this vulnerability being exploited in the wild as it was found during our internal review and testing of our code, and responsibly disclosed by watchTowr. Previously released patches have been successful at blocking the threat actor’s known activities.
- CVE-2024-22024 only applies to a limited number of versions. However, all customers using Ivanti Connect Secure and Ivanti Policy Secure should promptly apply the patch for their supported version, when available, regardless of whether they installed prior patches from 31 January and 1 February, as the patch resolves all previously disclosed vulnerabilities.
- Customers who applied the patch released on 31 January or 1 February, and completed a factory reset of their appliance, do not need to factory reset their appliances again.
- These vulnerabilities do not impact any other Ivanti products or solutions.
- Customers who have applied this newly released patch do not need to apply the mitigation or the patches released on 31 January and 1 February.
- We strongly advise customers to run Ivanti’s previously released External Integrity Checker Tool in combination with best-practice security monitoring.
We know that this has been a difficult time for our customers, and we greatly appreciate their partnership and support as we work to resolve this situation. We have been actively engaged with customers during this process and are committed to releasing patches and providing clear instructions for remediation when they are available. We are actively working to ensure that our Security Advisories and Knowledge Base articles are not only technically detailed, but also clearly outline important information, including immediate actions for customers to take.
We continue to invest significant resources to ensure that all our solutions continue to meet our own high standards and we will be applying learnings from this issue to further enhance our products and policies, as well as sharing those learnings with our customers.
More information on this vulnerability and detailed instructions on patch availability and how to mitigate the vulnerabilities can be found in this Security Advisory.
Our Support team is always available to help customers and partners should they have any questions. Cases can be logged via the Success portal (login credentials required).
Our team has been working around the clock to aggressively review our code and products alongside third-party security experts. We initially flagged the code in question during our internal review. Shortly after, watchTowr contacted us through our responsible disclosure program regarding CVE-2024-22024, which we should have acknowledged. We appreciate watchTowr and their assistance in validating the findings.
Want to stay up to date on Ivanti Security Advisories? Paste https://www.ivanti.com/blog/topics/security-advisory/rss into your preferred RSS reader / functionality in your email program.