Ivanti discloses fifth vulnerability, doesn't credit researchers who found it


In disclosing yet another vulnerability in its Connect Secure, Policy Secure, and ZTA gateways, Ivanti has confused the third-party researchers who discovered it.

Researchers at watchTowr blogged today about not being credited with the discovery of CVE-2024-22024 – the latest in a series of vulnerabilities affecting Ivanti gateways as the vendor continues to develop patches for supported versions.

The high-severity authentication bypass flaw only affects a limited number of supported versions, unlike the zero-days that came before it, and, according to Ivanti, it was discovered in-house.

"As part of the ongoing investigation, we discovered a new vulnerability as part of our internal review and testing of our code, which we are reporting as CVE-2024-22024," an Ivanti article reads.

However, watchTowr claims its researchers were the first to bring Ivanti's attention to the bug on February 2, publishing screenshots of the emails exchanged between it and Ivanti as proof.

Commenting on the above excerpt from Ivanti's advisory, watchTowr said: "Today, Friday February 9, 2024, we are pleased to see that Ivanti has released an advisory for this vulnerability.

"We did find this comment a little curious, but perhaps we have a new set of colleagues?" It went on to say it was "surprised" about seeing the missing credit, but assumes it was done without malice.

The vulnerability itself, to the delight of admins across the land, isn't as serious as the others that were disclosed over the past few weeks.

In addition to fewer versions being vulnerable, those that applied the updated mitigation provided on January 31 are automatically protected.

Those who applied the patch to their devices when it became available and completed a factory reset of their device(s) are also protected. There is no evidence to suggest it's been actively exploited as a zero-day, Ivanti said, though that's been disputed.

The limited versions impacted by the vulnerability are:

  • Ivanti Connect Secure (version 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1)

  • Ivanti Policy Secure (version 22.5R1.1)

  • ZTA (version 22.6R1.3)

A quick recap

Similar to Fortinet recently, Ivanti's been having a rough time with security of late.

  • Ivanti devices hit by wave of exploits for latest security hole
  • Ivanti releases patches for VPN zero-days, discloses two more high-severity vulns
  • Ivanti and Juniper Networks accused of bending the rules with CVE assignments
  • Ivanti zero-day exploits explode as bevy of attackers get in on the act

In mid-January came the first reports of two zero-days in Ivanti's products being exploited by attackers that were either pro-China or state-sponsored by Beijing.

Since then, Ivanti has continued to work on developing patches in accordance with its staggered schedule, which is to say it's developing patches for the versions with the most users, and working down from there. In the meantime, it released a mitigation to keep people safe while they wait for patches.

This patching schedule was expected to conclude on February 19, but in announcing the first patch at the end of January, Ivanti said this has been delayed.

What it also announced alongside the first patch, and it would be funny if it weren't so serious, was that in fixing the first two zero-days, it found another two vulnerabilities, one of which was also exploited as a zero-day.

Better yet, Ivanti also said attackers had devised workarounds for the mitigation it provided, so it was forced to make a new one and this is still working to the best of our knowledge.

So that's four big security holes in the space of a few weeks… today's takes it to five.

The zero-days were under "mass exploitation" status within days, since proof of concept (PoC) code was published before Ivanti could develop patches. It was suspected at the time that 1,700 devices had backdoors implanted in them.

Underlining the severity of the situation, CISA issued its second emergency directive last week instructing federal agencies to disconnect the products entirely. This followed an initial advisory adding the first two zero-days to its "must-patch" list the same day Ivanti disclosed them.

The UK's NCSC was also prompted into action today, publishing its own advisory urging immediate patches for all five Ivanti vulnerabilities.