February 9, 2024 at 04:09PM
Ivanti has announced patches for a high-severity vulnerability, CVE-2024-22024, affecting its enterprise VPN and network access products. The XML external entity (XXE) issue in the SAML component of Connect Secure, Policy Secure, and ZTA gateways could allow an unauthenticated attacker to access certain restricted resources. Fixes are included in specific versions of each product. Ivanti reports no evidence of exploitation in the wild and urges customers to apply the latest patches.
Key takeaways:
1. Ivanti has announced patches for a high-severity vulnerability (CVE-2024-22024) impacting its enterprise VPN and network access products, specifically certain versions of Ivanti Connect Secure, Policy Secure, and ZTA gateways. The flaw carries a CVSS score of 8.3 and is described as an XML external entity (XXE) issue in the SAML component.
2. Successful exploitation could allow an unauthenticated attacker to access certain restricted resources. The SAML endpoint on these appliances receives messages from browsers before any user is authenticated, which is why an XXE bug in that component is reachable pre-auth.
3. The vulnerability affects only a limited number of supported versions, and fixes have been included in specific versions of Connect Secure, Policy Secure, and ZTA gateways.
4. The patches released on January 31 to address two zero-day vulnerabilities exploited in attacks against government and military entities (CVE-2023-46805 and CVE-2024-21887), along with two other security defects in the same VPN products (CVE-2024-21888 and CVE-2024-21893), are also stated to mitigate CVE-2024-22024.
5. Although there is no evidence of the vulnerability being exploited in the wild, Ivanti urges customers to ensure they are running the latest patches. Customers who applied the January 31 or February 1 patches and factory reset their VPN appliances do not need to perform another factory reset.
6. There is a discrepancy in claims about how the vulnerability was identified: Ivanti states it was identified internally, while watchTowr claims its researchers found it and reported it to Ivanti on February 2.
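To make the class of bug concrete, the following is an added, constructed example that is not Ivanti's code and not the CVE-2024-22024 exploit: a minimal SAML consumer that extracts the NameID from a Response, written once with the unsafe parser setting (external general entities resolved, so a DOCTYPE-injected entity reads a local file into the assertion) and once hardened (external entities stay off and any DOCTYPE is rejected outright, since no legitimate IdP sends a DTD). All element names, file paths, the "secret" file contents and the sample messages are assumptions made for the demo; the SAML payloads are constructed inline.

```python
"""XXE in a SAML consumer: an unsafe parser setting beside a fail-closed one.

Constructed example; not Ivanti code and not the CVE-2024-22024 payload.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class UnsafeSamlXml(Exception):
    """Raised when a SAML message carries a DTD, which no legitimate IdP sends."""


class _NameIdCollector(handler.ContentHandler):
    """Collect the text of the first NameID element (enough for this demo)."""

    def __init__(self):
        super().__init__()
        self._in_name_id = False
        self.name_id = ""

    def startElement(self, name, attrs):
        if name.split(":")[-1] == "NameID":
            self._in_name_id = True

    def characters(self, content):
        if self._in_name_id:          # text may arrive in several chunks
            self.name_id += content

    def endElement(self, name):
        if name.split(":")[-1] == "NameID":
            self._in_name_id = False


class _RejectDtd:
    """SAX lexical handler: abort the parse the moment a DOCTYPE appears."""

    def startDTD(self, name, public_id, system_id):
        raise UnsafeSamlXml(f"DOCTYPE {name!r} in SAML message "
                            f"(public={public_id!r}, system={system_id!r})")

    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def name_id_insecure(saml_xml: bytes) -> str:
    """Resolves external general entities: this is the XXE sink."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)   # the dangerous setting
    collector = _NameIdCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(saml_xml))
    return collector.name_id


def name_id_hardened(saml_xml: bytes) -> str:
    """External entities off (the default) and any DTD rejected, so it fails closed."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setProperty(handler.property_lexical_handler, _RejectDtd())
    collector = _NameIdCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(saml_xml))
    return collector.name_id


def benign_response() -> bytes:
    """Constructed, unsigned SAML Response fragment (no DTD)."""
    return (b'<?xml version="1.0"?>\n'
            b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
            b' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">\n'
            b'  <saml:Assertion><saml:Subject><saml:NameID>alice@example.test'
            b'</saml:NameID></saml:Subject></saml:Assertion>\n'
            b'</samlp:Response>')


def xxe_response(secret_path: str) -> bytes:
    """Constructed attacker message: NameID is an external entity pointing at a local file."""
    return (b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE samlp:Response [ <!ENTITY xxe SYSTEM "' + secret_path.encode() + b'"> ]>\n'
            b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
            b' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">\n'
            b'  <saml:Assertion><saml:Subject><saml:NameID>&xxe;</saml:NameID>'
            b'</saml:Subject></saml:Assertion>\n'
            b'</samlp:Response>')


def demo() -> dict:
    """Write a constructed 'secret' to a temp file, then run both parsers on the XXE payload."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("flag{constructed-secret}")      # stand-in for a config or credential file
        secret_path = f.name
    try:
        results = {"benign": name_id_hardened(benign_response()),
                   "insecure": name_id_insecure(xxe_response(secret_path))}
        try:
            name_id_hardened(xxe_response(secret_path))
            results["hardened"] = "ACCEPTED"
        except UnsafeSamlXml:
            results["hardened"] = "REJECTED"
    finally:
        os.unlink(secret_path)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:9s} -> {v}")
```

Merely leaving `feature_external_ges` off is not enough on its own: the parser then silently drops the entity and the consumer sees an empty NameID, which is a confusing failure rather than a rejected message. Refusing any DOCTYPE (what libraries such as defusedxml do by default) turns an attacker-controlled DTD into a hard parse error before any entity is declared, and also shuts the door on entity-expansion denial of service.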