April 8, 2024 at 10:54AM
Researchers at the Shadowserver Foundation discovered thousands of internet-exposed Ivanti VPN appliances vulnerable to a recently disclosed CVE-2024-21894, enabling remote code execution. Ivanti released updates for this and other vulnerabilities, urging users to update instances. ShadowServer found over 16,000 affected Ivanti VPN instances, mostly in the US and Japan, with uncertainty around actual targets and patch impact.
Key Takeaways from the Meeting Notes:
– Researchers at the Shadowserver Foundation have discovered thousands of Ivanti VPN appliances exposed over the internet, potentially affected by multiple vulnerabilities, including the recently disclosed CVE-2024-21894, a high-severity heap overflow bug in the IPSec component of Ivanti Connect Secure and Policy Secure.
– Ivanti has released software updates to address this flaw and three other vulnerabilities, urging all users to update their instances, although there have been no reported exploits of these bugs at the time of disclosure.
– ShadowServer’s internet scans identified over 16,000 vulnerable Ivanti VPN instances potentially impacted by CVE-2024-21894, with approximately 10,000 internet-accessible Ivanti Connect Secure and Policy Secure instances vulnerable as of April 7.
– The majority of the vulnerable appliances are located in the US, Japan, the UK, France, Germany, China, Canada, and India.
– There is uncertainty regarding the actual number of Ivanti VPNs versus honeypots, as well as whether the observed decrease in instances was due to patching.
– Ivanti has experienced zero-day attacks, leading to security response challenges and government disconnection instructions, prompting the company to announce a makeover of its entire cybersecurity organization.
These key points demonstrate the severity of the vulnerabilities affecting Ivanti VPN appliances and the urgency for users to apply necessary software updates to mitigate potential risks.