New vulnerabilities in Ivanti products

On April 2, Ivanti reported that it had fixed four new vulnerabilities in its Ivanti Connect Secure and Ivanti Policy Secure network gateways. The most dangerous of them is tracked as CVE-2024-21894: a bug in the IPSec component that leads to a heap overflow under certain conditions. A remote attacker could send a crafted packet to a vulnerable server and cause a denial of service or, under certain conditions, arbitrary code execution.

According to the vendor, this vulnerability was not being exploited at the time of discovery, which sets it apart from the set of problems found back in early January. Those critical vulnerabilities were discovered during the investigation of a real attack, and for quite a long time the vendor was unable to release a patch for an actively exploited problem. This even led to a rather unconventional recommendation from the US agency CISA: first disconnect vulnerable VPN servers altogether, and only then deal with whether a patch is available. The difficult security situation around systems meant to protect the corporate perimeter from unauthorized access also led to the publication of an open letter from Ivanti's CEO, in which he promised to reconsider the company's approach to security.


The three other fresh vulnerabilities do not lead to a guaranteed compromise of the gateway, but they also allow an effective DoS attack. In total, three of the four problems are in the IPSec module and one is in the Single Sign-On functionality. Three days after the patch was released, more than 16 thousand vulnerable Connect Secure servers could still be found online. The January vulnerabilities were more serious: the pair discovered then made it possible to bypass authentication and execute arbitrary code on the server. The lack of a patch in the face of an active attack put operators of Ivanti VPN servers in a difficult position: not only did they have to patch vulnerable servers once that became possible, they also had to make sure the servers had not already been compromised. Users were offered workarounds that limited the functionality of Connect Secure/Policy Secure, and in some cases these were bypassed. The standard utility for checking the integrity of the server code seemed to guarantee that no attacker's web shell was installed, but it turned out that this was not true in all cases. It later emerged that CISA itself also used Ivanti products and was affected by the attack.

This is a difficult situation for any software vendor whose vulnerabilities affect customers. It had to respond to the reputational damage somehow, and last week Ivanti CEO Jeff Abbott made such an attempt, announcing in a letter to customers “a new era” at the company. In the letter, Ivanti promises to make product security central by reviewing absolutely all development processes. Besides these general statements, there are also several specific promises that many vendors would do well to keep.

Specifically, Ivanti's CEO talks about the Secure-by-Design approach. This means introducing product security checks at every stage of development, starting with design. The letter promises to introduce code isolation and exploit mitigation technologies, so that even if some vulnerability can be exploited, it should not lead to the compromise of the entire network gateway. It rightly points out that installing patches and monitoring the security of the product should be made simpler for users. Internal processes for finding bugs in code are to be complemented by external expertise. The letter is not free of buzzwords: it also mentions a certain “AI-based interactive voice support system.” Separately, it discusses the need to make work on product security transparent to customers.

Ivanti is neither the first nor the last company to revise its design to make its product more secure. It is obvious that previously product security was not this vendor's main priority. A quick review of an Ivanti product conducted in February found it using an outdated CentOS 6.4 distribution that had not received updates since 2020, OpenSSL packages from 2017 and Python 2.6.6 from 2010. It was then that it was discovered that the built-in integrity checking system did not actually check a large number of directories in which attackers could theoretically hide malicious code. Moving from this state to the desired secure-by-design will not be easy, but the direction this vendor has chosen is, of course, the right one.
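To show why an integrity checker that skips directories is a problem, here is an added example (not Ivanti's integrity checker and not code from the page): a minimal hash-based file integrity check in Python, run twice over a constructed directory tree, once with one directory excluded from the scan and once over the full tree. The directory names, file contents and the "planted" file are all constructed for the demonstration and do not describe any real product layout.

```python
"""Illustrative file-integrity check (constructed example, not a vendor tool).

Builds a baseline of SHA-256 hashes for a directory tree, then compares the
live tree against it. The point demonstrated is the gap an exclusion list
opens: a file planted under an excluded directory is invisible to the narrow
check, while a full-tree scan reports it. Both checks still catch a modified
file that they do track.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, excluded: tuple[str, ...] = ()) -> dict[str, str]:
    """Map relative POSIX path -> sha256 for every regular file under root,
    skipping any top-level directory whose name is in `excluded`."""
    result: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if Path(dirpath) == root:
            # Prune in place so os.walk never descends into excluded trees.
            dirnames[:] = [d for d in dirnames if d not in excluded]
        for name in filenames:
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = _sha256(p)
    return result


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario: take a baseline, then simulate a compromise that
    trojans a tracked binary and plants a new file under a directory the
    narrow check excludes. Returns (narrow_result, full_scan_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "tmp").mkdir()
        (root / "bin" / "gateway").write_bytes(b"\x7fELF-placeholder")  # constructed
        (root / "tmp" / ".keep").write_bytes(b"")

        excluded = ("tmp",)  # hypothetical exclusion list of the narrow check
        narrow_baseline = snapshot(root, excluded)
        full_baseline = snapshot(root)

        # Simulated post-compromise changes.
        (root / "bin" / "gateway").write_bytes(b"\x7fELF-trojaned")
        (root / "tmp" / "shell.cgi").write_bytes(b"#!/bin/sh\n")  # planted file

        narrow_result = compare(narrow_baseline, snapshot(root, excluded))
        full_result = compare(full_baseline, snapshot(root))
    return narrow_result, full_result


if __name__ == "__main__":
    narrow, full = demo()
    print("with exclusions:", narrow)
    print("full scan:      ", full)
```

Both runs flag the modified binary, but only the full scan reports the file planted under the excluded directory; an exclusion list in an integrity checker is exactly the place an attacker will choose to store a web shell.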

What else happened

Two zero-day vulnerabilities have been discovered in Google Pixel smartphones and closed with a fresh patch.

The latest publication from Kaspersky Lab researchers analyzes the development of software for illegal surveillance, so-called stalkerware.

A fresh vulnerability has been discovered in D-Link NAS devices. The combination of a default password and a method of executing arbitrary code was observed on 92 thousand devices worldwide at the time the report was published. What is even sadder is that there will be no patch for this issue: the affected devices are no longer supported by the manufacturer, which recommends replacing them with something newer.

An interesting example of a simple vulnerability in the system that provides electronic check-in at Ibis hotels. Guests can get access to their room through a terminal at the entrance, where they need to enter a reservation code. If several hyphens in a row are entered instead of a code, the terminal displays a list of current reservations, and for each of them shows the code that opens the door.

A fresh study by American and Chinese scientists shows how it is possible to reconstruct the picture from a CCTV camera by analyzing its electromagnetic emissions.
