An emergency vulnerability has emerged in Ivanti products and appliances, and it has sent many service providers, especially those in the federal space, in a rush to close their gaps and respond as best they can.

This article covers the incident, the government’s response, and what it means for service providers.

The latest findings of the last two weeks highlight some vulnerabilities associated with Ivanti products that capture most of the attention of cybersecurity entities such as the Cybersecurity and Infrastructure Security Agency (CISA).

An XML external entity injection (XXE) vulnerability (CVE-2024-22024) has been found,  affecting supported versions of Ivanti Connect Secure, ZTA, and Policy Secure products. Ivanti issued software updates on February 8, 2024, mitigating this and many other reported vulnerabilities:

• CVE-2024-21888
• CVE-2024-21893
• CVE-2023-46805
• CVE-2024-21887

In addition, the company reports active exploitation of Ivanti Connect Secure and Ivanti Policy Secure appliances, broad usage, and against the international environment for businesses of small to large size, including Fortune 500 companies. The vulnerabilities have compromised about 1,700 devices, while about 7,000 are still vulnerable. In mitigation, Ivanti has provided workarounds and advised the user to monitor network traffic for malicious activity while waiting for patching.

Given these critical vulnerabilities and their widespread exploitation, CISA has issued Emergency Directive 24-01, requiring all federal civilian agencies to implement specific actions immediately and vendor-provided mitigation guidance to address the vulnerabilities in these Ivanti appliances. This directive further points out the high risks these vulnerabilities pose to federal government systems and, by extension, those systems of all entities that use the mentioned products. This directive from CISA underscores the urgency for adopting mitigation measures to protect against potential compromise.

According to Ivanti, individuals and organizations using its products should comply with the recommendations put forward by Ivanti and CISA, apply the relevant patches and updates, and watch out for compromise.

What Is CISA Emergency Directive 24-01?

Emergency Directive 24-01 addresses the urgent need to mitigate vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure appliances due to widespread and active exploitation by malicious cyber threat actors. This directive is primarily aimed at Federal Civilian Executive Branch (FCEB) agencies, but CISA strongly encourages all organizations using these Ivanti products to implement the recommended mitigations.

The directive was issued in response to two specific vulnerabilities, CVE-2023-46805 and CVE-2024-21887, which allow attackers to move laterally across networks, perform data exfiltration, and establish persistent system access–essentially, to behave as Advanced Persistent Threats (APTs). Given the significant risks posed by these vulnerabilities to the security of federal systems and the broader community, the directive mandates immediate, specific actions and the implementation of vendor-provided mitigation guidance for these Ivanti appliances.

As part of the directive, federal agencies must disconnect affected Ivanti products from their networks and follow a series of steps to bring them back into service securely. These steps include: 

• Exporting configuration settings
• Performing a factory reset
• Rebuilding the device
• Upgrading to a supported software version, and 
• Reimporting their configuration. 

Additionally, agencies must revoke and reissue any connected or exposed certificates, keys, and passwords.

CISA’s actions in response to the directive include providing templates for reporting agency actions, continuing efforts to identify instances and potential compromises, offering technical assistance to agencies, and providing a comprehensive report on the cross-agency status of the directive’s implementation. 

CISA also updated its guidance to include new vulnerabilities and software updates provided by Ivanti, highlighting the need for continuous vigilance and implementing software updates and mitigations as they become available. This provides guidance for dealing with a newly disclosed XXE vulnerability (CVE-2024-22024).

How Does This Impact Cloud Providers Under FedRAMP?

Cloud Service Providers must review and implement actions described in Emergency Directive 24-01 if they maintain federal information, ensuring compliance with FedRAMP requirements. Actions include uploading responses to a FedRAMP reporting template in the incident response folder of their FedRAMP secure repository by specified deadlines. Upon action completion, CSPs must notify agency customer Authorizing Officials and the FedRAMP PMO. This ensures CSPs align with FedRAMP and CISA directives to mitigate vulnerabilities effectively.

What Are XML External Entity Attacks?

XML External Entity (XXE) injection is a type of attack against applications that parse XML input. This attack occurs when an XML parser processes input containing a reference to an external entity (a document outside the current page’s scope). If an application is vulnerable to XXE attacks, attackers can exploit this by including malicious content in the XML data, attempting to trick the parser into executing unintended operations. These operations can involve accessing local or remote content, interacting with other systems in a way that can compromise security, or even execute arbitrary code depending on the application’s configuration and the environment.

The core of an XXE attack is the XML feature that allows an XML document to define entities, which are shortcuts to larger content blocks. These entities can be defined within the document or as references to external sources. In a typical XXE attack, an attacker would define or manipulate these entities in a way that causes the XML parser to access unauthorized resources.

XXE vulnerabilities can lead to various impacts, such as:

• Disclosure of confidential data by including file references in the entity the XML parser will access and include in the processed output.
• Denial of Service (DoS), by referencing entities that consume system resources excessively.
• Server-side request forgery (SSRF) makes the XML parser send requests to unintended locations.
• Port scanning and other internal network reconnaissance from the perspective of the application’s server.

Mitigating XXE attacks typically involve:

• Disabling external entities in the XML parser configuration.
• Using less complex data formats such as JSON, which do not support document type definitions and are not vulnerable to XXE attacks.
• Keeping software and libraries up to date to ensure any security patches for known XXE vulnerabilities are applied.
• Validating and sanitizing all input data ensures it does not contain malicious XML entities.

Developers and security teams should be aware of XXE vulnerabilities, especially when working with applications that accept XML input, to protect against potential data breaches and system compromises.

Respond Quickly to the Latest Vulnerabilities with Lazarus Alliance

If you are a CSP or other provider handling the fallout of the Ivanti security vulnerability, particularly in the federal space, then Lazarus Alliance can help with extensive services including:

• FedRAMP
• StateRAMP
• NIST 800-53
• FARS NIST 800-171
• CMMC
• SOC 1 & SOC 2
• HIPAA, HITECH, & Meaningful Use
• PCI DSS RoC & SAQ
• IRS 1075 & 4812
• ISO 27001, ISO 27002, ISO 27005, ISO 27017, ISO 27018, ISO 27701, ISO 22301, ISO 17020, ISO 17021, ISO 17025, ISO 17065, ISO 9001, & ISO 90003
• NIAP Common Criteria – Lazarus Alliance Laboratories
• And dozens more!