Ivanti Connect Secure and Ivanti Policy Secure XML eXternal Entity (XXE) Vulnerability (CVE-2024-22024)

Qualys Security Advisory

Ivanti has warned users to patch an XML external entity vulnerability impacting Connect Secure, Policy Secure, and ZTA gateways. CVE-2024-22024 may allow an attacker to access certain restricted resources without authentication.

Ivanti has mentioned in the advisory, “We have no evidence of this vulnerability being exploited in the wild as it was found during our internal review and testing of our code.”

Ivanti Connect Secure is a VPN solution that provides secure and controlled access to corporate data and applications for employees, partners, and customers. It allows remote and mobile users to access corporate resources from any web-enabled device.

Ivanti Policy Secure (IPS) is a network access control (NAC) solution providing access to authorized and secured users and devices. It’s a central policy management server that validates the user’s identity and determines the endpoint’s security compliance.

Affected Versions

  • ZTA version 22.6R1.3
  • Ivanti Policy Secure versions 22.5R1.1
  • Ivanti Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1

Mitigation

Customers are advised to upgrade to the following patched versions:

  • ZTA gateways versions 22.5R1.6, 22.6R1.5 and 22.6R1.7
  • Ivanti Policy Secure versions 9.1R17.3, 9.1R18.4 and 22.5R1.2
  • Ivanti Connect Secure versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2

Ivanti states, “Customers who applied the patch released on 31 January or 1 February and completed a factory reset of their appliance do not need to factory reset their appliances again.”

For more information, please refer to Ivanti Security Advisory (000090576).

Qualys Detection

Qualys customers can scan their devices with QID 731145 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

READ MORE