{"id":55231,"date":"2024-02-02T15:24:06","date_gmt":"2024-02-02T15:24:06","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/35482\/Federal-Agencies-Have-Until-Feb.-3-To-Disconnect-Ivanti-VPNs.html"},"modified":"2024-02-02T15:24:06","modified_gmt":"2024-02-02T15:24:06","slug":"federal-agencies-have-until-feb-3-to-disconnect-ivanti-vpns","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/federal-agencies-have-until-feb-3-to-disconnect-ivanti-vpns\/","title":{"rendered":"Federal Agencies Have Until Feb. 3 To Disconnect Ivanti VPNs"},"content":{"rendered":"
<\/div>\n

UPDATE<\/strong><\/p>\n

The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued a supplemental directive<\/a> on the high-severity flaws discovered over the past several weeks in Ivanti Connect Secure and Policy Secure VPN products, calling for federal civilian executive branch (FCEB) agencies to disconnect all affected devices by early Saturday morning.<\/p>\n

CISA\u2019s directive was on the heels of Ivanti releasing a Jan. 31 notice to its customers i<\/a>n which it released patches for all known vulnerabilities, including fixes for CVE-2024-21893<\/a> \u2014 a new zero-day flaw exploited in the wild \u2014 and CVE-2024-21888<\/a>, a bug the company said has not impacted any customers. Ivanti released the patches after receiving criticism for a slow rollout, but did so only for some versions. The rest of the patches will be released on a staggered schedule over the next several weeks.<\/p>\n

Security pros said the supplemental directive issued by CISA was mainly in response to threat actors targeting earlier discovered zero-days in Ivanti VPN appliances exploiting CVE-2023-46805<\/a>, an authentication bypass, and CVE-2024-21887<\/a>, a command injection security flaw.<\/p>\n

\u201cCISA issues emergency directives in situations where there\u2019s a clear and present danger to U.S. federal agencies and national security, explained Callie Guenther, senior manager, cyber threat research at Critical Start. \u201cThe decision to issue such a directive for Ivanti Connect Secure and Ivanti Policy Secure VPN products was driven by the widespread and active exploitation by multiple threat actors<\/a> of critical vulnerabilities, CVE-2023-46805 and CVE-2024-21887.\u201d<\/p>\n

Guenther said these vulnerabilities let attackers perform actions such as lateral movement across networks, data exfiltration, and establishing persistent system access, posing significant risks to federal civilian enterprises. Non-federal agencies and private-sector organizations are urged by CISA to adopt the actions outlined in the directive because of the potential impact of these vulnerabilities beyond the federal government, added Guenther.<\/p>\n

\u201cAlthough the directive is specifically binding on federal civilian executive branch agencies, the underlying security concerns are relevant to all organizations using Ivanti products,\u201d said Guenther.<\/p>\n

Along with the moves by CISA and Ivanti, SC Media reported yesterday<\/a> that since initially writing<\/a> about the the most pressing Ivanti vulnerabilities<\/a> on Jan. 12, Mandiant identified broad exploitation activity both by the original threat actor \u2014 UNC5221 \u2014 as well as various other uncategorized threat groups. And, in a blog post Jan. 31<\/a>, Mandiant said it now classifies UNC5221 as a suspected China-nexus espionage threat actor.<\/p>\n

In its supplement directive, CISA said civilian federal agencies are required to take the following actions:<\/p>\n

\n