Nonetheless, on January 31 Ivanti disclosed two additional vulnerabilities that had been found while investigating the earlier two flaws: a privilege escalation vulnerability tracked as CVE-2024-21888 and a server-side request forgery in the SAML component (CVE-2024-21893). The latter can allow attackers to access restricted resources without authentication and was also exploited as a zero-day.
“At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted,” the company said in its updated knowledge base article. “Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public — similar to what we observed on 11 January following the 10 January disclosure.”
Additional steps required to mitigate risk from Ivanti vulnerabilities
As of February 1, fixed versions are available for all impacted products. However, CISA is asking agencies to export their configuration, rebuild the affected devices by performing a factory reset and updating the firmware, then import the configuration back, and remove the previously applied mitigation XML file.
It’s also important to revoke and reissue any potentially exposed certificates, keys, and passwords, including the admin enable password, the stored application programming interface (API) keys, and the passwords of any local user defined on the gateway, including service accounts used for auth server configuration.
Domain accounts associated with the affected products may also have been compromised, so agencies should reset the passwords for on-premises accounts and revoke Kerberos tickets as well as any tokens for cloud accounts in hybrid deployments. The machine tokens of cloud-joined devices should also be reset by disabling those devices.
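The identity-side part of that remediation (rotate on-premises accounts, revoke cloud tokens, disable cloud-joined devices), as an added PowerShell example rather than CISA's or Ivanti's own tooling. It assumes the responder has already built lists of the accounts and device object IDs the gateway could reach (the values below are constructed placeholders) and has run Connect-MgGraph with the User.RevokeSessions.All and Device.ReadWrite.All scopes.

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.Users.Actions, Microsoft.Graph.Identity.DirectoryManagement
# Added example for the CISA Ivanti remediation steps; run with -WhatIf first to review the planned changes.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$OnPremAccounts = @('svc-ivanti-ldap', 'svc-ivanti-radius'),  # constructed sample accounts
    [string[]]$HybridUpns     = @('svc-ivanti-ldap@example.com'),            # constructed sample UPN
    [string[]]$CloudDeviceIds = @('00000000-0000-0000-0000-000000000000')    # placeholder device object ID
)

function New-RandomPassword {
    # 24 bytes from a CSPRNG, base64-encoded: a long, unguessable value for service accounts
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# Keep an audit trail of every change made during the incident response
Start-Transcript -Path ".\ivanti-remediation-$(Get-Date -Format yyyyMMdd-HHmmss).log"

# 1. On-premises AD: rotate every account the gateway was configured with.
#    Caveat: a password reset does not revoke Kerberos tickets that were already
#    issued; they stay valid until they expire, so plan the ticket revocation separately.
foreach ($sam in $OnPremAccounts) {
    if ($PSCmdlet.ShouldProcess($sam, 'Reset AD password')) {
        Set-ADAccountPassword -Identity $sam -Reset -NewPassword (New-RandomPassword)
    }
}

# 2. Hybrid accounts: revoke refresh tokens so cached cloud sessions are invalidated too.
foreach ($upn in $HybridUpns) {
    if ($PSCmdlet.ShouldProcess($upn, 'Revoke Entra ID sign-in sessions')) {
        Revoke-MgUserSignInSession -UserId $upn | Out-Null
    }
}

# 3. Cloud-joined devices: disabling the device object resets its machine tokens.
foreach ($id in $CloudDeviceIds) {
    if ($PSCmdlet.ShouldProcess($id, 'Disable Entra ID device')) {
        Update-MgDevice -DeviceId $id -AccountEnabled:$false
    }
}

Stop-Transcript
```

The transcript file is the evidence that each account and device was actually touched; keep it with the incident record.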