Here’s what’s clear about the current state of security in Ivanti’s VPN equipment: it has been largely vulnerable to cyberattacks, and threat actors are taking advantage of it. It is up to corporate cyber teams to decide what comes next.
So far, Ivanti has revealed five VPN flaws in 2024, most exploited as zero-days, with two publicly announced weeks before the patches became available. Some critics, such as cybersecurity researcher Jake Williams, see Ivanti’s excess vulnerabilities and the company’s slow response to incidents as an existential threat to the company.
Williams attributes Ivanti’s current problems to years-long negligence in secure coding and security testing. To recover, Ivanti would have to both overcome technical debt, according to Williams, and somehow rebuild trust with its customers. Williams adds that he doubts Ivanti will be able to complete that task.
“I don’t see how Ivanti survives as an enterprise firewall brand,” Williams tells Dark Reading, a sentiment he has widely repeated on social media.
A more generous view of the recent spate of zero-day disclosures is that it’s a positive sign that Ivanti is taking a long, hard look at its cybersecurity.
“Ivanti is digging deep into its products to find, fix and reveal vulnerabilities, and it deserves some credit for that,” says John Gallagher, vice president of Viakoo Labs.
When asked for comment, Ivanti referred Dark Reading to its February 8 blog post regarding its most recent disclosure.
Ivanti’s troubles fall to the cyber teams
Ultimately, enterprise cybersecurity teams will have to choose between patching and following CISA’s advice to completely unplug their Ivanti VPN equipment. They must also explain the decision to superiors.
Patching is a reasonable response, but Ivanti’s patching program was delayed for the aforementioned pair of zero-day vulnerabilities disclosed on January 10 (CVE-2024-21887 and CVE-2023-46805). These remained unpatched and under active exploitation for 20 days before receiving patches on January 30. But there was also more bad news: the Ivanti update also included fixes for two additional, previously undisclosed bugs (CVE-2024-21888 and CVE-2024-21893), the latter already being actively exploited in the wild.
That was enough for CISA to issue a mandate on February 1 for federal agencies to disconnect Ivanti products from their systems.
A fifth Ivanti vulnerability was discovered on February 9, identified as CVE-2024-22024. In the end, Ivanti credited watchTowr with the discovery, although it initially claimed that internal teams had found the bug, sowing some confusion among the ranks of bug hunters.
Further undermining confidence in Ivanti’s security practices is the fact that the initial bugs disclosed on January 10 were supposed to be patched on January 22, but Ivanti pushed the release date back to the 30th.
“These devices need their software to be designed as seriously as this threat requires,” says John Bambenek, president of Bambenek Consulting. “When you publish zero-day patch programs, you have to meet these goals, especially in a situation like this.”
Meanwhile, Ivanti’s persistent flaws have attracted crowds of cybercriminals, including Chinese state-sponsored threat actors. Shadowserver researcher Piotr Kijewski confirmed to Dark Reading that at least 47 IP addresses have so far attempted to exploit the most recently revealed Ivanti VPN bug.
There’s some confusion here too: Ivanti released the following statement to Dark Reading in response to the Shadowserver report: “We have no indication that CVE-2024-22024 has been exploited in the wild.”
Viakoo’s Gallagher gives Ivanti poor marks for its incident response so far.
“Ivanti recovery will need to address both the technical aspects of these attacks and the trust/reputation damage this has caused them,” he says. “On both fronts they stumbled badly.”
Ivanti promises to correct defects; customers remain cautious
In a Feb. 8 advisory about the latest Connect Secure and Policy Secure Gateways bugs, Ivanti assured customers that it is now conducting a full audit of its code.
“Our team has been working around the clock to aggressively review all code and is particularly focused on bringing full resolutions to the issues affecting Ivanti Connect Secure (formerly Pulse Connect Secure), Ivanti Policy Secure and the ZTA gateways,” the company said.
As Ivanti’s cybersecurity problems mount, the lesson for IT teams is that just reactively patching edge devices isn’t enough, according to Patrick Tiquet, vice president of security and architecture at Keeper Security.
“It is critical that vendors prioritize identifying and resolving issues within their solutions,” says Tiquet. “But organizations should regularly engage in pen-testing of their products and services to proactively identify vulnerabilities before someone else does.”
Only time will tell whether Ivanti will be able to win back customers who have already left and reassure those who remain, but in the meantime Bambenek advises corporate security teams to remain cautious.
“If I were a CISO, I would consider Ivanti for a few years until it proved itself again,” he adds.