Ivanti CEO Jeff Abbott this week said his company will completely revamp its security practices, even as the vendor disclosed yet another set of bugs in its vulnerability-plagued remote access products, Ivanti Connect Secure and Policy Secure.
In an open letter to customers, Abbott pledged a series of changes the company will make in the coming months to transform its security operating model following the relentless barrage of bug reports since January. The promised solutions include a complete overhaul of Ivanti’s design, security and vulnerability management processes and the implementation of a new secure-by-design initiative for product development.
An in-depth review
“We challenged ourselves to look critically at every step of our processes, and every product, to ensure the highest level of protection for our customers,” said Abbott, in his statement. “We have already begun to apply what we have learned from recent incidents to make immediate improvements to our engineering and safety practices.”
Some of the specific steps include integrating security into every stage of the software development lifecycle and integrating new isolation and anti-exploit features into its products to minimize the potential impact of software vulnerabilities. The company will also improve its internal vulnerability detection and management process and increase incentives for third-party bug hunters, Abbott said.
Additionally, Ivanti will make more resources available to customers for finding vulnerability information and associated documentation, and is committed to increased transparency and information sharing with customers, it added.
How much these commitments will help to stem growing customer disenchantment with Ivanti remains unclear given the company’s recent security history. In fact, Abbott’s comments came one day after Ivanti revealed four new bugs in its Connect Secure and Policy Secure gateway products and released patches for each.
The disclosure followed a similar incident less than two weeks ago involving two bugs in Ivanti’s Standalone Sentry and Neurons for ITSM products. Ivanti has so far disclosed a total of 11 vulnerabilities (including this week’s four) in its technologies since January 1st. Many of these were critical flaws (at least two were zero-days) in the company’s remote access products, which attackers, including advanced persistent threat actors such as “Goblin Magnet,” have exploited on a mass scale. Concern about the risk of serious breaches via some of these bugs prompted the US Cybersecurity and Infrastructure Security Agency (CISA) in January to order all civilian federal agencies to take their Ivanti systems offline and not reconnect the devices until the problems were completely resolved.
Security researcher and IANS research faculty member Jake Williams says the vulnerability revelations have raised serious questions from Ivanti customers. “Based on the conversations I’m having, especially with Fortune 500 customers, I honestly think it’s a little bit too little too late,” he says. “The time to make this commitment publicly was more than a month ago.” There’s no doubt that problems with the Ivanti (formerly Pulse) VPN appliance are causing CISOs to question the security of many other Ivanti products, he says.
A new set of four bugs
The four new bugs disclosed by Ivanti this week included two heap overflow vulnerabilities in the IPSec component of Connect Secure and Policy Secure, both of which the company characterized as high-severity risks to customers. One of the vulnerabilities, identified as CVE-2024-21894, gives unauthenticated attackers the ability to execute arbitrary code on affected systems. The other, assigned as CVE-2024-22053, allows an unauthenticated, remote attacker to read contents from system memory under certain conditions. Ivanti described both vulnerabilities as allowing attackers to send malicious requests to trigger denial-of-service conditions.
The other two flaws, CVE-2024-22052 and CVE-2024-22023, are medium-severity vulnerabilities that attackers can exploit to cause denial-of-service conditions on affected systems. Ivanti said that as of April 2, it was not aware of any in-the-wild exploit activity targeting the vulnerabilities.
The constant stream of bug reports has raised concerns about the risk Ivanti products pose to more than 40,000 customers worldwide, some of whom have expressed frustration on forums like Reddit. Just two years ago, Ivanti press releases claimed 96 of the Fortune 100 companies as customers. In the latest release that number has dropped nearly 12%, to 85 companies. While the attrition may have to do with factors other than security, some of Ivanti’s rivals have begun to sense an opportunity. Cisco, for example, has started offering incentives — including a 90-day free trial — to try to convince Ivanti’s VPN customers to migrate to its Secure Access platform so they can “mitigate the risk” from Ivanti products.
Acquisition problems?
Eric Parizo, an analyst at Omdia, says that at least some of Ivanti’s challenges have to do with the fact that the company’s product portfolio is the sum of numerous past acquisitions. “The original products were developed at different times by different companies for different purposes and using different methods. This means that the quality of the software, especially with regards to software security, can be significantly uneven,” he says.
Parizo believes that what Ivanti is doing now with its commitment to improving security processes and procedures at all levels is a step in the right direction. “I would also like to see the seller compensate their customers for damages directly resulting from these vulnerabilities, as this will help restore confidence in future purchases,” he says. “Perhaps the only saving grace for Ivanti is that customers are so accustomed to these types of events, with cybersecurity vendors having suffered countless similar incidents in recent years, that customers are more likely to forgive and forget.”