Ivanti Gets Poor Marks for Cyber Incident Response

Editor's note: CISA clarified its guidance regarding Ivanti VPN appliances to explain they may be reconnected to government networks following the completion of necessary mitigations. This story has been updated to reflect CISA's Feb. 9 supplemental advisory on Ivanti products.

Here's what's clear about the current cybersecurity state of Ivanti's VPN appliances — they have been widely vulnerable to cyberattack, and threat actors are onto the possibilities. It's up to enterprise cyber teams to decide what comes next.

So far, Ivanti has disclosed five VPN flaws in 2024, most exploited as zero-days — with two of them publicly announced weeks before patches became available. Some critics, like cybersecurity researcher Jake Williams, see the glut of Ivanti vulnerabilities, and the company's slow incident response, as an existential threat to the business.

Williams blames Ivanti's current problems on years-long neglect of secure coding and security testing. To recover, Ivanti would have to both overcome that technical debt, according to Williams, while somehow building back trust with their customers. It's a task Williams adds he's dubious Ivanti will be able to pull off.

"I don't see how Ivanti survives as an enterprise firewall brand," Williams tells Dark Reading, a sentiment he has repeated widely on social media.

A more generous view of the recent spate of zero-day disclosures is that it's a positive sign Ivanti is taking a long, hard look at its cybersecurity.

"Ivanti is digging deep into its own products in order to find, fix, and disclose vulnerabilities, and deserves some credit for that," John Gallagher, vice president of Viakoo Labs says.

Asked for comment, Ivanti referred Dark Reading to its Feb. 8 blog post regarding its most recent disclosure.

Ivanti's Woes Fall On Cyber Teams

Ultimately, enterprise teams will have to choose. Cyber teams can following CISA's advice and disconnect Ivanti VPN appliances and update before they are reconnected. Or, while they're already offline for patching, they can replace Ivanti appliances altogether. They also have to explain the decision to higher-ups.

Patching is a reasonable response, but Ivanti's patching schedule was delayed for the aforementioned pair of zero-day vulnerabilities disclosed on Jan. 10 (CVE-2024-21887 and CVE-2023-46805). These ended up being under active exploit without a patch for 20 days before receiving patches on Jan. 30. But they came with more bad news: The Ivanti update also included fixes for two additional previously undisclosed bugs (CVE-2024-21888 and CVE-2024-21893), the latter of which had also already been under active exploitation in the wild.

That was enough for CISA to issue a Feb. 1 mandate for federal agencies to disconnect Ivanti products from their systems. CISA issued a clarification to the directive on Feb. 9 that Ivanti VPN appliances may be reconnected to government networks once they are sufficiently patched, and in some cases, reset to factory settings.

A fifth Ivanti vulnerability was disclosed on Feb. 9, tracked as CVE-2024-22024. Eventually, Ivanti credited watchTowr with the find, though at first it claimed internal teams found the bug, sowing some confusion in bug-hunter ranks.

Further undermining confidence in Ivanti security practices is the fact that the initial Jan. 10 bugs were originally due to get patches on Jan. 22 — but Ivanti pushed the release date back to the 30th.

"These devices need their software engineered with the same kind of seriousness that this threat requires," says John Bambenek, president at Bambenek Consulting. "When you publish zero-day patch schedules, you need to hit those targets, especially in a situation like this."

Meanwhile Ivanti's persistent flaws have attracted crowds of cybercriminals, including Chinese state-sponsored threat actors. And cyber researcher "Shadowserver" Pitor Kijewski confirmed to Dark Reading that there are at least 47 IPs to date attempting to exploit the most recently disclosed Ivanti VPN bug.

There is some confusion here too: Ivanti issued the following statement to Dark Reading in response to the Shadowserver report: "We have no indication that CVE-2024-22024 has been exploited in the wild."

Viakoo's Gallagher gives Ivanti poor marks for its incident response so far.

"Ivanti’s recovery will need to address both the technical aspects of these attacks, and the trust/reputational damage this has caused them," he says. "On both fronts they have stumbled badly."

Ivanti Vows to Fix Flaws, Customers Cautious

In a Feb. 8 advisory about the most recent Connect Secure and Policy Secure Gateways bugs, Ivanti assured customers it is now doing a full audit of its code.

"Our team has been working around the clock to aggressively review all code and is singularly focused on bringing full resolution to the issues affecting Ivanti Connect Secure (formerly Pulse Connect Secure), Ivanti Policy Secure and ZTA gateways," the company said.

As Ivanti's cybersecurity troubles mount, the lesson for cyber teams is that reactive patching alone of edge devices isn't sufficient, according to Patrick Tiquet, vice president of security and architecture at Keeper Security.

"It is imperative that vendors prioritize identifying and resolving issues within their solutions," Tiquet says. "But organizations should regularly engage in pen-testing of their own products and services to proactively find vulnerabilities before someone else does."

Only time will tell if Ivanti will be able to woo its customers back who've already left, and reassure the ones who have stuck around, but in the meantime, Bambanek advises enterprise security teams remain cautious.

"If I were a CISO, I'd take a pass on Ivanti for a few years until they’ve proven themselves again," he adds.