Number of orgs compromised via Ivanti VPN zero-days grows as Mandiant weighs in

Two zero-day bugs in Ivanti products were likely under attack by cyberspies as early as December, according to Mandiant's threat intel team. The software biz disclosed the vulnerabilities in Ivanti Connect Secure (ICS) – the VPN server appliance previously known as Pulse Connect Secure – and its Policy Secure gateways on …

  1. cyberdemon Silver badge
    Devil

    Ivanti my money back

    Plus damages

  2. Anonymous Coward

    Caveat emptor

    Here you have yet another bloated monstrosity, more of a proxy with lots of bureaucracy enforcement features than a traditional VPN tunnel. Of course it's based on SSL so it can "just run in any browser" and guarantees it has the maximal attack surface in accordance with the "sum of all flaws and failures" doctrine.

    Or maybe get something based on noise\wireguard, separate your policy tools from your network transit, and deal with the easy problem of pushing an app profile in the modern era.

    Or at least consider investing in security tools from a company that isn't the latest home to Goldmine. "We cater to customers who will pay through the nose to resist modernization in any form" isn't a bad marketing plan, but it's also a terrible vision statement for a security product.

    Call me crazy if you wish, but I want my VPN to be thin, light, and tough to crack. Let a box on the far end handle orchestration and routing separately to get to the zero trust goals. Nothing wrong with tackling a problem with a solution stack where each tool only does what it's good at. In this case the host box, located inside the client's security perimeter, is serving an SSL based website to the world to allow its clients to connect. The claim it doesn't need to be deployed in a DMZ, advice that will cause extra pain for organizations that listened to the marketing puffery.

    https://help.ivanti.com//ps/help/en_US/ICS/22.x/22.6R2/22.xICSAG.pdf

  3. Claptrap314 Silver badge

    Huh

    The behavior described actually meets my definition of "sophisticated". Weird.

  4. Anonymous Coward

    Ivanti shitshow

    This is being handled very poorly by Ivanti. No sign of any patched OS versions, despite a number being meant to have been released this week. They are advising people to upgrade from older point versions to the latest release train, but aren't planning on releasing the patched version of the latest release train until the second wave of patches is released. Arse meet elbow.
