Ivanti zero-day exploits explode as bevy of attackers get in on the act

There's a "reasonable chance" that Ivanti Connect Secure (ICS) VPN users are already compromised if they didn't apply the vulnerability mitigation released last week, experts say. The latest data from Volexity shows that successful exploits of two Ivanti zero-days have accelerated sharply to more than 1,700 devices. Citing …

  1. Mike 137

    Where to go from here?

    If we can't trust security appliances and services to be secure, what hope is there? It seems the same standards apply to their development as to that of the most mundane applications. It's about time we implemented global mandatory standards (including formal independent testing) for all sensitive applications including security appliances. The EU seems to be starting to lead the way, but there's probably a long haul ahead before any material change takes place for the better.

    1. Anonymous Coward

      Re: Where to go from here?

      The only secure computer is one that is never powered on, so while development process changes would help, the user needs to be prepared to respond to issues immediately. By unplugging the computer.

  2. RJX

    Meh. Just convince management to let you do your job the right way.

    We deployed the predecessor, the Juniper remote access version. Then we upgraded to the Pulse Secure version when Juniper spun them off. And now it's the Ivanti version.

    We have as close to a zero percent chance of an RCE or any other compromise as there is regardless of patch status or version. How did we do that?

    It's dirt-simple to require a client certificate on the connecting computer in order to even connect to the port of the remote access box. We spun up a Certificate Authority for all remote connections (remote access, API, whatever) and we require a client certificate to even connect to the port. No cert means you don't even get a banner, just a dropped connection because you can't get past the port to anything else.

    As a bonus the remote access log files drop to almost nothing because even scanners and attackers won't get logged, just connections with the proper client certificate. We can still see the unauthorized connection attempts in the firewall logs but not in the Ivanti logs.

    In the words of a major pen testing company (that almost anyone in the business would recognize) when they could not do a thing to us:

    "NOBODY DOES THAT!"

    And that's the problem. We have a few thousand client certs authorized and the rest of the 3 billion people on Planet Earth with Internet access think nothing's there even if they dial up the URL.

    1. Anonymous Coward

      Re: Meh. Just convince management to let you do your job the right way.

      I do that. Along with TOTP, and password+username.
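    The client-certificate gate RJX describes above, as an added example that is not part of this thread and not anything from Ivanti, Juniper or Pulse Secure: a Go snippet (assumed: Go 1.13+ standard library only) that mints a throwaway CA and certs, fronts the "appliance" with a TLS config set to RequireAndVerifyClientCert, and runs one connection over an in-memory pipe standing in for the listening port. A peer with a cert from the CA gets the banner; anyone else is dropped during the handshake and never sees application data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// newCert mints a throwaway Ed25519 cert for 127.0.0.1: a self-signed CA when parent is nil, else a leaf (constructed demo input, errors ignored).
func newCert(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: parent == nil,
		BasicConstraintsValid: true, Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}}
	if parent == nil { // self-signed: the template is its own issuer
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// banner pushes one connection through the gate over an in-memory pipe and returns what the peer gets back: the banner if it holds a cert issued by ca, otherwise "" (dropped at the port).
func banner(ca, server tls.Certificate, client *tls.Certificate) string {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srvConf := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
	cliConf := &tls.Config{RootCAs: pool, ServerName: "127.0.0.1", MinVersion: tls.VersionTLS12}
	if client != nil {
		cliConf.Certificates = []tls.Certificate{*client}
	}
	a, b := net.Pipe()
	go func() { // gate side: a failed handshake means no banner, just a closed connection
		defer a.Close()
		if s := tls.Server(a, srvConf); s.Handshake() == nil {
			s.Write([]byte("ICS banner\n"))
		}
	}()
	defer b.Close()
	buf := make([]byte, 32)
	n, _ := tls.Client(b, cliConf).Read(buf) // Read runs the handshake; on rejection n == 0
	return string(buf[:n])
}
```

    As RJX notes, the rejected connection leaves nothing at the application layer to log; the only trace of a scanner is the TCP connection itself, which is why such attempts show up in firewall logs but not in the appliance's own.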

  3. captain veg

    YMMV

    I've found that specifying new kit to not have Windows installed does the trick.

    -A.

  4. Anonymous Coward

    Ivanti shitshow

    This is being handled very poorly by Ivanti. No sign of any patched OS versions, despite a number being meant to have been released this week. They are advising people to upgrade from older point versions to the latest release train, but aren't planning on releasing the patched version of the latest release train until the second wave of patches is released. Arse meet elbow.
