CISA mandates agencies close 2 cyber vulnerabilities immediately

Agencies have until the end of Monday to close two major cybersecurity vulnerabilities.

The Cybersecurity and Infrastructure Security Agency issued an emergency directive after software firm Ivanti discovered vulnerabilities in two widely-used products.

“This emergency directive directs all federal civilian agencies to immediately take specific actions and implement vendor mitigation guidance to these Ivanti appliances,” CISA wrote in a release. “Last week, Ivanti released information regarding two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, that allow an attacker to move laterally across a target network, perform data exfiltration and establish persistent system access. CISA has determined an emergency directive is necessary based on the widespread exploitation of these vulnerabilities by multiple threat actors, prevalence of the affected products in the federal enterprise, high potential for compromise of agency information systems and potential impact of a successful compromise.”

Ivanti found on Jan. 10 that a vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure would let attackers bypass the authentication requirement and access restricted resources by bypassing control checks. The other vulnerability is a command injection vulnerability in web components of Ivanti Connect Secure and Ivanti Policy Secure. CISA says this vulnerability, which can be exploited over the internet, allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the affected products.

“The vulnerabilities in these products pose significant, unacceptable risks to the security of the federal civilian enterprise. As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, we must take urgent action to reduce risks to the federal systems upon which Americans depend,” CISA Director Jen Easterly said in a release. “Even as federal agencies take urgent action in response to this directive, we know that these risks extend to every organization and sector using these products. We strongly urge all organizations to adopt the actions outlined in this directive.”

When it found the vulnerability on Jan. 10, Ivanti said in a blog post that it will continue to invest  “significant” resources to meet high security standards.

“In the best interests of our customers, we are always investigating, assessing, monitoring, and validating the security posture of our solutions. We collaborate with the broader security ecosystem to share intelligence and appreciate when we are made aware of issues via responsible disclosure from reputable sources,” the company said.

CISA is requiring agencies to implement Ivanti’s published mitigation immediately and then run Ivanti’s External Integrity Checker Tool and take additional steps if indications of compromise are detected.

Additionally, one week after the issuance of this directive, agencies must report to CISA using its template a complete inventory of all instances of Ivanti Connect Secure and Ivanti Policy Secure products on agency networks, including details on actions taken and results.

Then by June 1, CISA will report to the White House, Office of Management and Budget and Homeland Security Department the cross-agency status and any outstanding issues with closing these vulnerabilities.

Eric Goldstein, the executive assistant director for cyber at CISA, said Friday in a briefing with reporters that, at first glance, agencies seem to be in pretty good shape.

“We are assessing that the potential exposure on the federal civilian government is limited. There were around, I will say 15 agencies or so that were using these products in the first instance, and they have mitigated those vulnerabilities,” he said. “We are not assessing a significant risk to the federal enterprise. But we know that risk is not zero, and given the the widespread exploitation activity around the country and the globe,  that’s precisely why we issued today a directive to ensure that every agency is both taking the mitigation staff and also running the integrity checker tool to confirm that they have in fact not been impacted.”

He declined to specify which agencies were impacted as the results of scans and analysis were still coming in.

CISA began working with agencies as soon as Ivanti made the problems public. He said CISA has held calls with agency security operations centers and other leaders, and the agency has used their own tools to determine how big of a problem this is for the government.

The impact on the private sector is much larger with more than 1,700 organizations reportedly being affected.

Goldstein said the broad threat and potential impact is a main reason why CISA issued the rare  emergency directive. He said it’s a signal to private sector to mitigate these Ivanti vulnerabilities.

Another reason for the emergency directive is the similarities of this attack with others by China. While Goldstein said he is not ready to place blame on anyone one country or organization yet, he said other attacks perpetuated by China over the last few years against VPN software had similar characteristics.

But at the same time, Goldstein said agencies are better prepared for this type of attack because agencies have focused on securing edge devices after the PulseSecure vulnerability.

“For example, it contributed to our decision to issue Binding Operational Directive 23-02 last year, requiring agencies to remove or remediate exposed network management interfaces for edge devices,” he said. “We have put a tremendous amount of effort in securing the types of devices and products more generally. But we remain engaged in the work of ensuring that every instance of these products across the federal enterprise has been mitigated and that we are validating that the compromise has not occurred.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.