CVE-2024-21893: 
Ivanti Connect Secure vulnerability analysis and mitigation

A server-side request forgery (SSRF) vulnerability, identified as CVE-2024-21893, was discovered in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and Ivanti Neurons for ZTA. The vulnerability allows an unauthenticated attacker to access restricted resources without authentication. The vulnerability was disclosed on January 31, 2024, and has been assigned a CVSS v3.1 base score of 8.2 (HIGH) (NVD).

The vulnerability (CVE-2024-21893) is classified as a server-side request forgery (SSRF) flaw specifically affecting the SAML component of the affected Ivanti products. It has been assigned a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability enables unauthorized access to restricted resources, potentially compromising sensitive data and system security. Ivanti has confirmed that a limited number of customers have been affected by this vulnerability in targeted instances (Arctic Wolf).

Ivanti has released patches for multiple versions including Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1) and ZTA version 22.6R1.3. As a temporary workaround, users can import the mitigation.release.20240126.5.xml file via the download portal. Additionally, running the external integrity checker (ICT) is recommended to identify potential malicious files (Arctic Wolf).

In response to the vulnerability, the Cybersecurity & Infrastructure Security Agency (CISA) issued an emergency directive ordering all federal government agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure from their networks until proper mitigation steps are taken and reported to CISA (Horizon3).