ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities
This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities.
Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2). Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3). Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v). These directives do not apply to statutorily defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).
Supplemental Direction V2: Emergency Directive 24-01
Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities
Original Issuance Date: February 9, 2024
Updated March 4, 2024
Background
This Supplemental Direction supersedes Supplemental Direction V1: Emergency Directive (ED) 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities issued on January 31, 2024. This version also supersedes Required Action 4 of ED 24-01. All other provisions of ED 24-01 remain in effect. This Supplemental Direction applies to any federal agency running affected products (Ivanti Connect Secure or Ivanti Policy Secure solutions).
On February 8, 2024, Ivanti reported a new vulnerability (CVE-2024-22024) affecting a limited number of supported Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and 22.5R2.2) and Ivanti Policy Secure (version 22.5R1.1) solutions. This newly disclosed vulnerability enables an attacker to access restricted resources without authentication. On February 8, 2024, Ivanti released new security updates that replace the previous updates released on January 31, 2024, and February 1, 2024, and, additionally, address CVE-2024-22024. This Supplemental Direction V2 adds a requirement for agencies running those software versions to apply appropriate security updates.
As noted in Supplemental Direction V1, threat actors continue to leverage vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions to capture credentials and drop webshells that enable further compromise of enterprise networks. Some threat actors have recently developed workarounds to earlier mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection. CISA is aware of instances in which threat actors have minimized traces of their intrusion, limiting the effectiveness of the external integrity checker tool (ICT).
Based on observations during incident response activities and available industry reporting, as supplemented by CISA’s research findings, network defenders should assume a sophisticated threat actor may deploy rootkit-level persistence that can survive a factory reset and lie dormant for an arbitrary amount of time. Continuing to operate Ivanti Connect Secure and Ivanti Policy Secure devices in an enterprise environment carries significant risk of adversary access to and persistence on these devices.
Required Actions
Agencies running affected products (Ivanti Connect Secure or Ivanti Policy Secure solutions), or returning those products to service, are required to immediately perform the following tasks (Note: for agencies that have not returned any affected products to service and do not intend to do so, no further action is required):
1. For agencies that returned affected products to service following ED 24-01 Supplemental Direction V1, apply the February 8 update from Ivanti to address CVE-2024-22024 by 11:59PM Monday February 12, 2024.
2. Per Supplemental Direction V1, agencies were required to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products by 11:59PM on Friday February 2, 2024, and follow a set of instructions before bringing any product back into service. If an agency did not previously complete the initial requirement to disconnect all instances of the affected products, do so immediately. For all affected products:
   - Continue threat hunting on any systems connected to—or recently connected to—the affected Ivanti device.
   - Monitor the authentication or identity management services that could be exposed.
   - Isolate the systems from any enterprise resources to the greatest degree possible.
   - Continue to audit privileged access accounts.
3. To bring any additional products back into service, agencies are still required to perform the following actions:
   - Export configuration settings.
   - Complete a factory reset per Ivanti’s instructions. Note: If an agency completed a factory reset of the Ivanti device before applying the previously released patches on January 31 and February 1, a factory reset is not required.
   - Rebuild the device per Ivanti’s instructions AND upgrade to a supported software version through Ivanti’s download portal (there is no cost to upgrade).
   - Reimport the configuration.
   - If mitigation XML files were applied, review the Ivanti KB and customer portal for directions on how to remove the mitigations after upgrading.
   - Revoke and reissue any connected or exposed certificates, keys, and passwords, to include the following:
     - Reset the admin enable password.
     - Reset stored application programming interface (API) keys.
     - Reset the password of any local user defined on the gateway, including service accounts used for auth server configuration(s).
4. For all products returned to service, apply future updates that address the vulnerabilities referenced in this Directive and Supplemental Direction as they become available and no later than 48 hours following their release by Ivanti.
5. Agencies running the affected products must assume domain accounts associated with the affected products have been compromised. By Friday March 1, 2024, agencies must:
   - Reset passwords twice for on-premises accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments.
   - For cloud-joined/registered devices, disable the devices in the cloud to revoke the device tokens.
Agencies should carefully follow Ivanti’s instructions on securing affected products, including Ivanti's recent guidance:
- KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways
- Recovery Steps Related to CVE-2023-46805 and CVE-2024-21887 (ivanti.com)
Reporting
By 11:59PM EST Wednesday February 14, 2024, and upon request going forward, report to CISA the status across all affected products. CISA will provide an updated reporting template.
Report to CISA the status of actions under Requirement 5 by Friday March 1, 2024.
CISA Actions
- CISA will provide agencies with a template that will be used for reporting agency actions following the issuance of this Supplemental Direction.
- CISA will continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate.
- CISA will provide technical assistance to agencies who are without internal capabilities sufficient to comply with this Supplemental Direction.
- By June 1, 2024, CISA will provide a report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget, and the Federal Chief Information Security Officer identifying cross-agency status and outstanding issues.
Duration
This Supplemental Direction remains in effect until CISA determines that all agencies operating affected software have performed all required actions from this Direction or the Direction is terminated through other appropriate action.
Additional Information
Visit https://www.cisa.gov/news-events/directives or contact the following for:
- General information, assistance, and reporting – CyberDirectives@cisa.dhs.gov
- Reporting indications of compromise – central@cisa.dhs.gov
Supplemental Direction V1: Emergency Directive 24-01
Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities
Original Issuance Date: January 31, 2024
Updated February 5, 2024
Background
This Supplemental Direction supersedes required action 4 in Emergency Directive (ED) 24-01 Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities and applies to any Federal agency running affected products (Ivanti Connect Secure or Ivanti Policy Secure solutions).
Threat actors continue to leverage vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions to capture credentials and drop webshells that enable further compromise of enterprise networks. Some threat actors have recently developed workarounds to earlier mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection. CISA is aware of instances in which threat actors have minimized traces of their intrusion, limiting the effectiveness of the external integrity checker tool (ICT).
Required Actions
Agencies running affected products—Ivanti Connect Secure or Ivanti Policy Secure solutions—are required to immediately perform the following tasks:
1. As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks.
2. Continue threat hunting on any systems connected to—or recently connected to—the affected Ivanti device.
3. Monitor the authentication or identity management services that could be exposed.
4. Isolate the systems from any enterprise resources to the greatest degree possible.
5. Continue to audit privileged access accounts.
6. To bring a product back into service, agencies are required to perform the following actions:
   - Export configuration settings.
   - Complete a factory reset per Ivanti’s instructions.
   - Rebuild the device per Ivanti’s instructions AND upgrade to a supported software version through Ivanti’s download portal (there is no cost to upgrade).
   - Reimport the configuration.
   - If mitigation XML files were applied, review the Ivanti KB and customer portal for directions on how to remove the mitigations after upgrading.
   - Revoke and reissue any connected or exposed certificates, keys, and passwords, to include the following:
     - Reset the admin enable password.
     - Reset stored application programming interface (API) keys.
     - Reset the password of any local user defined on the gateway, including service accounts used for auth server configuration(s).
By 11:59PM EST Monday February 5, 2024, agencies must report to CISA (using an updated CyberScope template from CISA) agency status across the above actions. Agencies are required to provide updates to CISA on these actions, upon request and until complete.
7. Agencies running the affected products must assume domain accounts associated with the affected products have been compromised. By March 1, 2024, agencies must:
   - Reset passwords twice for on-premises accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments.
   - For cloud-joined/registered devices, disable the devices in the cloud to revoke the device tokens.
By 11:59PM EST Friday March 1, 2024, agencies must report to CISA (using an updated CyberScope template from CISA) agency status across all actions in this Supplemental Direction.
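The domain-account remediation step (Required Action 5 of Supplemental Direction V2 and the corresponding item in V1 above), as an added worked example rather than CISA or Ivanti tooling: a hypothetical PowerShell helper that performs the on-premises double password reset, then revokes cloud sessions and refresh tokens, then disables cloud-joined device objects. It assumes the ActiveDirectory and Microsoft Graph PowerShell modules are installed, that the account names, device names and UPN suffix shown are constructed sample values, and that the Graph scopes are adjusted to the tenant's permission model.

```powershell
# Hypothetical helper for the ED 24-01 domain-account step (not CISA/Ivanti tooling).
# Assumed modules: ActiveDirectory, Microsoft.Graph.Authentication,
# Microsoft.Graph.Users.Actions, Microsoft.Graph.Identity.DirectoryManagement.
# Run with -WhatIf first; every state-changing call honours ShouldProcess.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Constructed sample values: the accounts and device objects tied to the gateways.
    [string[]]$SamAccountNames = @('svc-ivanti-ldap', 'svc-ivanti-radius'),
    [string[]]$DeviceNames     = @('IVANTI-ICS-01'),
    [string]$UpnSuffix         = 'corp.example',   # assumed hybrid UPN suffix
    # Assumed scopes; align with the tenant's permission model.
    [string[]]$GraphScopes     = @('User.RevokeSessions.All', 'Directory.AccessAsUser.All')
)

function New-RandomPassword {
    # 24 characters from a 64-symbol alphabet using a CSPRNG; 256 mod 64 == 0, so
    # indexing by byte value is unbiased. The plaintext is never written to the console.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    ConvertTo-SecureString $plain -AsPlainText -Force
}

# Step 1 (on-premises): reset each account twice, as the Direction requires, so that
# a secret the actor may have captured is neither the current nor the previous value.
# Kerberos tickets already issued survive a password change until they expire; domain-wide
# invalidation is a separate krbtgt double rotation (with replication wait) not done here.
foreach ($sam in $SamAccountNames) {
    if ($PSCmdlet.ShouldProcess($sam, 'Reset password twice')) {
        for ($i = 0; $i -lt 2; $i++) {
            Set-ADAccountPassword -Identity $sam -Reset -NewPassword (New-RandomPassword)
        }
        Write-Verbose "Completed double reset for $sam"
    }
}

# Step 2 (cloud, hybrid deployments): revoke refresh tokens and sessions after the
# on-premises reset. Access tokens already issued remain valid until they expire
# (typically up to an hour), so keep monitoring sign-ins for that window.
Connect-MgGraph -Scopes $GraphScopes | Out-Null
foreach ($sam in $SamAccountNames) {
    $upn = "$sam@$UpnSuffix"
    if ($PSCmdlet.ShouldProcess($upn, 'Revoke Entra ID sign-in sessions and refresh tokens')) {
        Revoke-MgUserSignInSession -UserId $upn | Out-Null
    }
}

# Step 3 (cloud-joined/registered devices): disabling the device object invalidates
# its device tokens, which is the action the Direction asks for.
foreach ($name in $DeviceNames) {
    $devices = @(Get-MgDevice -Filter "displayName eq '$name'")
    if ($devices.Count -eq 0) { Write-Warning "No Entra ID device named $name"; continue }
    foreach ($dev in $devices) {
        if ($PSCmdlet.ShouldProcess("$name ($($dev.Id))", 'Disable device object')) {
            Update-MgDevice -DeviceId $dev.Id -AccountEnabled:$false
        }
    }
}
```

Invoke it as `.\Reset-IvantiLinkedAccounts.ps1 -WhatIf -Verbose` to review the planned changes before running it for real; record the run output as evidence for the Requirement 5 status report.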
CISA Actions
- CISA will provide agencies with a template that will be used for reporting agency actions following the issuance of this Supplemental Direction.
- CISA will continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate.
- CISA will provide technical assistance to agencies who are without internal capabilities sufficient to comply with this Supplemental Direction.
- By June 1, 2024, CISA will provide a report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget, and the Federal Chief Information Security Officer identifying cross-agency status and outstanding issues.
Duration
This Supplemental Direction remains in effect until CISA determines that all agencies operating affected software have performed all required actions from this Direction or the Direction is terminated through other appropriate action.
Additional Information
Visit https://www.cisa.gov/news-events/directives or contact the following for:
- General information, assistance, and reporting – CyberDirectives@cisa.dhs.gov
- Reporting indications of compromise – central@cisa.dhs.gov
Background
CISA has observed widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions, hereafter referred to as “affected products.” Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems.
CISA has determined these conditions pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action. This determination is based on widespread exploitation of vulnerabilities by multiple threat actors, the prevalence of the affected products in the federal enterprise, the high potential for a compromise of agency information systems, the impact of a successful compromise, and the complexity of the proposed mitigations.
On January 10, 2024, Ivanti released the following information on the vulnerabilities in the affected products:
- CVE-2023-46805 is a vulnerability found in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. This authentication bypass vulnerability allows a remote attacker to access restricted resources by bypassing control checks.
- CVE-2024-21887 is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. This vulnerability, which can be exploited over the internet, allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the affected products.
When exploited in tandem, these vulnerabilities allow a malicious threat actor to execute arbitrary commands on a vulnerable product. Ivanti has released a temporary mitigation through an XML file that can be imported into affected products to make necessary configuration changes until the permanent update is available.
This Directive requires agencies to implement Ivanti’s published mitigation immediately to the affected products in order to prevent future exploitation. As this initial action does not remedy an active or past compromise, agencies are also required to run Ivanti’s External Integrity Checker Tool and take additional steps if indications of compromise are detected.
The required actions in this Emergency Directive align with requirements in CISA’s Binding Operational Directive 22-01 and do not conflict with any previous requirements.
Required Actions
Agencies running affected products (Ivanti Connect Secure or Ivanti Policy Secure solutions) are required to perform the following tasks:
1. As soon as possible and no later than 11:59 pm EST on Monday January 22, 2024, download and import “mitigation.release.20240107.1.xml,” via Ivanti’s download portal, into the affected product. Note that the XML file, once imported, impacts or degrades a number of product management features. Agencies must carefully follow Ivanti’s instructions to ensure a correct import and avoid service outages.
2. Immediately after importing the XML file, download and run Ivanti’s External Integrity Checker Tool. Note: Although newer versions of the affected software include an integrated internal integrity checker, agencies are required to download and run the external tool, regardless of the current version installed. Running the External Integrity Checker Tool will reboot the affected product.
3. If indications of compromise are detected:
   - Immediately report indications of compromise to CISA through central@cisa.dhs.gov.
   - Remove compromised products from agency networks. Initiate incident analysis, preserve data from the compromised devices through the creation of forensic hard drive images, and hunt for indications of further compromise.
   - To bring a compromised product back into service, reset the device with the affected Ivanti solution software to factory default settings and download and import “mitigation.release.20240107.1.xml,” via Ivanti’s download portal, into the affected product. Note that importing the XML file may impact or degrade a number of product management features. Agencies must carefully follow Ivanti’s instructions to ensure a correct import and avoid service outages.
   To fully restore a compromised product and bring it back into service, agencies are also required to follow Ivanti’s instructions and perform the following additional actions on all compromised products:
   - Revoke and reissue any stored certificates.
   - Reset the admin enable password.
   - Reset stored API keys.
   - Reset the password of any local user defined on the gateway, including service accounts used for auth server configuration(s).
4. Apply updates that address the two vulnerabilities referenced in this Directive to the affected products as they become available and no later than 48 hours following their release by Ivanti.
5. One week after the issuance of this Directive, report to CISA (using the provided template) a complete inventory of all instances of Ivanti Connect Secure and Ivanti Policy Secure products on agency networks, including details on actions taken and results.
These required actions apply to agency assets in any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.
For federal information systems hosted in third-party environments, each agency is responsible for maintaining an inventory of its information systems hosted in those environments (FedRAMP Authorized or otherwise) and obtaining status updates pertaining to, and to ensure compliance with, this Directive. Agencies should work through the FedRAMP program office to obtain these updates for FedRAMP Authorized cloud service providers and work directly with service providers that are not FedRAMP Authorized.
All other provisions specified in this Directive remain applicable.
CISA Actions
- CISA will provide agencies with a template that will be used for reporting agency actions following the issuance of this Directive.
- CISA will continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate.
- CISA will provide technical assistance to agencies who are without internal capabilities sufficient to comply with this Directive.
- By June 1, 2024, CISA will provide a report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget, and the Federal Chief Information Security Officer identifying cross-agency status and outstanding issues.
Duration
This Emergency Directive remains in effect until CISA determines that all agencies operating affected software have performed all required actions from this Directive or the Directive is terminated through other appropriate action.
Additional Information
Visit https://www.cisa.gov/news-events/directives or contact the following for:
- General information, assistance, and reporting – CyberDirectives@cisa.dhs.gov
- Reporting indications of compromise – central@cisa.dhs.gov