Supplemental Direction V1: ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities
Original Issuance Date: January 31, 2024
Updated February 5, 2024
This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Supplemental Direction V1: Emergency Directive 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities.
Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2). Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3). Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v). These directives do not apply to statutorily defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).
See Emergency Directive 24-01 for the Original Directive issued on January 19, 2024.
Background
This Supplemental Direction supersedes required action 4 in Emergency Directive (ED) 24-01 Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities and applies to any Federal agency running affected products (Ivanti Connect Secure or Ivanti Policy Secure solutions).
Threat actors continue to leverage vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions to capture credentials and drop webshells that enable further compromise of enterprise networks. Some threat actors have recently developed workarounds to earlier mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection. CISA is aware of instances in which threat actors have minimized traces of their intrusion, limiting the effectiveness of the external integrity checker tool (ICT).
Required Actions
Agencies running affected products—Ivanti Connect Secure or Ivanti Policy Secure solutions—are required to immediately perform the following tasks:
- As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks.
- Continue threat hunting on any systems connected to—or recently connected to—the affected Ivanti device.
- Monitor the authentication or identity management services that could be exposed.
- Isolate the systems from any enterprise resources to the greatest degree possible.
- Continue to audit privilege level access accounts.
- To bring a product back into service, agencies are required to perform the following actions:
- Export configuration settings.
- Complete a factory reset per Ivanti’s instructions.
- Rebuild the device per Ivanti’s instructions AND upgrade to a supported software version through Ivanti’s download portal (there is no cost to upgrade).
- Reimport the configuration.
- If mitigation XML files were applied, review the Ivanti KB and customer portal for directions on how to remove the mitigations after upgrading.
- Revoke and reissue any connected or exposed certificates, keys, and passwords, to include the following:
- Reset the admin enable password.
- Reset stored application programming interface (API) keys.
- Reset the password of any local user defined on the gateway, including service accounts used for auth server configuration(s).
By 11:59PM EST Monday February 5, 2024, agencies must report to CISA (using an updated CyberScope template from CISA) agency status across the above actions. Agencies are required to provide updates to CISA on these actions, upon request and until complete.
- Agencies running the affected products must assume domain accounts associated with the affected products have been compromised. By March 1, 2024, agencies must:
- Reset passwords twice for on premise accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments.
- For cloud joined/registered devices, disable devices in the cloud to revoke the device tokens.
By 11:59PM EST Friday March 1, 2024, agencies must report to CISA (using an updated CyberScope template from CISA) agency status across all actions in this Supplemental Direction.
CISA Actions
- CISA will provide agencies with a template that will be used for reporting agency actions following the issuance of this Supplemental Direction.
- CISA will continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate.
- CISA will provide technical assistance to agencies who are without internal capabilities sufficient to comply with this Supplemental Direction.
- By June 1, 2024, CISA will provide a report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget, and the Federal Chief Information Security Officer identifying cross-agency status and outstanding issues.
Duration
This Supplemental Direction remains in effect until CISA determines that all agencies operating affected software have performed all required actions from this Direction or the Direction is terminated through other appropriate action.
Additional Information
Visit https://www.cisa.gov/news-events/directives or contact the following for:
- General information, assistance, and reporting – CyberDirectives@cisa.dhs.gov
- Reporting indications of compromise – central@cisa.dhs.gov