Ivanti Connect Secure and Policy Secure vulnerabilities

Request an audit

Ivanti Connect Secure and Policy Secure vulnerabilities

Ivanti has release patches for multiple vulnerabilities impacting Connect Secure and Policy Secure gateways. The vulnerabilities are tracked as CVE-2024-21894, CVE-2024-22052, CVE-2024-22053 and CVE-2024-22023. Ivanti is not aware of these vulnerabilities being exploited at customers at the time of disclosure.

Summary

CVE-2024-21894, 8.4 High (CVSS 3.1): “A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack. In certain conditions this may lead to execution of arbitrary code “ As stated by Ivanti.

CVE-2024-22052, 7.5 High (CVSS 3.1): “A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack” stated by Ivanti.

CVE-2024-22053, 8.2 High (CVSS 3.1): “A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack or in certain conditions read contents from memory.” stated by Ivanti.

CVE-2024-22023, 5.3 Medium (CVSS 3.1): “An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in-order-to temporarily cause resource exhaustion thereby resulting in a limited-time DoS.” Stated by Ivanti.

Affected products

All supported versions are at risk and older:

9.X
22.X

Security Recommendation

Ivanti has release security updates for these vulnerabilities and can be found on the download page for the products.
More information regarding the vulnerabilities can be found here.

Services

IT security assessment

Security & network assessment

Ethical hacking

OT/IoT security assessment

Red & Blue Teaming

M365 assessment

Governance

Decision tree

GDPR assessment

ISO 27k assessment

Social engineering

Cybersecurity maturity assessment

Networking

Security & network assessment

OT/IoT network assessment

Identify

Managed services

Network Operations Centre (NOC)

Security Operations Centre (SOC)

Network as a Service (NaaS)

Security Governance

UBA

Governance

Chief Information Security Officer (CISO)

Information Security Officer (ISO)

Social engineering

Security awareness training

Information Protection & Governance

Security & networking optimization

High-level design

Wireless/wired networking

Network Virtualisation & Automation (SDN)

SD-WAN

Endpoint security

Prevent & protect

Managed services

Security Operations Center (SOC)

CSIRT

Network Operations Centre (NOC)

Network as a Service (NaaS)

Endpoint Detection & Response

Governance

Chief Information Security Officer (CISO)

Data Protection Officer (DPO)

Detect & respond

Managed services

Network Operations Centre (NOC)

Security Operations Centre (SOC)

Network as a Service (NaaS)

CISO as a Service

DPO as a Service

Governance

Chief Information Security Officer (CISO)

Data Protection Officer (DPO)

Recover

Ivanti Connect Secure and Policy Secure vulnerabilities

Ivanti Connect Secure and Policy Secure vulnerabilities

Ivanti Connect Secure and Policy Secure vulnerabilities

Ready to discuss your security needs?