Question:

As an IT professional in the UK, I use Ivanti products to enable remote access for my company’s employees. However, I am concerned about the recent reports of critical vulnerabilities in Ivanti Connect Secure and Policy Secure gateways that have been exploited by threat actors. Besides applying the latest patches and mitigation measures from Ivanti, what else can I do to protect my network and data? Is Ivanti still a reliable and secure solution for remote access? What best practices should I follow to prevent or mitigate future attacks?

Answer:

How to Secure Your Remote Access with Ivanti Products

Remote access is a vital feature for many businesses, especially in the wake of the COVID-19 pandemic that has forced many employees to work from home or on the go. However, remote access also poses significant security risks, as it exposes the network and data to potential attacks from hackers, malware, or other threat actors.

One of the popular solutions for remote access is Ivanti, a software company that provides products such as Connect Secure and Policy Secure, which are gateways that enable secure access to applications and resources from any device and location. However, Ivanti products have recently been the target of several cyberattacks, exploiting critical vulnerabilities that could allow unauthorized access, data theft, or ransomware infection.

In this article, we will discuss the nature and impact of these vulnerabilities, the steps that Ivanti has taken to address them, and the additional measures that you, as an IT professional, can take to protect your network and data from future attacks.

The Ivanti vulnerabilities are a series of security flaws that affect the Connect Secure and Policy Secure gateways, which are also known as Pulse Secure and Pulse Policy Secure, respectively. These products are widely used by organizations across various sectors, such as government, healthcare, education, finance, and retail.

The vulnerabilities were first discovered and reported by FireEye, a cybersecurity firm, in April 2021. FireEye revealed that a sophisticated threat actor, dubbed UNC2630, had exploited the vulnerabilities to compromise dozens of organizations, mainly in the US and Europe. The threat actor used a variety of techniques, such as phishing, web shells, malware, and credential theft, to gain access to the Ivanti gateways and then move laterally within the network, stealing sensitive data or deploying ransomware.

The vulnerabilities that were exploited by UNC2630 are:

• CVE-2019-11510: An arbitrary file reading vulnerability that allows an unauthenticated attacker to read any file on the system, including passwords and private keys.
• CVE-2020-8260: A buffer overflow vulnerability that allows an authenticated attacker to execute arbitrary code on the system with root privileges.
• CVE-2020-8243: A command injection vulnerability that allows an authenticated attacker to execute arbitrary commands on the system with root privileges.
• CVE-2021-22893: A remote code execution vulnerability that allows an unauthenticated attacker to execute arbitrary code on the system with root privileges.

These vulnerabilities have been rated as critical or high severity by the Common Vulnerability Scoring System (CVSS), with scores ranging from 8.8 to 10.0 out of 10.0. They pose a serious threat to the security and integrity of the Ivanti gateways and the networks that rely on them.

What has Ivanti done to fix the vulnerabilities?

Ivanti has been working closely with FireEye and other security researchers to investigate and remediate the vulnerabilities. Ivanti has released several patches and mitigation measures to address the vulnerabilities and prevent further exploitation. Ivanti has also published security advisories and guidance for its customers on how to apply the patches and mitigation measures, as well as how to detect and respond to any potential compromise.

The patches and mitigation measures that Ivanti has released are:

• For CVE-2019-11510, Ivanti released a patch in April 2019 and advised customers to upgrade to the latest version of Connect Secure or Policy Secure.
• For CVE-2020-8260 and CVE-2020-8243, Ivanti released a patch in October 2020 and advised customers to upgrade to the latest version of Connect Secure or Policy Secure.
• For CVE-2021-22893, Ivanti released a patch in April 2021 and advised customers to upgrade to the latest version of Connect Secure or Policy Secure. Ivanti also released a workaround script that disables the Windows File Share Browser and Pulse Secure Collaboration features, which are the entry points for the vulnerability.
• For all the vulnerabilities, Ivanti released a tool in May 2021 that scans the system for any indicators of compromise (IoCs) and generates a report with the findings and recommendations.

Ivanti has urged its customers to apply the patches and mitigation measures as soon as possible, as well as to run the tool and review the report. Ivanti has also provided a dedicated email address and phone number for customers to contact in case of any questions or issues.

What else can you do to protect your network and data?

Besides applying the patches and mitigation measures from Ivanti, there are some additional steps that you can take to enhance the security of your remote access and reduce the risk of future attacks. These steps are:

• Monitor and audit your Ivanti gateways regularly for any suspicious or anomalous activity, such as unauthorized login attempts, unusual network traffic, or unexpected changes in configuration or files.
• Implement strong authentication and authorization policies for your Ivanti gateways, such as using multifactor authentication (MFA), enforcing password complexity and expiration, and restricting access based on role, device, and location.
• Encrypt and backup your data regularly, both on the Ivanti gateways and on the devices that access them, to prevent data loss or leakage in case of a breach or ransomware attack.
• Educate and train your employees on the best practices for remote access, such as using secure and trusted devices and networks, avoiding phishing and other social engineering attacks, and reporting any suspicious or unusual incidents.

Is Ivanti still a reliable and secure solution for remote access?

Despite the recent vulnerabilities and attacks, Ivanti remains a reputable and trusted provider of remote access solutions, with a large and loyal customer base. Ivanti has demonstrated its commitment and responsiveness to addressing the security issues and supporting its customers. Ivanti has also announced that it is working on a new and improved version of Connect Secure and Policy Secure, which will be released later this year, with enhanced security features and performance.

However, no solution is perfect or immune to vulnerabilities or attacks, and Ivanti is no exception. Therefore, it is important to always keep your Ivanti products updated and follow the security recommendations from Ivanti and other experts. It is also advisable to complement your Ivanti products with other security tools and measures, such as firewalls, antivirus, VPNs, and SIEMs, to create a layered and comprehensive defense for your remote access.

Conclusion

Remote access is a convenient and essential feature for many businesses, but it also comes with significant security challenges and risks. Ivanti products are among the popular and effective solutions for remote access, but they have also been the target of several cyberattacks, exploiting critical vulnerabilities that could compromise the network and data.

To protect your remote access with Ivanti products, you should apply the latest patches and mitigation measures from Ivanti, as well as monitor, audit, and secure your Ivanti gateways and devices. You should also educate and train your employees on the best practices for remote access and use other security tools and measures to enhance your defense.

By

following these steps, you can enjoy the benefits of remote access with Ivanti products, while minimizing the threats and impacts of cyberattacks.