The Ivanti Blunder - Consider the Risks

It's old news already: since early January 2024, multiple vulnerabilities in Ivanti's SSL-VPN products (Connect Secure and Policy Secure; CVE-2023-46805 and CVE-2024-21887) have been exploited by various threat actors, who use them to drop webshells on the appliances and pivot further into enterprise networks (details here).

Ivanti products do not seem to be widely used in the Adriatic region, but thousands of organizations worldwide have already been compromised: the vulnerabilities suddenly turned Ivanti's appliances into an open door into customer networks.

What is interesting is the amount of work customers have to do in this particular case, not only to protect their networks but also to assess whether they have already been compromised.

As an illustration, take a look at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) emergency directive (ED 24-01) and its supplemental direction that followed the Ivanti vulnerability disclosures (see here).

CISA is instructing U.S. federal agencies running the affected Ivanti products to disconnect them from their networks and follow an extensive list of actions, including resetting the devices to factory configuration, performing extensive monitoring and threat hunting, auditing privileged accounts, and so on.
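To make the "audit privileged accounts" and "threat hunting" items concrete, here is an added example of the kind of check an operator would run over an appliance's account export and admin-console login records. This is illustrative code written for this post, not Ivanti's or CISA's tooling; the record format, field names, the sample accounts and logins, and the allowed admin networks are all constructed assumptions. The logic is generic: anything privileged that appeared, changed, or logged in from an unexpected place after the disclosure date gets flagged for review.

```python
"""Added example: privileged-account audit over constructed appliance records.
Not Ivanti's or CISA's own tooling; field names and data are assumptions."""
from datetime import datetime, timezone
import ipaddress

# Public disclosure date of the Ivanti vulnerabilities (10 January 2024).
# Privileged activity at or after this point deserves a second look.
DISCLOSURE = datetime(2024, 1, 10, tzinfo=timezone.utc)

# Networks from which admin-console logins are expected (assumed for the example).
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.100.0/24")]

# Constructed sample data: an export of local admin accounts on the appliance.
ACCOUNTS = [
    {"user": "admin",   "role": "administrator", "created": "2021-03-04T09:00:00Z", "modified": "2023-11-02T10:15:00Z"},
    {"user": "netops",  "role": "read-only",     "created": "2022-06-15T08:30:00Z", "modified": "2024-01-14T03:22:10Z"},
    {"user": "svc_bkp", "role": "administrator", "created": "2024-01-12T02:47:33Z", "modified": "2024-01-12T02:47:33Z"},
]

# Constructed sample data: admin-console login events (source IPs are documentation ranges).
LOGINS = [
    {"user": "admin",   "src": "10.1.2.3",      "time": "2024-01-09T12:00:00Z", "result": "success"},
    {"user": "admin",   "src": "203.0.113.77",  "time": "2024-01-13T04:10:00Z", "result": "success"},
    {"user": "svc_bkp", "src": "198.51.100.5",  "time": "2024-01-12T02:48:01Z", "result": "success"},
    {"user": "netops",  "src": "192.168.100.9", "time": "2024-01-15T09:00:00Z", "result": "failure"},
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_accounts(accounts, since=DISCLOSURE):
    """Flag accounts created or modified at or after `since`.

    Returns a list of (user, reason) tuples in input order.
    """
    findings = []
    for a in accounts:
        created, modified = parse_ts(a["created"]), parse_ts(a["modified"])
        if created >= since:
            findings.append((a["user"], f"{a['role']} account created after disclosure"))
        elif modified >= since:
            findings.append((a["user"], f"{a['role']} account modified after disclosure"))
    return findings


def audit_logins(logins, since=DISCLOSURE, allowed=ADMIN_NETS):
    """Flag successful admin logins at or after `since` from outside the allowed networks.

    Failed logins and logins before `since` are ignored; returns (user, reason) tuples.
    """
    findings = []
    for ev in logins:
        if ev["result"] != "success" or parse_ts(ev["time"]) < since:
            continue
        ip = ipaddress.ip_address(ev["src"])
        if not any(ip in net for net in allowed):
            findings.append((ev["user"], f"admin login from unexpected source {ev['src']}"))
    return findings


if __name__ == "__main__":
    for user, why in audit_accounts(ACCOUNTS) + audit_logins(LOGINS):
        print(f"REVIEW {user}: {why}")
```

On the sample data this flags the new `svc_bkp` administrator account, the post-disclosure change to `netops`, and two admin logins from outside the expected networks. A real review would go on to check what each flagged account did, but the point is that every one of these items needs the pre-incident baseline (account export, expected admin networks) to exist, which is exactly the preparation most organizations running a "simple" VPN appliance never did.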

Not an easy job, and definitely costly in engineer hours and in lost productivity while remote access to applications is disabled.

As Ivanti is not the only VPN vendor targeted by zero-days, the question is how customers nowadays factor these risks into the decision to expose internal networks through standard VPN remote access. What once seemed trivial (running a simple SSL VPN) can now turn, faster than ever, into an open door into your network.

Palo Alto Networks detection of zero-day exploit against Ivanti's SSL-VPN solution

So it is not surprising that many SASE/ZTNA vendors, Palo Alto Networks among them, are offering a modernized remote access infrastructure built on ZTNA principles, this time vendor-managed: the vendor's reaction to a vulnerability disclosure has to be close to immediate, and the threat hunting and other monitoring and auditing tasks are performed by the vendor. That is a key change in the remote access management model, and it means the customer is now relying on the vendor's exposed surface and patching discipline instead of their own, which should be part of the evaluation. It is, however, a change the current threat landscape requires, where public-facing devices are routinely exploited (more here).
