The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive today requiring agencies to mitigate “widespread and active exploitation” of vulnerabilities in Ivanti Connect Secure VPN and Policy Secure network access control appliances.

Eric Goldstein, CISA’s executive assistant director for cybersecurity, told reporters today that the “potential exposure on the Federal civilian government is limited.” He noted that there are around 15 Federal agencies that were using Ivanti’s products.

“They have mitigated those vulnerabilities,” Goldstein said. “We are not assessing a significant risk to the Federal enterprise, but we know that that risk is not zero.”

On Jan. 10, Ivanti released information regarding two vulnerabilities that allow an attacker to move laterally across a target network, perform data exfiltration, and establish persistent system access.

“CISA has determined an Emergency Directive is necessary based on the widespread exploitation of these vulnerabilities by multiple threat actors, prevalence of the affected products in the Federal enterprise, high potential for compromise of agency information systems, and potential impact of a successful compromise,” the press release says.

CISA is directing all Federal civilian agencies to take specific actions by Jan. 22 and to apply the vendor’s mitigation guidance to these Ivanti appliances.

Among other things, CISA is requiring agencies to immediately report indications of compromise as well as provide a complete inventory of all instances of Ivanti Connect Secure and Ivanti Policy Secure products on agency networks, including details on actions taken and results.

“The vulnerabilities in these products pose significant, unacceptable risks to the security of the Federal civilian enterprise. As America’s cyber defense agency and the operational lead for Federal civilian cybersecurity, we must take urgent action to reduce risks to the Federal systems upon which Americans depend,” said CISA Director Jen Easterly. “Even as Federal agencies take urgent action in response to this Directive, we know that these risks extend to every organization and sector using these products. We strongly urge all organizations to adopt the actions outlined in this Directive.”

CISA’s Goldstein said today that industry is estimating over 1,700 organizations across the nation have been affected by Ivanti’s vulnerabilities and noted that the “situation here is evolving by the hour.”

“Implementation allows deep access into the target network enabling data exfiltration or persistence to achieve other objectives,” Goldstein said. “The directive requires that Federal agencies immediately take specific action to implement vendor mitigation guidance. I’ll particularly note that the directive requires agencies to implement temporary mitigation instructions that are in place in lieu of a patch which has not yet been issued.”

While the investigation is still ongoing, Goldstein said Chinese-affiliated actors – among others – have exploited the known vulnerability. “Edge devices like these Ivanti products are the favorite types of devices to be targeted because A: they are Internet facing; and B: they allow a significant level of privilege to access the target network,” he said.

Cate Burgan
Cate Burgan is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.