Federal agencies have until the end of the day to shut down two widely used software products due to major cybersecurity vulnerabilities.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive mandating Federal agencies disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure VPN products on their networks no later than 11:59 p.m. today.
This directive supersedes a Jan. 19 emergency directive from CISA, which told agencies to remediate the vulnerabilities in those Ivanti products.
In the original emergency directive on Jan. 19, CISA explained it “observed widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions.”
“Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems,” it continued.
After disconnecting from the products, CISA tells agencies to continue threat hunting on any systems recently connected to the affected Ivanti devices.
Agencies should also continue monitoring any authentication or identity management services that could have been exposed; isolate those connected systems from enterprise resources, and continue to audit privilege-level access accounts, according to CISA’s directive.
In addition, CISA said agencies running the affected products “must assume domain accounts associated with the affected products have been compromised.” Therefore, CISA requires that by March 1, agencies “reset passwords twice for on premise accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments,” while cloud-based devices should be disabled “to revoke the device tokens.”
For agencies interested in bringing Ivanti products back into service, CISA lays out a series of steps they must take, starting with exporting the configuration settings and completing a factory reset of the product.
“This supplemental direction remains in effect until CISA determines that all agencies operating affected software have performed all required actions from this direction or the direction is terminated through other appropriate action,” CISA said.
Agencies must report back to CISA on the required actions by Monday, Feb. 5.
