Ivanti Pledges Security Overhaul the Day After 4 More Vulns Disclosed

Published: 23/11/2024   Category: security

So far this year, Ivanti has disclosed a total of 10 flaws — many of them critical — in its remote access products, and one in its ITSM product.



Ivanti CEO Jeff Abbott this week said his company will completely revamp its security practices, even as the vendor disclosed another fresh set of bugs in its vulnerability-riddled Ivanti Connect Secure and Policy Secure remote access products.

In an open letter to customers, Abbott committed to a series of changes the company will make in the coming months to transform its security operating model, following a relentless barrage of bug disclosures since January. The promised fixes include a complete do-over of Ivanti's engineering, security, and vulnerability management processes and the implementation of a new secure-by-design initiative for product development.

"We have challenged ourselves to look critically at every phase of our processes, and every product, to ensure the highest level of protection for our customers," Abbott said in his statement. "We have already begun applying learning from recent incidents to make immediate improvements to our own engineering and security practices."

Some of the specific steps include embedding security into every stage of the software development life cycle and integrating new isolation and anti-exploit features into its products to minimize the potential impact of software vulnerabilities. The company will also improve its internal vulnerability discovery and management process and increase incentives for third-party bug hunters, Abbott said.

In addition, Ivanti will make more resources available to customers for finding vulnerability information and associated documentation, and is committed to greater transformation and information sharing with customers, he added.
How much these commitments will help stem growing customer disenchantment with Ivanti remains unclear, given the company's recent security track record. In fact, Abbott's comments came one day after Ivanti disclosed four new bugs in its Connect Secure and Policy Secure gateway technologies and issued patches for each of them.

The disclosure followed a similar incident less than two weeks ago that involved two bugs in Ivanti's Standalone Sentry and Neurons for ITSM products. Ivanti so far has disclosed a total of 11 vulnerabilities, including the four this week, in its technologies since Jan. 1. Many of them have been critical flaws, at least two of them zero-days, in the company's remote access products, which attackers, including advanced persistent threat actors such as Magnet Goblin, have exploited in mass fashion. Concern over the potential for major breaches from some of these bugs prompted the US Cybersecurity and Infrastructure Security Agency (CISA) in January to order all civilian federal agencies to take their Ivanti systems offline and not reconnect the devices until fully remediated.

Security researcher and IANS Research faculty member Jake Williams says the vulnerability disclosures have prompted serious questions from Ivanti's customers. "Based on conversations I'm having, especially with Fortune 500 clients, I honestly think it's a bit of too little, too late," he says. "The time to publicly make this commitment was more than a month ago. There is no question that the issues with the Ivanti VPN appliance (formerly Pulse) are making CISOs question the security of Ivanti's many other products," he says.
The four new bugs Ivanti disclosed this week include two heap overflow vulnerabilities in the IPSec component of Connect Secure and Policy Secure, both of which the company characterized as high-severity risks for customers. One of the vulnerabilities, tracked as CVE-2024-21894, gives unauthenticated attackers a way to run arbitrary code on affected systems. The other, CVE-2024-22053, allows an unauthenticated remote attacker to read contents of system memory under certain conditions. Ivanti described both vulnerabilities as allowing attackers to send maliciously crafted requests that trigger denial-of-service conditions.

The other two flaws, CVE-2024-22052 and CVE-2024-22023, are medium-severity vulnerabilities that attackers can exploit to cause denial-of-service conditions on affected systems. Ivanti said that as of April 2, it was not aware of any exploit activity in the wild targeting the vulnerabilities.
The steady stream of bug disclosures has raised questions about the risk that Ivanti's products pose to its more than 40,000 customers worldwide, with some expressing their frustration on forums such as Reddit. Just two years ago, Ivanti's press releases claimed 96 of the Fortune 100 companies as its customers. In the latest release that number has declined nearly 12%, to 85 companies. While the attrition might have to do with factors other than just security, some Ivanti rivals have begun to sense an opportunity. Cisco, for instance, has begun offering incentives, including a 90-day free trial, to try to get Ivanti VPN customers to migrate to its Secure Access platform so they can mitigate risk from Ivanti's products.

Eric Parizo, an analyst with Omdia, says at least some of Ivanti's challenges have to do with the fact that the company's product portfolio is the sum of numerous past acquisitions. "The original products were developed at different times by different companies for different purposes using varying methods. This means the software quality, in particular with regard to software security, can be dramatically uneven," he says.

Parizo says what Ivanti is doing now with its commitment toward improving security processes and procedures across the board is a step in the right direction. "I would also like to see the vendor indemnify its customers for damages directly resulting from these vulnerabilities, as that will help restore confidence in future purchases," he says. "Perhaps the one saving grace for Ivanti is that customers are so used to this sort of event, with cybersecurity vendors suffering countless similar incidents in recent years, that customers are more likely to forgive and forget."