State-backed Hackers Are Exploiting New Ivanti VPN Zero-Days - But No Patches Yet (techcrunch.com)
U.S. software giant Ivanti has confirmed that hackers are exploiting two critical-rated vulnerabilities affecting its widely-used corporate VPN appliance, but said that patches won't be available until the end of the month. From a report: Ivanti said the two vulnerabilities -- tracked as CVE-2023-46805 and CVE-2024-21887 -- were found in its Ivanti Connect Secure software. Formerly known as Pulse Connect Secure, this is a remote access VPN solution that enables remote and mobile users to access corporate resources over the internet. Ivanti said it is aware of "less than 10 customers" impacted so far by the "zero day" vulnerabilities, described as such given Ivanti had zero time to fix the flaws before they were maliciously exploited.
Unacceptable (Score:4, Informative)
it is aware of "less than 10 customers" impacted so far by t..
Sorry, the one main job of your security product is to secure remote access. The acceptable number of customers, defined as anyone using your product, to be impacted by remote code execution from the unsecured side into a network appliance whose purpose is to provide security is in fact 0, zero.
People should never buy products from or by them again, ever, even if you do finally get those overdue patches out MUCH later than you should.
Re: (Score:1)
Remember: these are the same jerks who got popped a few years back where it was then revealed that their VPN appliances were caching all credentials IN CLEARTEXT.
Re: (Score:2)
Juniper Networks Pulse -> Pulse Secure -> Ivanti Connect Secure
Has that ever worked out well? i.e., some company managing security software that was written by a company two steps removed / sold and passed on multiple times?
Perfection is unobtanium (Score:1)
The acceptable number of customers, defined as anyone using your product, to be impacted by remote code execution from the unsecured side into a network appliance whose purpose is to provide security is in fact 0, zero.
Ideally, yes. In the real world, I'll settle for something like:
* Are your products and services the best I can get for the price I'm willing to pay? I need to know I'm not being robbed blind.
* Are you being honest about how good your products and services are? I need to know where my remaining vulnerabilities are.
* What level of support/updates are available and at what price? What level of expert human support is available if I need it, and at what price?
Oh, and if your company has a recent reputation
Re: (Score:3)
Ideally, yes. In the real world, I'll settle for something like ...
No, you're kind of starting from an entirely bogus premise. Not breachable from the internet to the point of RCE is not perfection, and is pretty darned achievable for a VPN appliance. Providing the VPN itself is built on top of someone else's protocol stack (SSL) which has not been fundamentally compromised; the security of the SSL library itself is intact, and there is not a low-level issue being attacked here.
You can friggin star
Re: (Score:1)
Providing the VPN itself is built on top of someone else's protocol stack (SSL) which has not been fundamentally compromised; the security of the SSL library itself is intact, and there is not a low-level issue being attacked here.
Call me cynical, but software is complex. I won't bet my life on any currently-available, useful SSL library not having any as-yet-unknown bugs that, if found and exploited, would break the security model.
In other words, unobtainium, at least for now.
I'm not saying we shouldn't try. Your recommendations are a good start. Of course customers should hold vendors' feet to the fire if they aren't trying as hard as reasonably possible.
But if they are following "best practices" and someone in a well-funded gove
Re: (Score:2)
Call me cynical, but software is complex. I won't bet my life on any currently-available, useful SSL library
In other words, unobtainium, at least for now.
No. This is obtanium. And I got plenty of examples for you. WireGuard would be a good example. A Linux server running WireGuard would be more secure than this thing, apparently. Appgate would be a good example. OpenVPN with a TLS arming key specified, or heck, a Squid server with your user required to run a fwknop command to open a firewall rule
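The comment above argues that the pre-authentication attack surface of a VPN endpoint can be kept small, and names OpenVPN with a TLS key as one way. As an added illustration (not from the thread, and not Ivanti's or OpenVPN's own documentation), here is an OpenVPN 2.5+ server configuration fragment using tls-crypt so that control-channel packets lacking a valid HMAC under a pre-shared key are discarded before any TLS handshake processing takes place. All file paths and the port are placeholders.

```conf
# Added example, not part of the original discussion.
# OpenVPN 2.5+ server fragment; paths below are placeholders.
port 1194
proto udp
dev tun

# Server identity and CA (placeholder paths)
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
# ECDH key exchange, so no DH parameter file is needed
dh none

# tls-crypt: every control-channel packet must carry a valid HMAC
# under this pre-shared key. Packets without it are dropped before
# the TLS stack ever parses them, which shrinks the unauthenticated
# attack surface. Generate the key once with:
#   openvpn --genkey tls-crypt /etc/openvpn/ta.key
# and distribute the same key to every client.
tls-crypt /etc/openvpn/ta.key

# Refuse legacy TLS versions and require a client certificate
tls-version-min 1.2
remote-cert-tls client
verify-client-cert require
```

Clients need the matching `tls-crypt /path/to/ta.key` line, since traffic without the HMAC is silently dropped. The design point is the one the comment makes: a peer that cannot prove possession of the pre-shared key never reaches the certificate or TLS code paths, so a bug in those paths is only reachable by someone who already holds that key.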
Re: (Score:2)
The acceptable number of customers, defined as anyone using your product, to be impacted by remote code execution from the unsecured side into a network appliance whose purpose is to provide security is in fact 0, zero.
Ideally, yes. In the real world, I'll settle for something like:
* Are your products and services the best I can get for the price I'm willing to pay? I need to know I'm not being robbed blind.
* Are you being honest about how good your products and services are? I need to know where my remaining vulnerabilities are.
* What level of support/updates are available and at what price? What level of expert human support is available if I need it, and at what price?
Oh, and if your company has a recent reputation for making stupid mistakes and not handling them well, I will probably still look elsewhere even if the answers to the questions above are acceptable.
I'd also want some assurances that only 5 eyes intelligence agencies had knowledge of the back doors.
Re: (Score:2)
it is aware of "less than 10 customers" impacted so far by t..
Sorry, the one main job of your security product is to secure remote access. The acceptable number of customers, defined as anyone using your product, to be impacted by remote code execution from the unsecured side into a network appliance whose purpose is to provide security is in fact 0, zero.
People should never buy products from or by them again, ever, even if you do finally get those overdue patches out MUCH later than you should.
Give them a break, they've been keeping this open for the NSA to use, and the other bad guys got hold of it *just* now. I don't think they are doing too badly.
Ivanti is having a month! (Score:3)
It really was a truckload... (Score:2)
... of backup tapes ... full of spreadsheets ... full of CVEs.
*obligatory note for the humor-impaired lawyers who might be reading this: I am joking. I know of no such actual truck related to the issue at hand.*
Re: (Score:2)
You need a VCS, maybe CVS, to maintain the CSV files keeping track of all the CVEs
Re: (Score:2)
Probably moved to "cheaper than possible" "engineering", because nobody cares about security, right? And obviously, greed is good and must trump everything else.
Anybody wanting security should probably not buy their crappy products.
Re: (Score:2)
Naa, that would mean having some people on staff that have some clue about security. These cost money! Cannot be wasting money on security.