Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Technology

State-backed Hackers Are Exploiting New Ivanti VPN Zero-Days - But No Patches Yet (techcrunch.com) 21

U.S. software giant Ivanti has confirmed that hackers are exploiting two critical-rated vulnerabilities affecting its widely-used corporate VPN appliance, but said that patches won't be available until the end of the month. From a report: Ivanti said the two vulnerabilities -- tracked as CVE-2023-46805 and CVE-2024-21887 -- were found in its Ivanti Connect Secure software. Formerly known as Pulse Connect Secure, this is a remote access VPN solution that enables remote and mobile users to access corporate resources over the internet. Ivanti said it is aware of "less than 10 customers" impacted so far by the "zero day" vulnerabilities, described as such given Ivanti had zero time to fix the flaws before they were maliciously exploited.
This discussion has been archived. No new comments can be posted.

State-backed Hackers Are Exploiting New Ivanti VPN Zero-Days - But No Patches Yet

Comments Filter:
  • Unacceptable (Score:4, Informative)

    by mysidia ( 191772 ) on Thursday January 11, 2024 @01:14PM (#64150191)

    it is aware of "less than 10 customers" impacted so far by t..

    Sorry, the one main job of your security product is to secure remote access. The acceptable number of customers, define as anyone using your product, to be impacted by remote code execution from the Unsecure side into a network appliance whose purpose is to provide security is in fact 0, Zero..

    People should never buy products from or by them again, ever, even if you do finally get those overdue patches out MUCH later than you should.

    • by Anonymous Coward

      Remember: these are the same jerks who got popped a few years back where it was then revealed that their VPN appliances were caching all credentials IN CLEARTEXT.

      • by unrtst ( 777550 )

        Juniper Networks Pulse -> Pulse Secure -> Ivanti Connect Secure
        Has that ever worked out well? IE: some company managing security software that was written by a company two steps removed / sold and passed on multiple times?

    • The acceptable number of customers, define as anyone using your product, to be impacted by remote code execution from the Unsecure side into a network appliance whose purpose is to provide security is in fact 0, Zero..

      Ideally, yes. In the real world, I'll settle for something like:
      * Are your products and services the best I can get for the price I'm willing to pay? I need to know I'm not being robbed blind.
      * Are you being honest about how good your products and services are? I need to know where my remaining vulnerabilities are.
      * What level of support/updates are available and at what price? What level of expert human support is available if I need it, and at what price?

      Oh, and if your company has a recent reputation

      • by mysidia ( 191772 )

        Ideally, yes. In the real world, I'll settle for something like ...

        No, you're kind of starting from an entirely bogus premise. Not breachable from the internet to the point of RCE is not perfection, and is pretty darned achievable from a VPN appliance. Providing the VPN itself is built on top of someone else's protocol stack (SSL) which has not been fundamentally compromised; the security of the SSL library itself is intact, and there is Not a low-level issue being attacked here.

        You can friggin star

        • by davidwr ( 791652 )

          Providing the VPN itself is built on top of someone else's protocol stack (SSL) which has not been fundamentally compromised; the security of the SSL library itself is intact, and there is Not a low-level issue being attacked here.

          Call me cynical, but software is complex. I won't bet my life on any currently-available, useful SSL library not having any as-yet-unknown bugs that, if found and exploited, would break the security model.

          In other words, unobtainium, at least for now.

          I'm not saying we shouldn't try. Your recommendations are a good start. Of course customers should hold vendors feet to the fire if they aren't trying as hard as reasonably possible.

          But if they are following "best practices" and someone in a well-funded gove

          • by mysidia ( 191772 )

            Call me cynical, but software is complex. I won't bet my life on any currently-available, useful SSL library
            In other words, unobtainium, at least for now.

            No. This is obtanium. And I got plenty of examples for you. Wireguard would be a good example. A linux server running Wireguard would be more secure than this thing, apparently. Appgate would be a good example. OpenVPN with a TLS arming key specified, or Heck.. a Squid server with your user required to run a fwknop command to open a firewall rule

      • The acceptable number of customers, define as anyone using your product, to be impacted by remote code execution from the Unsecure side into a network appliance whose purpose is to provide security is in fact 0, Zero..

        Ideally, yes. In the real world, I'll settle for something like:
        * Are your products and services the best I can get for the price I'm willing to pay? I need to know I'm not being robbed blind.
        * Are you being honest about how good your products and services are? I need to know where my remaining vulnerabilities are.
        * What level of support/updates are available and at what price? What level of expert human support is available if I need it, and at what price?

        Oh, and if your company has a recent reputation for making stupid mistakes and not handling them well, I will probably still look elsewhere even if the answers to the questions above are acceptable.

        I'd also want some assurances that only 5 eyes intelligence agencies had knowledge of the back doors.

    • it is aware of "less than 10 customers" impacted so far by t..

      Sorry, the one main job of your security product is to secure remote access. The acceptable number of customers, define as anyone using your product, to be impacted by remote code execution from the Unsecure side into a network appliance whose purpose is to provide security is in fact 0, Zero..

      People should never buy products from or by them again, ever, even if you do finally get those overdue patches out MUCH later than you should.

      Give them a break, they've been keeping this open for the NSA to use, and the other bad guys got hold of it *just* now. I don't think they are doing too badly.

  • by EvilSS ( 557649 ) on Thursday January 11, 2024 @01:14PM (#64150193)
    There was a truckload of CSVs for their desktop management suite now Pulse VPN is a problem... again. Wish I could say I was surprised. I did a lot of work with AppSense going back almost a decade before they were bought then bought again by what became Ivanti. Ivanti ruined that group and it went from a product I recommended regularly for Citrix/VDI deployments to one I actively recommend against.
    • by EvilSS ( 557649 )
      CVEs not CSVs
    • by gweihir ( 88907 )

      Probably moved to "cheaper than possible" "engineering", because nobody cares about security, right? And obviously, greed is good and must trump eberything else.

      Anybody wanting security should probably not buy their crappy products.

      • by EvilSS ( 557649 )
        Probably. All the devs and architects I knew there left or were let go. They also had a pretty good support staff in the UK, all gone within 18 months.

Keep up the good work! But please don't ask me to help.

Working...