Mitigation Advisory: Fortinet and Ivanti Exploitable Vulnerabilities

Summary

A series of critical and exploitable vulnerabilities have been recently discovered within Fortinet and Ivanti products, requiring immediate attention. These vulnerabilities notably affect Fortinet FortiOS appliances, FortiGate SSL VPN, Ivanti (formerly Pulse Secure) Connect Secure, and Ivanti Policy Secure devices.

Network edge appliances, especially SSL VPNs, are a frequent and lucrative attack vector for adversaries. Attackers can exploit these vulnerabilities within Fortinet and Ivanti network edge appliances to gain network access and install malicious code, creating a backdoor that can be utilized in future attacks. Sygnia urges CISOs, and network and security teams to take immediate action to secure your network as the situation continues to develop.

Immediate action is imperative, as malicious actors are actively exploiting the recently disclosed vulnerabilities – as verified by CISA reports about Fortinet and Ivanti. Sygnia has analyzed these exploits, and is armed with effective mitigation strategies.

If you suspect that you are facing a potential breach, Sygnia’s team stands ready to be your trusted partner in remediation and recovery. Sygnia has faced down some of these specific vulnerabilities before, and many other similar ones, successfully assisting numerous clients in mitigating the impact of these vulnerabilities, and restoring clients to a robust security posture.

To learn more about Sygnia’s incident Response services, click here.

If you were impacted by this attack or are seeking guidance on how to prevent similar attacks, please contact us  via email contact@sygnia.co or our 24 hotline +1-877-686-8680

Technical Details

Fortinet

Products Affected:

• FortiOS
• FortiProxy
• FortiPAM
• FortiSwitchManager

For affected versions, please refer to the vendor’s advisories listed below.

Mitigation:

1. Identify all affected Fortinet appliances and products in the environment.
2. If you are unable to immediately patch the affected appliances, it is advised to apply appropriate workarounds:
   1. For CVE-2024-21762 (sslvpnd), disabling SSL VPN will mitigate the risk, while preventing remote access from employees using this service.
   2. For CVE-2024-23113 (fgfmd), removing FGFM access for each interface will mitigate the risk. This will disable FortiManager discovery capabilitie.
   3. In any case, ensure to disable the features if they are not in active use, to reduce the general attack surface.

3. Upgrade to a mitigated version according to the official Fortinet advisories, listed above.
4. After upgrading and rebooting the appliances, FortiGate devices perform a system integrity check to search for files that have been tampered with. If there are any failures in the integrity check, a log is generated with ID 20234. It is advised to search for this event, and if tampering is identified, contact Sygnia for incident response support. For more information about this event, please see: https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/226732/real-time-file-system-integrity-checking
5. In any case, conduct proactive monitoring and threat hunts within the environment to look for other indicators, including behavioral, of compromise.

Ivanti

Products Affected:

• Ivanti Connect Secure (formerly known as Pulse Connect Secure)
• Ivanti Policy Secure
• Ivanti Neurons for Zero Trust Access (ZTA) Gateways

For affected versions, please refer to the vendor’s advisories listed below.

Mitigation:

1. Identify all affected Ivanti products in the environment.
2. Utilize Ivanti’s Integrity Assurance tool on each appliance. If the tool reports on any ‘mis-matched’ files (as seen in the screenshot below) or ‘newly detected files’, the appliance might be infected with malware. The tool can be found at https://forums.ivanti.com/s/article/KB44755

3. If no files are detected, back up the appliances, and upgrade to the latest version as outlined in the official guidance: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways
   1. Please note that there have been unofficial reports in social media that functionality for SAML authentication may be negatively impacted after applying this upgrade.

4. If file mismatches are detected, keep the appliances quarantined, as the appliances may have been exploited.
   1. Send a request to Ivanti customer support, and request decrypted images of the Ivanti appliances. Sygnia can assist with the analysis of the decrypted images.
   2. Conduct a factory reset of the appliances and restore the appliances with the specified versions. Please notice that factory reset erases any evidence usable for investigation and takes 3-4 hours.
   3. Rotate all stored credentials (e.g., API keys, certificates, admin password, local users). This may affect the Ivanti VPN’s performance and reliability unless the new credentials are properly synced with the dependent devices, services, and applications.
5. In any case, conduct proactive monitoring and threat hunts within the environment to look for other indicators, including behavioral, of compromise.

To learn more about Sygnia’s incident Response services, click here.

If you were impacted by this attack or are seeking guidance on how to prevent similar attacks, please contact us  via email contact@sygnia.co or our 24 hotline +1-877-686-8680