If the Ivanti VPN gateways are compromised due to having the recent vulnerabilities exploited, does that only affect the gateways and the network admin accounts logging in to manage the gateways, or are there any documented risks to remote networks connected through the gateway and the VPN clients (laptops etc.) connecting to the gateways?
If someone can own your gateway, that means they can own the rest of your landscape.
If I had one of those gateways I’d have just turned it off by now. I can’t wait to see all the lawsuits against Ivanti for using 20-year-old code in a product not fit for sale.
Risks that I’ve seen include credential harvesters installed on the Ivanti boxes so users logging in may have compromised accounts.
Secondly I’ve seen them try to pivot from the Ivanti nodes to the network proper and try and get domain admin privileges.
Unfortunately Ivanti aren’t very clear about some of their stuff.
We’ve factory reset these boxes and are running the latest patch, but will change soon to something else. Probably Tailscale or Cloudflare, or Twingate.
The specific answer to your question is no, owning an Ivanti gateway doesn’t immediately grant someone control over servers or similar.
In practice though, it always lands there. The sort of company with these extremely legacy devices has absolutely no chance of having an internal network that’s totally locked down sufficiently. Beyond that, people logging on to the VPN are sending credentials there.
I’d be far more concerned about risk to internal networks behind that Ivanti device than the connecting laptop however.
You’re asking the wrong question. If there’s a remote code execution vulnerability in central infrastructure the risk is essentially 100% for that system; beyond that it depends on how well everything else is configured and maintained. It’s unrealistic to expect that level of exposure to be documented in any detailed manner.
“If someone can own your gateway, that means they can own the rest of your landscape.”
How though? Is anything outside the gateway itself actually listed as being within the scope of the vulnerability?
Throw in OpenZiti too - https://github.com/openziti. It’s an open-source zero trust network overlay which makes outbound connections so you can block all inbound incl. TCP/UDP. If you don’t want to host, SaaS versions of it exist.
So, the main risk would be the VPN user getting their VPN credentials compromised when they authenticate to the VPN.
No risk of the laptop itself getting compromised.
…the gateway is literally providing access to your network?
Go learn networking and security basics.
Latest info I see on the Ivanti site is downplaying risk.
“We currently have no evidence of customers being impacted by CVE-2024-21888, at the time of disclosure we had no evidence of customers being impacted by CVE-2024-22024, and at time of disclosure we were aware of a limited number of customers impacted by CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893.”
No, the main risk is that your complete network gets owned. CISA literally ordered every government agency to unplug these devices.
What if it’s not on “your network,” or providing access to your network, but people on your network remotely connect to that VPN gateway to connect to some other third remote network?
They’re saving face. They’re “aware of” a limited number of customers “impacted.” On Day Zero they were “aware of” only 11 customers affected by CVE-2023-46805 then they agreed to a third party that by Day Two the number had jumped to several thousand.
Seeing how Ivanti isn’t sharing jack with their customers, why would customers be sharing their “impact” with Ivanti? They’ll become aware of it the next time some customers were scheduled for renewal.
And nothing changes the optics of running on an unsupported (EOL) OS. Especially considering how hard they (or their predecessors) went in making it a black box.
And more!
From CISA:
Agencies running the affected products must assume domain accounts associated with the affected products have been compromised. By March 1, 2024, agencies must:
Reset passwords twice for on premise accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments.
For cloud joined/registered devices, disable devices in the cloud to revoke the device tokens.
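One way to script the CISA steps quoted above for the accounts tied to a gateway, as an added example that is not from the thread, from CISA or from Ivanti. It assumes the ActiveDirectory and Microsoft.Graph PowerShell modules, assumes the krbtgt double reset as the mechanism for "revoke Kerberos tickets", and uses placeholder account names and a placeholder UPN suffix.

```powershell
# Added example, not from the thread or from CISA. Requires the ActiveDirectory
# and Microsoft.Graph modules; account names and the UPN suffix are placeholders.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions
Import-Module Microsoft.Graph.Identity.DirectoryManagement

$Accounts  = @("svc-ivanti-ldap", "vpn-admin")   # accounts the gateway used (placeholders)
$UpnSuffix = "example.com"                        # placeholder tenant domain (hybrid/synced)

function New-RandomPassword {
    # 32 random bytes, base64-encoded: long, unique, never reused between resets.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# Step 1: reset each on-prem password twice, so neither the current nor the
# previous credential an attacker may have harvested is still valid.
foreach ($sam in $Accounts) {
    1..2 | ForEach-Object {
        Set-ADAccountPassword -Identity $sam -Reset -NewPassword (New-RandomPassword)
    }
}

# Step 2: revoke Kerberos tickets. Tickets already issued stay valid until they
# expire, so the usual way to invalidate them domain-wide is to reset krbtgt
# twice: DCs accept tickets under the current and the previous krbtgt key.
# Do the second reset only after AD replication has completed, otherwise
# service authentication across the domain can break.
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomPassword)
Write-Host "krbtgt reset once; repeat after replication to finish revoking tickets."

# Step 3: revoke cloud tokens for the synced accounts, then disable their
# registered devices in the cloud so the device tokens are revoked as well.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Device.ReadWrite.All", "Directory.Read.All"
foreach ($sam in $Accounts) {
    $user = Get-MgUser -UserId "$sam@$UpnSuffix"
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null   # invalidates refresh tokens
    Get-MgUserRegisteredDevice -UserId $user.Id | ForEach-Object {
        Update-MgDevice -DeviceId $_.Id -AccountEnabled:$false
    }
}
```

Run it from a host with domain admin rights and a Graph session holding the listed scopes; the krbtgt second reset is deliberately left to a later run.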
The home network where the gateway is installed would be at risk.
I’m trying to determine if people remotely connecting in to those networks are at any risk and, if so, is that specifically called out anywhere?
If the network they connect to was owned, then what risk is there, if any, to remote users when someone external to that network VPNs in to it?
- They can sniff all traffic going through the device
- And this was my own paranoia and I don’t know how true this is, but if you have the Ivanti installer service on your endpoints and a bad actor uploads a new client installer, when your users connect and get the upgrade prompt, you are essentially giving them system access (via the installer service) to the client machines.
- The VPN client has options to run scripts on the endpoints when connecting. I never played with the feature, so I don’t know what context the scripts run under, but having a potentially pwned device have access to run scripts easily on my endpoints would not be good.
Then if compromised, the devices connected to the VPN gateway can potentially be compromised. From there, the local network could be compromised.
So still a risk
Yeah and from what I’ve heard of their “fixes” they have been… Unreliable at best. The best path is turning it off and walking away from it permanently imo.
Not really sure what you are getting at here. Typically a VPN gateway will be installed in an office/datacenter/etc and remote users will use a software VPN client to access resources at that site. Another possibility is that a corporate firewall can be deployed to a remote user’s home and configured to have a site-to-site IPsec VPN tunnel back to company. That firewall should be pretty locked down to prevent arbitrary access from the Internet.
It would be pretty uncommon for someone to set up a VPN gateway on a home network so that a user can access their home network remotely.
HOW can they be compromised?
Does it have a mechanism to send malware through the VPN client? Has that been shown as something actually happening or even capable of happening in this exploit?