
Shweta Sharma
Senior Writer

An onslaught of security flaws pushes Ivanti into security re-design

News | Apr 05, 2024 | 3 mins
Security Software | Vulnerabilities

Ivanti plans to revamp core engineering and security operations to arm against frequent and evolved adversary activities.

[Image: A broken link in a digital chain / weakness / vulnerability. Credit: Getty Images]

A day after patching a batch of high-severity vulnerabilities impacting its critical services, Ivanti has made public its plans to revamp security and vulnerability management controls.

In an open letter addressed to its customers and partners, Ivanti CEO Jeff Abbott said the decision to revamp was made in response to the frequent exploits and security incidents affecting a few of its products.

“Events in recent months have been humbling, and I want you to hear directly from me about the actions we are taking to ensure we emerge stronger, and our customers are more secure,” Abbott said in the letter. “We have challenged ourselves to look critically at every phase of our processes, and every product, to ensure the highest level of protection for our customers.”

On Wednesday, the IT security software vendor patched four critical vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure Gateways, the company’s flagship VPN products, that could allow remote code execution (RCE) and denial of service (DoS) attacks on affected systems.

Ivanti to undergo a security overhaul

According to the open letter, published along with a YouTube video by Abbott, Ivanti is planning a transformation of its security operating model that will include revamping core engineering, security, and vulnerability practices, ensuring “secure by design” methodologies for all products, partnering with cyberdefence agencies, and ensuring transparent communication with customers and stakeholders.

“We are now executing a plan that accelerates security initiatives already underway and implements improved practices to anticipate, prevent, and protect against future threats,” Abbott added. “We have engaged the industry’s most recognized security and product development experts to support the Ivanti team’s review and to provide best-in-class execution guidance, ensuring we meet our commitment to you, so that your organization can work easily, securely, and with confidence.”

In addition, the letter points out that Ivanti plans to optimize its products for security, which includes accelerating the stack modernization of its Network Security products (Ivanti Connect Secure, Policy Secure, and ZTA) with a “variety of isolation and anti-exploit technologies” to reduce the potential impact of future software defects.

Frequently flawed Ivanti products

The latest vulnerabilities include heap overflow (CVE-2024-21894 and CVE-2024-22053), null pointer dereference (CVE-2024-22052), and XML entity expansion, or XXE (CVE-2024-22023), flaws that could allow RCE and DoS attacks without any user interaction. The CVSS scores for these flaws range from 5.3 to 8.2 on a scale of 1 to 10.

These are only a few of the many flaws hitting Ivanti solutions this year, the most notorious being a pair of zero days discovered in January (CVE-2023-46805 and CVE-2024-21887) that saw numerous in-the-wild exploitations by nation-state as well as financially motivated actors.

Subsequently, US government agencies were ordered to take Ivanti VPN products offline under a US Cybersecurity and Infrastructure Security Agency (CISA) directive. It isn’t a surprise that Ivanti should take such measures now to ensure the security of its products in the future. “The challenges we face are not unique in the software industry and we are committed to taking the necessary steps to lead the way for others,” Abbott added. “Threat actors are constantly evolving — know that we will be too.”