Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateways contain a critical authentication bypass vulnerability (CVE-2023-46805) in their web component. This allows unauthenticated remote attackers to access restricted resources, often used in conjunction with CVE-2024-21887 for full system compromise.
Frequently Asked Questions
What is CVE-2023-46805 and why does it matter?
CVE-2023-46805 is a high-severity authentication bypass vulnerability in the web component of Ivanti Connect Secure and Policy Secure. It allows remote attackers to bypass security checks and access restricted resources. This is critical because it is currently being exploited in the wild, often in tandem with command injection vulnerabilities to achieve full remote code execution.
Which versions of Ivanti Connect Secure and Policy Secure are affected?
The affected versions listed are Ivanti Connect Secure (ICS) 9.1R18, 22.6R2, and 22.6R1, as well as Ivanti Policy Secure. The vulnerability affects both the 9.x and 22.x branches of the web component in these products.
Has a patch or mitigation been released for CVE-2023-46805?
Yes, mitigations have been released. Ivanti provides a specific XML mitigation file that can be imported into affected gateways to block the exploit path. Users should consult the official Ivanti portal at the provided patch URL for the most current mitigation and patching instructions.
What is the remediation deadline for CVE-2023-46805?
The remediation deadline is 2024-01-22. This deadline is significant for compliance, particularly for federal agencies following CISA's Binding Operational Directive (BOD) 22-01, which mandates the mitigation of known exploited vulnerabilities to protect organizational infrastructure from active threats.
How can I check if my Ivanti instance is affected by this vulnerability?
Organizations should verify their current software version against the affected versions list (9.1R18, 22.6R2, etc.). Furthermore, Ivanti recommends running the Internal Integrity Checker Tool to look for signs of unauthorized modifications or compromise within the gateway environment.
CVE-2023-46805 represents a critical failure in the authentication logic of Ivanti Connect Secure (ICS, formerly Pulse Connect Secure) and Ivanti Policy Secure gateways. With a CVSS score of 8.2 and an EPSS score in the 100th percentile, this vulnerability is not a theoretical threat: it is an actively exploited zero-day. The vulnerability resides in the web component of the gateway and allows a remote attacker to bypass mandatory control checks. This bypass serves as the primary entry point for attackers, who typically chain it with other vulnerabilities to gain persistence and execute arbitrary commands within highly sensitive corporate and government environments. All administrators must act before the January 22, 2024, remediation deadline to maintain compliance and security posture.
Technical Deep Dive: The Mechanics of Authentication Bypass
The core of CVE-2023-46805 lies in the improper implementation of authentication checks within the Ivanti web engine. This engine is responsible for handling administrative requests and user sessions. By manipulating specific web endpoints, an attacker can convince the system that they have already been authenticated or that the requested resource does not require a valid session.
CWE-287: Understanding Improper Authentication
CWE-287 occurs when an application incorrectly validates the identity of a user. In the context of Ivanti gateways, the vulnerability allows an external entity to "skip" the gatekeeper. Imagine a secure facility where the guard is instructed to check badges. CVE-2023-46805 is akin to a side door that was accidentally left unlocked and labeled as an "emergency exit only" but leads directly into the high-security vault. Because the web component fails to enforce control checks across all its API endpoints, the attacker can move through these unprotected paths to access restricted internal data.
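As an added illustration of the CWE-287 pattern described above (example code, not Ivanti's; the endpoint paths, handlers and session tokens are hypothetical), the two dispatchers below contrast per-route authentication, where one forgotten list entry leaves an endpoint reachable without any session, with deny-by-default enforcement applied before routing:

```python
# Added illustration of CWE-287 (not Ivanti code): endpoint paths, session
# tokens and handlers below are hypothetical.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    path: str
    session: Optional[str] = None   # opaque session token; None when unauthenticated

VALID_SESSIONS = {"sess-admin-1"}   # constructed: the only valid session token

# Hypothetical handlers; none of these paths are real Ivanti endpoints.
HANDLERS = {
    "/api/login": lambda req: "login page",
    "/api/admin/config": lambda req: "admin config",
    "/api/admin/maintenance": lambda req: "maintenance console",
}

# Vulnerable pattern: the check is applied only to paths someone remembered to
# list. /api/admin/maintenance was added later and never made it onto the list.
PROTECTED_PATHS = {"/api/admin/config"}

def dispatch_per_route(req: Request) -> str:
    """Vulnerable dispatcher: authentication enforced per listed route (CWE-287)."""
    if req.path in PROTECTED_PATHS and req.session not in VALID_SESSIONS:
        return "401 unauthorized"
    handler = HANDLERS.get(req.path)
    return handler(req) if handler else "404 not found"

# Hardened pattern: every path needs a valid session unless it is on a short,
# reviewed allow-list of public paths, so new endpoints are protected by default.
PUBLIC_PATHS = {"/api/login"}

def dispatch_deny_by_default(req: Request) -> str:
    """Hardened dispatcher: the check runs before routing, for every path."""
    if req.path not in PUBLIC_PATHS and req.session not in VALID_SESSIONS:
        return "401 unauthorized"
    handler = HANDLERS.get(req.path)
    return handler(req) if handler else "404 not found"

if __name__ == "__main__":
    unauth = Request("/api/admin/maintenance")   # no session at all
    print(dispatch_per_route(unauth))            # reaches the restricted handler
    print(dispatch_deny_by_default(unauth))      # 401 unauthorized
```

The point of the hardened form is that the allow-list of public paths is the short, reviewed exception, so an endpoint nobody thought about is denied rather than exposed.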
The Attack Chain: From Bypass to Command Execution
While CVE-2023-46805 allows for unauthorized access to data, its true danger is realized when combined with CVE-2024-21887, a command injection vulnerability. In a typical attack scenario, the bypass (CVE-2023-46805) is used to reach a restricted web endpoint that is normally only accessible to administrators. Once that endpoint is reached, the attacker exploits the command injection flaw (CVE-2024-21887) to execute shell commands with root privileges. This "one-two punch" provides the attacker with a reverse shell, allowing them to pivot from the VPN gateway into the internal network, steal credentials, and deploy ransomware.
Who Is Affected: Impact and Compliance
This vulnerability impacts organizations globally that rely on Ivanti Connect Secure or Ivanti Policy Secure for remote access and Network Access Control (NAC). Because these devices sit at the edge of the network, they are prime targets for state-sponsored actors and ransomware groups.
Compliance and CISA BOD 22-01
The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Under Binding Operational Directive (BOD) 22-01, federal civilian executive branch agencies are required to remediate CVE-2023-46805 by the January 22, 2024 deadline. For private sector organizations, this date serves as a critical benchmark for risk management; failing to meet this deadline significantly increases the likelihood of a successful breach, as exploitation tools are now widely available in the threat actor community.
Official Remediation Steps
Ivanti has provided a multi-step remediation process. Since a full software patch may take time to deploy across all versions, a temporary mitigation is essential.
Download the Mitigation XML: Access the official Ivanti Security Portal (referencing the patch URL provided) and download the mitigation.release.20240105.1.xml file (or the latest version specified by the vendor).
Apply the Mitigation: Import the XML file into the Ivanti gateway via the administration console. This will disable the vulnerable web components without requiring a full system reboot.
Run the Integrity Checker: Download and execute the latest version of the Ivanti Internal Integrity Checker Tool. This tool scans for signs of file system tampering that may have occurred if the device was compromised prior to the mitigation.
Monitor Logs: Review logs for unusual activity originating from the internal IP addresses of the VPN gateway, specifically looking for unauthorized lateral movement.
Upgrade Firmware: As soon as the official permanent patch is released for your specific version (e.g., 9.1R18, 22.6R2), perform a full firmware upgrade to permanently close the vulnerability.
Security Best Practices for Ivanti Gateways
To defend against authentication bypasses and similar edge-device attacks, organizations should adopt the following defensive posture:
Implement Strict Geo-Fencing: If your workforce is primarily located in one region, block authentication attempts from countries where you have no business presence to reduce the attack surface.
Enforce MFA (Multi-Factor Authentication): While this specific vulnerability bypasses authentication, MFA remains a critical defense against the credential theft that often follows an initial breach.
Egress Filtering: Limit the ability of your VPN gateway to initiate outbound connections to the internet. This can prevent an attacker from establishing a reverse shell even if they successfully exploit a vulnerability.
Regular Integrity Audits: Schedule weekly runs of vendor-provided integrity tools to detect unauthorized changes to the underlying OS or web components.
Network Segmentation: Treat the VPN gateway as a semi-trusted zone. Use internal firewalls to restrict what internal resources the gateway can communicate with, ensuring that a compromise of the gateway does not mean an automatic compromise of the entire data center.
Rapid Patching Cycle: Establish a 24-hour emergency patching window for edge devices like VPNs and firewalls, as these are increasingly the primary targets for zero-day exploitation.
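The log-review step in the remediation process and the egress-filtering and segmentation practices above can be checked together against firewall flow records. The following is an added example (not Ivanti's code) that flags connections initiated by the gateway's internal address which fall outside a constructed allow-list; the gateway address, allowed services, external update host and the log format are all assumptions:

```python
# Added example (not Ivanti's): review constructed firewall flow records for connections
# the VPN gateway itself initiated that the segmentation/egress policy would not allow.
# All addresses, ports and the log format are assumptions.
import ipaddress
from typing import Dict, List

GATEWAY_IP = ipaddress.ip_address("10.0.5.10")  # constructed: gateway's internal interface
# Constructed allow-list of internal services the gateway legitimately connects to.
ALLOWED_INTERNAL = {
    (ipaddress.ip_address("10.0.1.20"), 636),  # LDAPS to the directory server
    (ipaddress.ip_address("10.0.1.53"), 53),   # DNS
}
# Constructed: the only external destination the gateway may reach (e.g. vendor updates).
ALLOWED_EGRESS = {(ipaddress.ip_address("203.0.113.10"), 443)}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in PRIVATE_NETS)

def parse_flow(line: str) -> Dict[str, object]:
    # Constructed format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>"
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": ts, "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]), "dport": int(fields["dport"])}

def review_flows(lines: List[str]) -> List[str]:
    """Return one finding per gateway-initiated flow that violates the policy."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f["src"] != GATEWAY_IP:
            continue  # only flows the gateway itself initiated matter for this check
        key = (f["dst"], f["dport"])
        if is_internal(f["dst"]):
            if key not in ALLOWED_INTERNAL:  # lateral movement into the internal network
                findings.append(f"{f['ts']} lateral: gateway -> {f['dst']}:{f['dport']} not in segmentation allow-list")
        elif key not in ALLOWED_EGRESS:  # outbound connection, e.g. a reverse shell
            findings.append(f"{f['ts']} egress: gateway -> {f['dst']}:{f['dport']} outbound not permitted")
    return findings

SAMPLE_FLOWS = [  # constructed sample records
    "2024-01-12T03:14:07Z src=10.0.5.10 dst=10.0.1.20 dport=636 proto=tcp",
    "2024-01-12T03:15:31Z src=10.0.5.10 dst=10.0.2.15 dport=445 proto=tcp",
    "2024-01-12T03:16:02Z src=10.0.5.10 dst=198.51.100.7 dport=4444 proto=tcp",
    "2024-01-12T03:16:40Z src=10.0.7.22 dst=10.0.2.15 dport=445 proto=tcp",
]
if __name__ == "__main__":
    print("\n".join(review_flows(SAMPLE_FLOWS)))
```

The same allow-lists double as the firewall rule set: anything the script would flag is a flow the internal firewall and egress filter should already be dropping.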