This advisory is for organizations that use Ivanti Connect Secure as a VPN solution, Ivanti Policy Secure as a network access control solution, or ZTA gateways to control access to organizational applications. If your organization does not use these Ivanti products, this notification may be discarded.
Summary
Ivanti has released a patch for an XML External Entity (XXE) vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and ZTA Gateways. XXE processing is an attack against a weakly configured XML parser: the attacker supplies a document whose XML entities contain URIs that resolve to internal resources outside the intended sphere of control, and the parser embeds those restricted resources into the product's output. This vulnerability may allow a remote attacker to access sensitive resources within the organization without having to provide authentication.
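The parser weakness the summary describes, shown as an added example written for this advisory (it is not Ivanti code and says nothing about how the Ivanti products parse XML): a Python expat parser configured to resolve SYSTEM entities against the local filesystem, beside a hardened parser that aborts on any DOCTYPE or entity declaration, plus an inspection helper that only reports whether a document declares an external entity. The temporary file, its "secret" contents and the sample documents are constructed for the demonstration.

```python
"""XXE exposure check: weak expat configuration vs. hardened one (added example)."""
import os
import tempfile
import xml.parsers.expat as expat


def parse_weak(xml_bytes: bytes) -> str:
    """Weakly configured parser: a SYSTEM entity is resolved by opening the
    named file and splicing its contents into the parsed text."""
    collected = []
    parser = expat.ParserCreate()

    def on_external_entity(context, base, system_id, public_id):
        # The weakness: the document, not the application, chooses the path.
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as fh:
            data = fh.read()
        child = parser.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = collected.append
        child.Parse(data, True)
        return 1

    parser.CharacterDataHandler = collected.append
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(collected)


def parse_hardened(xml_bytes: bytes) -> str:
    """Hardened parser: any DOCTYPE or entity declaration aborts the parse,
    so no entity can ever name a resource to fetch."""
    collected = []
    parser = expat.ParserCreate()

    def forbid(*_args):
        raise ValueError("DOCTYPE and entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.CharacterDataHandler = collected.append
    parser.Parse(xml_bytes, True)
    return "".join(collected)


def declares_external_entity(xml_bytes: bytes) -> bool:
    """Inspection only (no resolution): does the document declare an entity
    with a SYSTEM or PUBLIC identifier? Useful as a detection rule on inbound XML."""
    found = []
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            found.append(name)

    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        pass  # malformed input is handled by the caller's normal error path
    return bool(found)


def demo() -> dict:
    """Constructed scenario: a temp file stands in for a restricted resource."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("constructed-secret-42")  # constructed value, not real data
        secret_path = fh.name
    try:
        hostile = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE r [<!ENTITY ext SYSTEM "file://' + secret_path + '">]>\n'
            "<r>&ext;</r>"
        ).encode()
        benign = b"<r>hello</r>"
        result = {
            "weak_output": parse_weak(hostile),          # file contents leak into output
            "hardened_rejects": False,
            "hardened_benign": parse_hardened(benign),   # ordinary XML still parses
            "flagged": declares_external_entity(hostile),
            "benign_flagged": declares_external_entity(benign),
        }
        try:
            parse_hardened(hostile)
        except ValueError:
            result["hardened_rejects"] = True
    finally:
        os.unlink(secret_path)
    return result


if __name__ == "__main__":
    print(demo())
```

The check to apply to your own services is the `parse_hardened` shape: refuse DOCTYPE and entity declarations outright unless a feature genuinely needs them, and treat a declared SYSTEM/PUBLIC entity in inbound XML as a detection signal. For code that must use a full-featured parser, the `defusedxml` package wraps the standard library parsers with the same refusals.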
CVE-2024-22024 – (XXE) for Ivanti Connect Secure and Ivanti Policy Secure
CVSSv3: 8.3
Affected Platforms
Ivanti Connect Secure v. 9.x, 22.x
Ivanti Policy Secure
ZTA Gateways
Mitigations
From Ivanti: “Customers who applied the patch released on 31 January or 1 February, and completed a factory reset of their appliance, do not need to factory reset their appliances again.”
Product | Affected Versions | Fixed Versions
--- | --- | ---
Ivanti Connect Secure | 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, 22.5R2.2 | 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, 22.6R2.2
Ivanti Policy Secure | 22.5R1.1 | 9.1R17.3, 9.1R18.4, 22.5R1.2
ZTA Gateways | 22.6R1.3, 22.6R1.5 | 22.5R1.6, 22.6R1.7
Additional Resources
https://www.hackerone.com/knowledge-center/xxe-complete-guide-impact-examples-and-prevention