Cyberthreats in 2024 are heating up. In January alone, there were reportedly 4,645 publicly disclosed security incidents, with 29,530,829,012 known records breached. Several of these attacks were due to a handful of zero-day Common Vulnerabilities and Exposures (CVEs) that were exploited in targeted malware and ransomware attacks, a few of which involved secure remote access and VPN solutions.
Below, we’ve compiled everything you need to know about the VPN vulnerabilities and exposures that threat actors used to target secure remote access and VPN users in January 2024.
If you’ve experienced an attack due to a zero-day vulnerability, it is critical to secure your network and assets as quickly as possible. OpenVPN can help — watch our webinar replay to find out how to secure your hybrid workforce.
CVEs exploited by threat actors in January 2024
1. Ivanti Connect Secure (VPN) and Ivanti Policy Secure Gateways: Multiple Targeted Vulnerabilities
What: In early January, Ivanti alerted customers to two zero-day vulnerabilities in its corporate VPN product, formerly known as Pulse Connect Secure. CVE-2023-46805 and CVE-2024-21887 allow unauthorized command-injection attacks, exposing affected systems to unauthenticated attackers.
Essentially, chaining these two vulnerabilities lets an attacker bypass authentication and then send the crafted requests that would otherwise require an authenticated administrator, executing code on affected appliances.
Additionally, during the investigation of the prior two flaws, two more zero-day vulnerabilities were discovered. On January 31, Ivanti disclosed a privilege escalation vulnerability (CVE-2024-21888) and a server-side request forgery in the SAML component (CVE-2024-21893).
The following Ivanti products contain (at the time of this posting) a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication:
- Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure)
- Ivanti Policy Secure
- Ivanti Neurons
According to initial reports, these vulnerabilities were targeted by an espionage-focused threat group in order to spread malware, as well as post-exploitation tools like PySoxy (tunneling proxy) and BusyBox.
In other words, this vulnerability is the equivalent of hackers walking in through an unlocked front door and dropping bugs and stink bombs all over your digital house.
Who is impacted: Sources report that as many as 1,700 - 2,100 devices have been compromised through the first two reported vulnerabilities as of January 18. Further, nearly 20,000 vulnerable instances of the various Ivanti products have been identified as publicly exposed.
These vulnerabilities impact anyone who uses Ivanti’s corporate VPN product, Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons. This includes small and midsize businesses who may not feel their data is at risk.
If you use the previously mentioned Ivanti products as part of a suite of products in their platform, you may be at an increased risk of a data breach, malware, or other attack.
Government and/or vendor recommendations: The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to all government agencies to disconnect the impacted Ivanti products from their networks by the end of Friday, February 2. The directive also requires agencies to perform additional forensic analysis and clean-up steps in case they have already been compromised. CISA is also directing agencies that use Ivanti products to export their configuration and rebuild the affected devices (performing a factory reset, updating the firmware, and importing the configuration back) to remove the previously applied mitigation XML file.
For Ivanti customers who are not affiliated with the US government, including small and midsize businesses, it is recommended to apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Despite Ivanti’s previous plan for a “staggered patch,” the company is now advising their customers to “factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment.”
2. Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability and Buffer Overflow Vulnerability
What: On January 17, the Citrix NetScaler Gateway corporate secure remote access (VPN), Identity and Access Management (IdAM), and SSO products were found to contain a code injection vulnerability (CVE-2023-6548).
The code injection vulnerability in NetScaler ADC and NetScaler Gateway allows an attacker who already has authenticated, low-privileged access to the management interface (reached via the NSIP, CLIP, or a SNIP with management access enabled) to achieve remote code execution (RCE) on that interface.
Additionally, Citrix NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway contain a buffer overflow vulnerability (CVE-2023-6549) that allows a denial of service when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.
It’s a bit like falling asleep with your door open – you don’t know who, or what, is hiding and compromising your network.
Who is impacted: Citrix customers who use the customer-managed NetScaler ADC and NetScaler Gateway products are impacted. It is unknown how many users were impacted at this time. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.
If you use the previously mentioned Citrix products as part of a platform suite, you may be at an increased security risk until patched.
Government and/or vendor recommendations: NetScaler has advised all customers of their self-managed products to perform the provided updates as soon as possible. Businesses of all sizes are urged to monitor for potential breaches and be aware that a breach or attack still may occur.
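Both sections above boil down to the same defender workflow: find which of your appliances the advisories cover, treat internet-exposed ones first, and remember the exemption for vendor-managed Citrix services. The script below is an added example, not code from the post or from Ivanti, Citrix, or CISA; it matches a constructed asset inventory against a constructed feed in the layout of CISA's Known Exploited Vulnerabilities (KEV) JSON, using the CVE IDs named above (product strings, due dates, hostnames and the ACTIONS text are assumptions).

```python
import json
from datetime import date

# Constructed sample in the layout of CISA's Known Exploited Vulnerabilities (KEV) JSON
# feed: CVE IDs are those from the post; product strings and due dates are made up.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-46805", "vendorProject": "Ivanti", "product": "Connect Secure, Policy Secure", "dueDate": "2024-02-02"},
    {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti", "product": "Connect Secure, Policy Secure", "dueDate": "2024-02-02"},
    {"cveID": "CVE-2024-21893", "vendorProject": "Ivanti", "product": "Connect Secure, Policy Secure, Neurons", "dueDate": "2024-02-02"},
    {"cveID": "CVE-2023-6548", "vendorProject": "Citrix", "product": "NetScaler ADC, NetScaler Gateway", "dueDate": "2024-02-07"},
    {"cveID": "CVE-2023-6549", "vendorProject": "Citrix", "product": "NetScaler ADC, NetScaler Gateway", "dueDate": "2024-02-07"},
]})
# Remediation summarised from the vendor and CISA guidance quoted in the post.
ACTIONS = {
    "ivanti": "disconnect; export config; factory reset; update; re-import config",
    "citrix": "apply vendor update; monitor for signs of compromise",
}
# Constructed inventory rows: (host, vendor, product, internet_facing, vendor_managed)
INVENTORY = [
    ("vpn-hq-01", "Ivanti", "Connect Secure", True, False),
    ("nac-lab-02", "Ivanti", "Policy Secure", False, False),
    ("ns-gw-dmz", "Citrix", "NetScaler Gateway", True, False),
    ("ns-cloud-01", "Citrix", "NetScaler Gateway", True, True),  # Citrix-managed: exempt
    ("fw-edge-01", "Acme", "Firewall", True, False),             # not in the feed
]

def matches(entry, vendor, product):
    # KEV product fields often bundle several products, so match by substring.
    return (entry["vendorProject"].lower() == vendor.lower()
            and product.lower() in entry["product"].lower())

def triage(kev_json, inventory, today_iso):
    """Return [(host, cves, action, overdue)] with the most urgent hosts first."""
    today = date.fromisoformat(today_iso)
    entries = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for host, vendor, product, exposed, managed in inventory:
        hits = [e for e in entries if matches(e, vendor, product)]
        if not hits:
            continue
        cves = sorted(e["cveID"] for e in hits)
        if managed:  # post: customers on Citrix-managed services need take no action
            findings.append((host, cves, "none (vendor-managed)", False, 0))
            continue
        overdue = today > min(date.fromisoformat(e["dueDate"]) for e in hits)
        # Publicly exposed appliances are the ones being mass-scanned: rank them first.
        rank = 1 + (2 if exposed else 0) + (1 if overdue else 0)
        findings.append((host, cves, ACTIONS[vendor.lower()], overdue, rank))
    findings.sort(key=lambda f: f[4], reverse=True)
    return [f[:4] for f in findings]
```

Run `triage(KEV_SAMPLE, INVENTORY, "2024-02-05")` to get the ranked list; swapping in the live KEV feed and your real inventory is the only change needed for production use.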
Tips to improve your security posture
If your security has been compromised in one of the vulnerabilities above, especially in a zero-day vulnerability, it’s critical to make sure your customer data is secure. A few steps you can take include:
- Implement the tenets of zero trust to help thwart ransomware attacks, including enforcing multi-factor authentication and limiting access to internal systems.
- Deploy ZTNA essentials for web applications and all TCP/IP application protocols.
- Utilize an Intrusion Detection System and Intrusion Prevention System, or IDS/IPS, which are invaluable, readily available network security tools for mitigating malicious traffic and suspicious activity.
- Use network segmentation to thwart DoS attacks and limit the spread of an attack.
- Monitor third-party audits when available for cybersecurity tools in your tech stack.
Protect your network with OpenVPN
Ready to take the next step in improving your security posture before a breach can happen? Download OpenVPN’s award-winning CloudConnexa or Access Server for free and improve your security posture in under 20 minutes. Get started with free connections today.
Not ready to take the leap? We get it, it’s a big decision. Check out our other recent posts to stay up-to-date on the latest security news, trends, insights, and best practices.