Ivanti promises a security audit a day after 4 more vulnerabilities were discovered

Ivanti CEO Jeff Abbott said this week that his company will completely overhaul its security practices even as the vendor discovered another fresh set of bugs in its Ivanti Connect Secure and Policy Secure remote access products that are riddled with vulnerabilities.

In an open letter to customers, Abbott committed to a series of changes the company will make in the coming months to transform its security operating model after a relentless series of bug disclosures since January. The promised fixes include a complete overhaul of Ivanti’s engineering, security and vulnerability management processes and the implementation of a new secure-by-design initiative for product development.

Thorough overhaul

“We have challenged ourselves to take a critical look at every stage of our processes and every product to ensure the highest level of protection for our customers,” said Abbott, in his statement. “We have already begun to apply learnings from recent incidents to immediately improve our own engineering and security practices.”

Some of the specific steps include building security into every stage of the software development lifecycle and integrating new isolation and exploit-protection features into its products to reduce the potential impact of software vulnerabilities. The company will also improve its internal vulnerability discovery and management process and increase incentives for third-party bug hunters, Abbott said.

In addition, Ivanti will make more resources available to customers for finding vulnerability information and related documentation, and is committed to greater transparency and sharing of information with customers, he added.

How much these commitments will help stem growing customer disappointment with Ivanti remains unclear given the company’s recent security record. In fact, Abbott’s comments came a day after Ivanti disclosed four new bugs in its Connect Secure and Policy Secure access technologies and released patches for each of them.

The discovery followed a similar incident less than two weeks earlier involving two bugs in Ivanti’s Standalone Sentry and Neurons for ITSM products. Ivanti has so far disclosed a total of 11 vulnerabilities in its technologies since January 1, including the four this week. Many of these were critical flaws in the company’s remote access products, at least two of them zero-days, which attackers, including advanced persistent threat actors such as “Magnet Goblin,” have exploited at scale. Concerns about the potential for major breaches from some of these bugs prompted the US Cybersecurity and Infrastructure Security Agency (CISA) in January to order all civilian federal agencies to disconnect their Ivanti systems and not reconnect the devices until they had been fully remediated.

Security researcher and IANS research faculty member Jake Williams says the vulnerability revelations have raised serious questions from Ivanti’s customers. “Based on the conversations I have, especially with Fortune 500 clients, I honestly think it’s a little too little, too late,” he says. “The time to publicly undertake this commitment was more than a month ago.” There’s no question that the problems with the Ivanti VPN appliance (formerly Pulse) are causing CISOs to question the security of many other Ivanti products, he says.

A fresh set of 4 bugs

The four new bugs disclosed by Ivanti this week include two heap overflow vulnerabilities in the IPsec component of Connect Secure and Policy Secure, both of which the company characterized as high-severity risks to users. One of the vulnerabilities, tracked as CVE-2024-21894, gives unauthenticated attackers a way to run arbitrary code on affected systems. The second, tracked as CVE-2024-22053, allows an unauthenticated remote attacker to read content from system memory under certain conditions. Ivanti described both vulnerabilities as allowing attackers to send maliciously crafted requests that trigger a denial-of-service condition.

The other two flaws, CVE-2024-22052 and CVE-2024-22023, are medium-severity vulnerabilities that attackers can exploit to cause denial-of-service conditions on affected systems. Ivanti said that, as of April 2, it was not aware of any in-the-wild exploit activity targeting the vulnerabilities.

The steady stream of bug disclosures has raised questions about the risk Ivanti’s products pose to its more than 40,000 customers worldwide, with some expressing frustration on forums such as Reddit. Just two years ago, Ivanti’s press releases claimed that 96 of the Fortune 100 companies were its customers. In its most recent press releases, that number had dropped by almost 12% to 85 companies. While the decline may have to do with factors other than security, some of Ivanti’s rivals have begun to sense an opportunity. Cisco, for example, has started offering incentives, including a 90-day free trial, to get Ivanti VPN users to migrate to its Secure Access platform so they can “de-risk” their Ivanti products.

Eric Parizo, an analyst at Omdia, says at least some of Ivanti’s challenges are related to the fact that the company’s product portfolio is the sum of a number of past acquisitions. “The original products were developed by different companies at different times for different purposes using different methods. This means that the quality of the software, especially in terms of software security, can be dramatically uneven,” he says.

Parizo says that what Ivanti is doing now with its commitment to improving security processes and procedures in all segments is a step in the right direction. “I would also like to see the vendor indemnify its customers for damages directly resulting from these vulnerabilities, as this will help restore confidence in future purchases,” he says. “Perhaps the only saving grace for Ivanti is that customers are so used to this type of event, with cybersecurity vendors suffering countless similar incidents in recent years, that customers are more likely to forgive and forget.”
