Supplemental Direction V2: ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities

Original Issuance Date: February 9, 2024

Updated March 4, 2024

This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Supplemental Direction V2: Emergency Directive 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities. 

Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2). Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3). Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v). These directives do not apply to statutorily defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).  

See Emergency Directive 24-01 for the Original Directive issued on January 19, 2024.

Background 

This Supplemental Direction supersedes Supplemental Direction V1: Emergency Directive (ED) 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities issued on January 31, 2024. This version also supersedes Required Action 4 of ED 24-01. All other provisions of ED 24-01 remain in effect. This Supplemental Direction applies to any federal agency running affected products (Ivanti Connect Secure or Ivanti Policy Secure solutions).

On February 8, 2024, Ivanti reported a new vulnerability (CVE-2024-22024) affecting a limited number of supported Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and 22.5R2.2) and Ivanti Policy Secure (version 22.5R1.1) solutions. This newly disclosed vulnerability enables an attacker to access restricted resources without authentication. On February 8, 2024, Ivanti released new security updates that replace the previous updates released on January 31, 2024, and February 1, 2024, and, additionally, address CVE-2024-22024. This Supplemental Direction V2 adds a requirement for agencies running those software versions to apply appropriate security updates.

As noted in Supplemental Direction V1, threat actors continue to leverage vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions to capture credentials and drop webshells that enable further compromise of enterprise networks. Some threat actors have recently developed workarounds to earlier mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection. CISA is aware of instances in which threat actors have minimized traces of their intrusion, limiting the effectiveness of the external integrity checker tool (ICT).

Based on observations during incident response activities and available industry reporting, as supplemented by CISA’s research findings, network defenders should assume a sophisticated threat actor may deploy rootkit-level persistence that can survive a factory reset and lay dormant for an arbitrary amount of time. Continuing to operate Ivanti Connect Secure and Ivanti Policy Secure devices in an enterprise environment carries significant risk of adversary access to and persistence on these devices.

Required Actions 

Agencies running affected products (Ivanti Connect Secure or Ivanti Policy Secure solutions), or returning those products to service, are required to immediately perform the following tasks (Note: for agencies that have not returned any affected products to service and do not intend to do so, no further action is required):

1. For agencies that returned affected products to service following ED 24-01 Supplemental Direction V1, apply the February 8 update from Ivanti to address CVE-2024-22024 by 11:59PM Monday February 12, 2024. 
2. Per Supplemental Direction V1, agencies were required to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products by 11:59PM on Friday February 2, 2024, and follow a set of instructions before bringing any product back into service. If an agency did not previously complete the initial requirement to disconnect all instances of the affected products, do so immediately. For all affected products:
   1. Continue threat hunting on any systems connected to—or recently connected to—the affected Ivanti device.
   2. Monitor the authentication or identity management services that could be exposed. 
   3. Isolate the systems from any enterprise resources to the greatest degree possible. 
   4. Continue to audit privilege level access accounts. 
3. To bring any additional products back into service, agencies are still required to perform the following actions:

   1. Export configuration settings.  

   2. Complete a factory reset per Ivanti’s instructions. 

      1. Note: If an agency completed a factory reset of the Ivanti device before applying the previously released patches on January 31 and February 1, a factory reset is not required. 

   3. Rebuild the device per Ivanti’s instructions AND upgrade to a supported software version through Ivanti’s download portal (there is no cost to upgrade). 

   4. Reimport the configuration.

      1. If mitigation XML files were applied, review the Ivanti KB and customer portal for directions on how to remove the mitigations after upgrading. 

   5. Revoke and reissue any connected or exposed certificates, keys, and passwords, to include the following: 
      1. Reset the admin enable password. 
      2. Reset stored application programming interface (API) keys. 
      3. Reset the password of any local user defined on the gateway, including service accounts used for auth server configuration(s). 

4. For all products returned to service, apply future updates that address the vulnerabilities referenced in this Directive and Supplemental Direction as they become available and no later than 48 hours following their release by Ivanti.  

5. Agencies running the affected products must assume domain accounts associated with the affected products have been compromised. By Friday March 1, 2024, agencies must:

   1. Reset passwords twice for on premise accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments. 

   2. For cloud joined/registered devices, disable devices in the cloud to revoke the device tokens. 

Agencies should carefully follow Ivanti’s instructions on securing affected products, including Ivanti's recent guidance:

• KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways 

• Recovery Steps Related to CVE-2023-46805 and CVE-2024-21887 (ivanti.com)

Reporting

By 11:59PM EST Wednesday February 14, 2024, and upon request going forward, report to CISA the status across all affected products. CISA will provide an updated reporting template.   

Report to CISA the status of actions under Requirement 5 by Friday March 1, 2024. 

CISA Actions 

1. CISA will provide agencies with a template that will be used for reporting agency actions following the issuance of this Supplemental Direction. 

2. CISA will continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate. 

3. CISA will provide technical assistance to agencies who are without internal capabilities sufficient to comply with this Supplemental Direction.  

4. By June 1, 2024, CISA will provide a report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget, and the Federal Chief Information Security Officer identifying cross-agency status and outstanding issues. 

Duration 

This Supplemental Direction remains in effect until CISA determines that all agencies operating affected software have performed all required actions from this Direction or the Direction is terminated through other appropriate action. 

Additional Information  

Visit https://www.cisa.gov/news-events/directives or contact the following for: 

• General information, assistance, and reporting – CyberDirectives@cisa.dhs.gov 

• Reporting indications of compromise – central@cisa.dhs.gov