Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Free Cyber ServicesSecure by design Secure Our WorldShields UpReport A Cyber Issue

Cybersecurity & Infrastructure Security Agency logo America’s Cyber Security Defense Agency National Coordinator For Critical Infrastructure Security and ResilienceCybersecurity & Infrastructure Security Agency logo America’s Cyber Security Defense Agency National Coordinator For Critical Infrastructure Security and Resilience
CISA Logo

Search

 

America's Cyber Defense Agency
 
  • Topics
    Cybersecurity Best Practices
    Cyber Threats and Advisories
    Critical Infrastructure Security and Resilience
    Election Security
    Emergency Communications
    Industrial Control Systems
    Information and Communications Technology Supply Chain Security
    Partnerships and Collaboration
    Physical Security
    Risk Management
    How can we help?
    GovernmentEducational InstitutionsIndustryState, Local, Tribal, and TerritorialIndividuals and FamiliesSmall and Medium BusinessesFind Help LocallyFaith-Based CommunityExecutivesHigh-Risk Communities
  • Spotlight
  • Resources & Tools
    All Resources & Tools
    Services
    Programs
    Resources
    Training
    Groups
  • News & Events
    News
    Events
    Cybersecurity Alerts & Advisories
    Directives
    Request a CISA Speaker
    Congressional Testimony
    CISA Conferences
    CISA Live!
  • Careers
    Benefits & Perks
    HireVue Applicant Reasonable Accommodations Process
    Hiring
    Resume & Application Tips
    Students & Recent Graduates
    Veteran and Military Spouses
  • About
    Divisions & Offices
    Regions
    Leadership
    Doing Business with CISA
    Site Links
    CISA GitHub
    CISA Central
    Contact Us
    Subscribe
    Transparency and Accountability
    Policies & Plans

Free Cyber ServicesSecure by design Secure Our WorldShields UpReport A Cyber Issue

Breadcrumb
  1. Home
  2. News & Events
  3. Cybersecurity Directives
  4. Supplemental Direction V2: ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities
Share:

News & Events

  • News
  • Events
  • Cybersecurity Alerts & Advisories
  • Directives
  • Request a CISA Speaker
  • Congressional Testimony
  • CISA Conferences
  • CISA Live!
Emergency Directives

Supplemental Direction V2: ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities

February 09, 2024
Related topics:
Cybersecurity Best Practices
Emergency Directive 24-01 Header

Original Issuance Date: February 9, 2024

Updated March 4, 2024

This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Supplemental Direction V2: Emergency Directive 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities. 

Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2). Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3). Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v). These directives do not apply to statutorily defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).  

See Emergency Directive 24-01 for the Original Directive issued on January 19, 2024.

Background 

This Supplemental Direction supersedes Supplemental Direction V1: Emergency Directive (ED) 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities issued on January 31, 2024. This version also supersedes Required Action 4 of ED 24-01. All other provisions of ED 24-01 remain in effect. This Supplemental Direction applies to any federal agency running affected products (Ivanti Connect Secure or Ivanti Policy Secure solutions).

On February 8, 2024, Ivanti reported a new vulnerability (CVE-2024-22024) affecting a limited number of supported Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and 22.5R2.2) and Ivanti Policy Secure (version 22.5R1.1) solutions. This newly disclosed vulnerability enables an attacker to access restricted resources without authentication. On February 8, 2024, Ivanti released new security updates that replace the previous updates released on January 31, 2024, and February 1, 2024, and, additionally, address CVE-2024-22024. This Supplemental Direction V2 adds a requirement for agencies running those software versions to apply appropriate security updates.

As noted in Supplemental Direction V1, threat actors continue to leverage vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions to capture credentials and drop webshells that enable further compromise of enterprise networks. Some threat actors have recently developed workarounds to earlier mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection. CISA is aware of instances in which threat actors have minimized traces of their intrusion, limiting the effectiveness of the external integrity checker tool (ICT).

Based on observations during incident response activities and available industry reporting, as supplemented by CISA’s research findings, network defenders should assume a sophisticated threat actor may deploy rootkit-level persistence that can survive a factory reset and lay dormant for an arbitrary amount of time. Continuing to operate Ivanti Connect Secure and Ivanti Policy Secure devices in an enterprise environment carries significant risk of adversary access to and persistence on these devices.

Required Actions 

Agencies running affected products (Ivanti Connect Secure or Ivanti Policy Secure solutions), or returning those products to service, are required to immediately perform the following tasks (Note: for agencies that have not returned any affected products to service and do not intend to do so, no further action is required):

  1. For agencies that returned affected products to service following ED 24-01 Supplemental Direction V1, apply the February 8 update from Ivanti to address CVE-2024-22024 by 11:59PM Monday February 12, 2024. 
  2. Per Supplemental Direction V1, agencies were required to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products by 11:59PM on Friday February 2, 2024, and follow a set of instructions before bringing any product back into service. If an agency did not previously complete the initial requirement to disconnect all instances of the affected products, do so immediately. For all affected products:
    1. Continue threat hunting on any systems connected to—or recently connected to—the affected Ivanti device.
    2. Monitor the authentication or identity management services that could be exposed. 
    3. Isolate the systems from any enterprise resources to the greatest degree possible. 
    4. Continue to audit privilege level access accounts. 
  3. To bring any additional products back into service, agencies are still required to perform the following actions:
    1. Export configuration settings.  

    2. Complete a factory reset per Ivanti’s instructions. 

      1. Note: If an agency completed a factory reset of the Ivanti device before applying the previously released patches on January 31 and February 1, a factory reset is not required. 

    3. Rebuild the device per Ivanti’s instructions AND upgrade to a supported software version through Ivanti’s download portal (there is no cost to upgrade). 

    4. Reimport the configuration.

      1. If mitigation XML files were applied, review the Ivanti KB and customer portal for directions on how to remove the mitigations after upgrading. 

    5. Revoke and reissue any connected or exposed certificates, keys, and passwords, to include the following: 
      1. Reset the admin enable password. 
      2. Reset stored application programming interface (API) keys. 
      3. Reset the password of any local user defined on the gateway, including service accounts used for auth server configuration(s). 
  4. For all products returned to service, apply future updates that address the vulnerabilities referenced in this Directive and Supplemental Direction as they become available and no later than 48 hours following their release by Ivanti.  

  5. Agencies running the affected products must assume domain accounts associated with the affected products have been compromised. By Friday March 1, 2024, agencies must:

    1. Reset passwords twice for on premise accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments. 

    2. For cloud joined/registered devices, disable devices in the cloud to revoke the device tokens. 

Agencies should carefully follow Ivanti’s instructions on securing affected products, including Ivanti's recent guidance:

  • KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways 

  • Recovery Steps Related to CVE-2023-46805 and CVE-2024-21887 (ivanti.com)

Reporting

By 11:59PM EST Wednesday February 14, 2024, and upon request going forward, report to CISA the status across all affected products. CISA will provide an updated reporting template.   

Report to CISA the status of actions under Requirement 5 by Friday March 1, 2024. 

CISA Actions 

  1. CISA will provide agencies with a template that will be used for reporting agency actions following the issuance of this Supplemental Direction. 

  1. CISA will continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate. 

  1. CISA will provide technical assistance to agencies who are without internal capabilities sufficient to comply with this Supplemental Direction.  

  1. By June 1, 2024, CISA will provide a report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget, and the Federal Chief Information Security Officer identifying cross-agency status and outstanding issues. 

Duration 

This Supplemental Direction remains in effect until CISA determines that all agencies operating affected software have performed all required actions from this Direction or the Direction is terminated through other appropriate action. 

Additional Information  

Visit https://www.cisa.gov/news-events/directives or contact the following for: 

  • General information, assistance, and reporting – CyberDirectives@cisa.dhs.gov 

  • Reporting indications of compromise – central@cisa.dhs.gov  

Tags

Topics: Cybersecurity Best Practices

Related Directives

Apr 02, 2024

ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System

Jan 31, 2024

Supplemental Direction V1: ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities

Jan 19, 2024

ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities

Mar 03, 2021

ED 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities

Return to top
  • Topics
  • Spotlight
  • Resources & Tools
  • News & Events
  • Careers
  • About
Cybersecurity & Infrastructure Security Agency
  • Facebook
  • X
  • LinkedIn
  • YouTube
  • Instagram
  • RSS
CISA Central 1-844-Say-CISA SayCISA@cisa.dhs.gov
DHS Seal
CISA.gov
An official website of the U.S. Department of Homeland Security
  • About CISA
  • Budget and Performance
  • DHS.gov
  • FOIA Requests
  • No FEAR Act
  • Office of Inspector General
  • Privacy Policy
  • Subscribe
  • The White House
  • USA.gov
  • Website Feedback