FedRAMP Compliance & Emergency Directive

This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities.

Background

CISA has observed widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions, hereafter referred to as “affected products.” Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems.

CISA has determined these conditions pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action. This determination is based on widespread exploitation of vulnerabilities by multiple threat actors, the prevalence of the affected products in the federal enterprise, the high potential for a compromise of agency information systems, the impact of a successful compromise, and the complexity of the proposed mitigations.

On January 10, 2024, Ivanti released the following information on the vulnerabilities in the affected products:

  • CVE-2023-46805 is a vulnerability found in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. This authentication bypass vulnerability allows a remote attacker to access restricted resources by bypassing control checks.
  • CVE-2024-21887 is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. This vulnerability, which can be exploited over the internet, allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the affected products.

When exploited in tandem, these vulnerabilities allow a malicious threat actor to execute arbitrary commands on a vulnerable product. Ivanti has released a temporary mitigation through an XML file that can be imported into affected products to make necessary configuration changes until the permanent update is available.

This Directive requires agencies to implement Ivanti’s published mitigation immediately to the affected products in order to prevent future exploitation. As this initial action does not remedy an active or past compromise, agencies are also required to run Ivanti’s External Integrity Checker Tool and take additional steps if indications of compromise are detected.

The required actions in this Emergency Directive align with requirements in CISA’s Binding Operational Directive 22-01 and do not conflict with any previous requirements.

Required Actions

Agencies running affected products (Ivanti Connect Secure or Ivanti Policy Secure solutions) are required to perform the following tasks:

  • As soon as possible and no later than 11:59 pm EST on Monday, January 22, 2024, download and import “mitigation.release.20240107.1.xml,” via Ivanti’s download portal, into the affected product. Note that the XML file, once imported, impacts or degrades a number of product management features. Agencies must carefully follow Ivanti’s instructions to ensure a correct import and avoid service outages.
  • Immediately after importing the XML file, download and run Ivanti’s External Integrity Checker Tool. Note: Although newer versions of the affected software include an integrated internal integrity checker, agencies are required to download and run the external tool, regardless of the current version installed. Running the External Integrity Checker Tool will reboot the affected product.
  • If indications of compromise are detected:
      • Remove compromised products from agency networks. Initiate incident analysis, preserve data from the compromised devices through the creation of forensic hard drive images, and hunt for indications of further compromise.
      • To bring a compromised product back into service, reset the device with the affected Ivanti solution software to factory default settings and download and import “mitigation.release.20240107.1.xml,” via Ivanti’s download portal, into the affected product. Note that importing the XML file may impact or degrade a number of product management features. Agencies must carefully follow Ivanti’s instructions to ensure a correct import and avoid service outages.
      • To fully restore a compromised product and bring it back into service, agencies are also required to follow Ivanti’s instructions and perform the following additional actions on all compromised products:
          • Revoke and reissue any stored certificates.
          • Reset the admin enable password.
          • Reset stored API keys.
          • Reset the password of any local user defined on the gateway, including service accounts used for auth server configuration(s).
  • Apply updates that address the two vulnerabilities referenced in this Directive to the affected products as they become available and no later than 48 hours following their release by Ivanti.
  • One week after the issuance of this Directive, report to CISA (using the provided template) a complete inventory of all instances of Ivanti Connect Secure and Ivanti Policy Secure products on agency networks, including details on actions taken and results.

Reporting template: Emergency Directive 24-01 CyberScope Reporting Template (XLSX, 1.23 MB)

These required actions apply to agency assets in any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.

For federal information systems hosted in third-party environments, each agency is responsible for maintaining an inventory of its information systems hosted in those environments (FedRAMP Authorized or otherwise), obtaining status updates pertaining to this Directive, and ensuring compliance with it. Agencies should work through the FedRAMP program office to obtain these updates for FedRAMP Authorized cloud service providers and work directly with service providers that are not FedRAMP Authorized.

All other provisions specified in this Directive remain applicable.

CISA Actions

  • CISA will provide agencies with a template that will be used for reporting agency actions following the issuance of this Directive.
  • CISA will continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate.
  • CISA will provide technical assistance to agencies who are without internal capabilities sufficient to comply with this Directive.
  • By June 1, 2024, CISA will provide a report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget, and the Federal Chief Information Security Officer identifying cross-agency status and outstanding issues.

Duration

This Emergency Directive remains in effect until CISA determines that all agencies operating affected software have performed all required actions from this Directive or the Directive is terminated through other appropriate action.

Additional Information

For additional information, visit https://www.cisa.gov/news-events/directives.

Related directives:

  • ED 21-04: Mitigate Windows Print Spooler Service Vulnerability
  • ED 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities

By admin | January 21st, 2024