CVE-2024-37401
📋 TL;DR
An out-of-bounds read vulnerability in the IPsec implementation of Ivanti Connect Secure allows remote unauthenticated attackers to cause denial of service by crashing the service. This affects all Ivanti Connect Secure (formerly Pulse Connect Secure) installations before version 22.7R2.1.
💻 Affected Systems
- Ivanti Connect Secure
- Ivanti Policy Secure
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of the VPN gateway, preventing all remote access and potentially requiring physical console access to restore service.
Likely Case
Temporary denial of service affecting VPN connectivity until service restart or system reboot.
If Mitigated
No impact if patched or if IPsec is disabled in configurations.
🎯 Exploit Status
Remote unauthenticated exploitation with low complexity makes this attractive for attackers. No public exploit code known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.7R2.1 or later
Vendor Advisory: https://forums.ivanti.com/s/article/December-2024-Security-Advisory-Ivanti-Connect-Secure-ICS-and-Ivanti-Policy-Secure-IPS-Multiple-CVEs
Restart Required: Yes
Instructions:
1. Download patch from Ivanti support portal.
2. Backup current configuration.
3. Apply patch via admin interface.
4. Reboot system.
5. Verify version shows 22.7R2.1 or higher.
🔧 Temporary Workarounds
Disable IPsec
Temporarily disable IPsec functionality if not required for operations.
Navigate to System > Configuration > VPN > IPsec and disable
🧯 If You Can't Patch
- Implement network segmentation to restrict access to VPN services
- Deploy IPS/IDS rules to detect and block IPsec-related anomalies
🔍 How to Verify
Check if Vulnerable:
Check system version in admin interface under System > Maintenance > System Information
Check Version:
ssh admin@vpn-host show version
Verify Fix Applied:
Verify version is 22.7R2.1 or higher and test IPsec connectivity
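For checking more than one gateway, the version comparison above can be scripted. The following is an added example, not Ivanti tooling or code from the advisory; it assumes version strings of the form shown on this page (Major.MinorR<release> with an optional .<patch>), and the hostnames and inventory are constructed. It compares numerically, because a plain string comparison would sort 22.7R10 before 22.7R2.1.

```python
import re

# Fixed release stated on this page.
FIXED = "22.7R2.1"

# Major.MinorR<release>[.<patch>], e.g. 22.7R2.1 or 22.7R2 (patch defaults to 0).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)R(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, release, patch) or raise ValueError."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(reported, fixed=FIXED):
    """True when the reported version sorts before the fixed release."""
    return parse_version(reported) < parse_version(fixed)


def triage(inventory):
    """Map hostname -> 'vulnerable' | 'patched' | 'unknown'."""
    result = {}
    for host, reported in inventory.items():
        try:
            result[host] = "vulnerable" if is_vulnerable(reported) else "patched"
        except ValueError:
            # An unparseable string is not evidence of a fix; flag for manual review.
            result[host] = "unknown"
    return result


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE = {
    "vpn-a": "22.7R2",
    "vpn-b": "Version 22.7R2.1",
    "vpn-c": "22.7R10",
    "vpn-d": "9.1R18.9",
    "vpn-e": "n/a",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```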
📡 Detection & Monitoring
Log Indicators:
- IPsec service crashes
- Unexpected process termination
- High volume of malformed IPsec packets
Network Indicators:
- Spike in IPsec protocol traffic followed by service unavailability
- Connection resets on UDP port 500/4500
SIEM Query:
source="ivanti-vpn" AND (event_type="crash" OR message="ipsec" OR severity="critical")