Critical Vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure Prompt Emergency Action by US Agencies

ICARO Media Group
Politics
19/01/2024 21h41

In response to widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions, the Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 24-01. CISA's directive mandates immediate action by Federal Civilian Executive Branch (FCEB) agencies to mitigate the risks posed by these vulnerabilities.

The vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, allow threat actors to exploit the affected products and gain unauthorized access to restricted resources, perform data exfiltration, and establish persistent system access. These actions can lead to a complete compromise of target information systems.

Ivanti, the provider of the affected products, released temporary mitigation measures in the form of an XML file that agencies must download and import into their systems until a permanent update becomes available.

Under the Emergency Directive, agencies running Ivanti Connect Secure or Ivanti Policy Secure solutions are required to take several immediate steps. First, they must download the provided XML file, "mitigation.release.20240107.1.xml," from Ivanti's download portal and import it into the affected products. It is crucial to follow Ivanti's guidelines to ensure the correct import and prevent service disruptions.

After importing the XML file, agencies must also download and run Ivanti's External Integrity Checker Tool. This tool will reboot the affected products and check for any indications of compromise. If compromise indicators are detected, agencies must report them to CISA immediately at central@cisa.dhs.gov.

In the case of compromised products, agencies should remove them from their networks and initiate incident analysis. It is essential to preserve data from the compromised devices by creating forensic hard drive images while hunting for further indications of compromise.

To bring a compromised product back into service, agencies must reset the affected Ivanti solution software to factory default settings. Then, they must download and import the same XML file mentioned earlier. Following Ivanti's instructions is crucial to ensure a correct import and avoid service disruptions.

Agencies must also apply future updates that address the vulnerabilities referenced in the directive as they become available. These updates should be implemented within 48 hours of their release by Ivanti.

Within one week of the issuance of the directive, agencies must report a comprehensive inventory of all instances of Ivanti Connect Secure and Ivanti Policy Secure products on their networks to CISA, using a provided template. This report should include details on the actions taken and their results.

The Emergency Directive applies to agency assets in any federal information system, including those used or operated by third-party entities on behalf of agencies. Agencies are responsible for maintaining an inventory of their information systems hosted in third-party environments and ensuring compliance with the directive's requirements.

CISA will provide technical assistance to agencies lacking the internal capabilities to comply with the directive. It will continue monitoring for and identifying instances and potential compromises associated with these vulnerabilities, and will provide further guidance when necessary.

The Emergency Directive will remain in effect until CISA determines that all agencies using the affected software have completed the required actions or until it is terminated through appropriate measures.

For general information, assistance, and reporting, agencies may contact CyberDirectives@cisa.dhs.gov. To report any indications of compromise, they should use central@cisa.dhs.gov.

In conclusion, the Emergency Directive issued by CISA emphasizes the critical nature of the vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure. Immediate action by FCEB agencies is necessary to mitigate the risks and protect against potential compromises of information systems.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
