Security teams are currently addressing two distinct challenges affecting the network edge and supply chain trust. A new vulnerability in Ivanti Connect Secure and a production system incident at AnyDesk have introduced risks to enterprise perimeters. These developments demonstrate that remote access tools, while essential for operations, require rigorous configuration and monitoring to maintain organizational safety.
Ivanti Connect Secure: CVE-2024-21893
The situation regarding Ivanti gateways has evolved with the identification of CVE-2024-21893, a server-side request forgery (SSRF) vulnerability. This finding is significant because it permits threat actors to bypass the initial mitigations that many organizations implemented last month. Activity observed by researchers indicates that groups such as UNC5221 are actively adapting their methods to persist within target networks, suggesting a sustained effort to compromise corporate network edges.
Technically, this vulnerability exists within the SAML component of the Connect Secure and Policy Secure gateways. By targeting the SSRF flaw in the saml-server endpoint, unauthorized parties can access restricted resources without valid credentials. In certain configurations, this access circumvents traditional multi-factor authentication (MFA). Observed activity includes the deployment of "KrustyLoader," a Rust-based tool designed to drop additional malicious modules. This highlights a trend toward modular tools that operate in memory to evade legacy signature-based detection.
Recommended Actions for Ivanti: To secure these environments, we recommend moving beyond simple mitigations.
Factory Reset: Perform a full factory reset of the appliance before applying the latest patches. Current evidence indicates that the SSRF flaw allows for persistence that survives standard reboots.
Traffic Monitoring: Monitor for unusual outbound traffic from these appliances, specifically connections to unknown IP addresses or via non-standard ports. This remains a high-fidelity method for identifying unauthorized activity.
AnyDesk: Production System Incident
AnyDesk has confirmed a security incident affecting its production systems. While the company reports no evidence that end-user devices have been compromised, they have revoked all code-signing certificates and initiated a mandatory password reset for their web portal. These measures reflect a precaution to ensure the integrity of their environment.
The technical implications for defenders center on certificate management. AnyDesk is transitioning to a new certificate, with version 8.0.8 being the first to carry the updated signature. The primary risk involves the potential for unauthorized parties to possess older signing keys, which could theoretically allow them to sign binaries that the operating system views as legitimate. As AnyDesk revokes the affected certificates, security teams may face a secondary challenge: ensuring that legitimate, older versions of the software do not experience service interruptions or trigger blocks by Endpoint Detection and Response (EDR) solutions.
Recommended Actions for AnyDesk:
Update Immediately: Prioritize the deployment of version 8.0.8 or higher.
Audit Usage: Review the use of remote access tools across the environment. We recommend implementing strict application allow-listing to ensure AnyDesk runs only in authorized network segments.
Prepare for Alerts: Anticipate increased alerts from endpoint security tools as older versions lose their trusted status. Proactive communication with IT support teams will help manage potential disruptions to legitimate workflows.
Credential Rotation: Rotate any credentials used on the AnyDesk portal immediately. Security teams should operate under the assumption that these credentials may have been exposed.
Strengthening Edge Security
These events illustrate the challenges inherent in edge security. The reliance on specific gateway products means that a single vulnerability can impact numerous organizations. We anticipate continued research into the underlying components of these gateways, such as SAML parsers and web servers.
Strategically, these findings reinforce the value of a Zero Trust architecture. By ensuring that the compromise of a single edge device does not grant lateral movement capabilities, organizations can better protect their core assets. We work with teams to implement these architectural principles, reducing the reliance on perimeter defenses alone.