Zero-Day Vulnerability in Ivanti VPN – Source: www.schneier.com

Source: www.schneier.com – Author: Bruce Schneier

Comments

Aaron January 9, 2025 3:11 PM

What does it say about the current philosophies of the corporate cyber security industry when, willfully or not, we continue to consolidate software assets under the same shrinking umbrella of protection products that end up leaving a larger group of assets vulnerable when a vulnerability is discovered and published?

Homegrown, open source or small business software has fallen out of favor for plenty of reasonable reasons: cost, compatibility, vanishing vendor, etc. but has the tradeoff been worth it in the long run?

Willfully or not, we keep moving more and more eggs into fewer and fewer baskets and that creates problems people aren’t addressing. Did we already forget about CrowdStrike?

Clive Robinson January 9, 2025 7:18 PM

@ ALL,

Such failings are to be expected as almost a fact of life. The reasons are many and all too often two are,

1, Over complexity.
2, Over featured.

The first is oft the fault of developers with an overly developed “Code Reuse” not “security” mentality.

The second is oft the fault of marketing with an overly developed “must have feature” not “security” mentality.

But… It can also be easily –if incorrectly– argued that those who buy have no sense of “security” in their purchasing choices.

The reality is few have the required level of understanding and as such have better things to do with their time, rather than learn that which has near zero return on the investment in time, effort, and resources needed to gain the understanding.

The reality is even for supposed gurus the air in this area is as thin if not thinner than the rarefied atmosphere atop Mt Everest.

It’s interesting to ask people why they use a VPN. If you say is it for message content security or message traffic security, the answer is unlikely to be either.

Often the major use of VPNs is about where you appear to be within the perceived geo-location. That is to get around some service filtering, the most obvious being “media licensing” evasion / management.

Thus the fact that the system has been hacked may actually not be as much of a concern to some as might be thought at first consideration. Because either the VPN sits entirely outside of their security perimeter, where the main threat for them is DoS that exists irrespective of the VPN. Or it sits entirely within their security perimeter, where another failing such as a perimeter device has to be exploited first.

As for the other systems affected then yes this for most is more serious. Especially if it can bridge the security perimeter.

Andy January 9, 2025 9:34 PM

This remote access product has had SO many publicly disclosed and actively exploited vulnerabilities over the past 5 years. It’s not just that any device on the public internet that takes input from the wide world has a tough barrier to entry. It’s these guys specifically that are in another category above all of their competitors for number of novel exploits. A security product intended to be receiving inbound connections that acts as a gateway to the internal network should not be developed with the same amount of rigor as a smart light bulb. This product was purchased by Juniper maybe 15 years ago and it’s pretty close to the same OS and components since then. It’s like opening ports to a machine still running XP to the public internet on a box running in your flat network. Most companies I know have already run away from using this product. Those who haven’t, and are trying to do well at security, are using it as a leg of their least privilege strategy. Giving it full access to the network to the device and counting on it to enforce user group-based ACLs. But when every year a CVE comes out that lets you compromise the OS from the outside .. definition of Insanity. And this company’s failures will let more “Zero Trust” tools selling to ignorance propagate with yet another false sense of security. This vendor’s claims about marketshare are either outdated or dishonest.

Original Post URL: https://www.schneier.com/blog/archives/2025/01/zero-day-vulnerability-in-ivanti-vpn.html

Category & Tags: Uncategorized, VPN, vulnerabilities, zero-day