Merge branch '2024-00001' of github.com:DIVD-NL/web-csirt into 2024-0…

…0001
DIVD-NL · Jan 10, 2024 · b585655 · b585655
2 parents d9f1187 + 346a216
commit b585655
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/_cases/2024/DIVD-2024-00001.md b/_cases/2024/DIVD-2024-00001.md
@@ -23,7 +23,7 @@ versions:
 recommendation: "While the patch is under development, apply Ivanti’s mitigation, or take the appliance offline."
 patch_status: Under development
 workaround: Import the mitigation file mitigation.release.20240107.1.xml provided by Ivanti in the download portal or take the device offline.
-status : Case opened
+status : open
 start: 2024-01-10
 end: 
 timeline:
@@ -33,6 +33,9 @@ timeline:
 - start: 2024-01-10
   end:
   event: “Advisory published, DIVD starts scanning for vulnerable instances."
+- start: 2024-01-10
+  end:
+  event: “Case opened, first version of this casefile."
 #ips: 
 # ips is used for statistics after the case is closed. If it is not applicable, you can set IPs to n/a (e.g. stolen credentials)
 # This field becomes mandatory when the case status is set to 'Closed'
@@ -42,9 +45,7 @@ timeline:
 An authentication bypass and a command injection vulnerability were discovered in Ivanti Connect Secure and Ivanti Policy Secure, it is present in all supported versions. Multiple sources report active exploitation by threat actors, making immediate mitigation necessary. By combining these two vulnerabilities, threat actors are able to take complete control of the underlying system. Ivanti does not yet have a patch, which is expected to be released in the week of January 22nd. In the meantime, a mitigation is provided that can be downloaded in the Ivanti download portal. 
 
 ## What you can do
-Given that theere is active exploitation, it is crucial the provided mitigation is applied as soon as possible or that the appliance is take offline until mitigations are avilable. It is also recommended to check the appliance for sings of previous exploitation.
-The mitigation can be applied by downloading and importing mitigation.release.20240107.1.xml from the Ivanti download portal. Additionally, Volexity (see references) provided detection rules to monitor for exploitation.
-The patch is expected to be released in the week of January 22nd.
+Given that there is active exploitation, it is crucial the provided mitigation is applied as soon as possible or that the appliance is take offline until mitigations are available. It is also recommended to check the appliance for signs of previous exploitation. The mitigation can be applied by downloading and importing mitigation.release.20240107.1.xml from the Ivanti download portal. Additionally, Volexity (see references) provided detection rules to monitor for exploitation. The patch is expected to be released in the week of January 22nd.
 
 ## What we are doing
 DIVD is currently working to identify vulnerable instances and notify the owners of these systems. We do this by scanning for exposed Ivanti Connect Secure and Policy Secure instances, and checking the version number to determine whether the vulnerability is present. Owners of vulnerable instances receive a notification with the host information and mitigation steps.