
Ivanti to revamp security software following multiple critical bugs

CEO Jeff Abbott

Utah-based IT software vendor Ivanti is under growing pressure to fix a host of bugs in its remote access products, as well as one in its IT service management (ITSM) platform.

Ivanti CEO Jeff Abbott reportedly confirmed this week that his company “will completely revamp its security practices.”

The announcement came after the disclosure of further vulnerabilities in the vendor’s Ivanti Connect Secure and Policy Secure remote access products, according to various reports including Dark Reading.

So far, Ivanti has confirmed around 10 critical flaws in its remote access products, and one in its ITSM platform.

Bugs

The latest bugs include overflow vulnerabilities in the IPSec component of Connect Secure and Policy Secure, both of which the company characterised as a “high-severity risk” for customers.

One of the vulnerabilities, tracked as CVE-2024-21894, could give unauthenticated attackers a way to run arbitrary code on affected systems.

Another, tracked as CVE-2024-22053, permits remote attackers to read contents of system memory.

The severity and sheer number of bugs have caused concern among Ivanti’s 40,000 customers around the world, many within the financial services space.


“We are taking a very close look at our own posture and processes.”

– Jeff Abbott

Abbott wrote in an open letter to the company’s customers that Ivanti plans to introduce a series of changes in the coming months that should transform its security operating model.

“Events in recent months have been humbling, and I want you to hear directly from me about the actions we are taking to ensure we emerge stronger,” he stated.

“We and many others in our industry have witnessed, firsthand, the increasing complexity of the threat landscape and the specific evolution of threat-actor tactics,” Abbott shared with his customers.

“This activity has brought one of our products to the forefront of conversation regarding recently reported security incidents,” he continued.

Abbott stressed that “we will use this opportunity to begin a new era at Ivanti. We have challenged ourselves to look critically at every phase of our processes, and every product.”

Moreover, Abbott said his team is executing a plan that accelerates security initiatives already underway and implements improved practices to anticipate, prevent and protect against future threats.

“We have engaged the industry’s most recognised security and product development experts to support the Ivanti team’s review.”

Measures

Among the measures are a complete overhaul of Ivanti’s engineering, vulnerability and security management approach, as well as the implementation of a new secure-by-design initiative for product development.

“We have already begun applying learning from recent incidents to make immediate improvements to our own engineering and security practices,” Abbott added.

Some of the other steps Ivanti is taking include embedding security into every stage of the software development life cycle and integrating new isolation and anti-exploit features into its products to minimise the potential impact of software vulnerabilities.

The firm also plans to review and upgrade its internal vulnerability discovery and management process and increase incentives for third-party bug hunters, Abbott stressed.

Moreover, he said more resources will be made available to Ivanti’s customers to help them find vulnerability information more quickly, and to improve transparency and information sharing.

Too little, too late?

Jake Williams

Following the developments in recent weeks, security researcher and IANS Research faculty member Jake Williams told Dark Reading that the vulnerability disclosures prompted serious questions from Ivanti’s customers.

“Based on conversations I’m having, especially with Fortune 500 clients, I honestly think it’s a bit of too little, too late,” he reportedly said.

“The time to publicly make this commitment was more than a month ago,” Williams stated.

“There is no question that the issues with the Ivanti VPN appliance [formerly Pulse] are making CISOs question the security of Ivanti’s many other products,” he noted.

