New Ivanti CSA Zero-Day Vulnerabilities Actively Exploited; Critical RCE Found in Connect Secure and Policy Secure

Urgent Security Alert: Ivanti Discovers Zero-Day Vulnerabilities in Cloud Service Appliance

Ivanti, a provider of IT asset management and security products, has issued an urgent advisory for three newly discovered zero-day vulnerabilities in its Cloud Service Appliance (CSA). The flaws, tracked as CVE-2024-9379, CVE-2024-9380 and CVE-2024-9381, are under active exploitation, which makes the advisory a priority for every organization running the affected appliance.

What Happened?

In September 2024, Ivanti released patches for a critical Remote Code Execution (RCE) vulnerability, CVE-2024-8190, in the CSA. Shortly after this patch was deployed, it became evident that threat actors were exploiting this vulnerability in conjunction with another identified flaw, CVE-2024-8963, to bypass authentication and execute remote code. This alarming trend has continued, with the company now reporting that the newly discovered vulnerabilities are being chained with CVE-2024-8963 to target a limited number of customers.

Ivanti’s advisory states that two of the new vulnerabilities (CVE-2024-9379 and CVE-2024-9380) have each been observed in exploit chains, but it offers no evidence that all three new flaws were exploited together. The pattern is deliberate rather than opportunistic: attackers pair an already-known flaw with whichever new one suits the target in order to maximize their impact.

Details of New Ivanti CSA Zero-Day Vulnerabilities

The newly discovered vulnerabilities in Ivanti CSA were identified during investigations into previous exploits. Here’s a breakdown of each vulnerability:

CVE-2024-9379 (CVSS: 6.5)

This vulnerability is an SQL injection flaw located in the admin web console of Ivanti CSA. It allows authenticated attackers with admin privileges to execute arbitrary SQL commands, potentially compromising the integrity of the database.

CVE-2024-9380 (CVSS: 7.2)

CVE-2024-9380 is an OS command injection vulnerability that lets authenticated attackers execute code remotely on a vulnerable appliance. On its own the flaw requires admin privileges; it becomes particularly dangerous when chained with an authentication bypass such as CVE-2024-8963, which is the combination Ivanti reports seeing in the wild.

CVE-2024-9381 (CVSS: 7.2)

The third vulnerability, CVE-2024-9381, is a path traversal flaw that allows remote attackers with admin privileges to bypass security restrictions. This could lead to unauthorized access to sensitive files and data.
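The three CVEs above are instances of three classic weakness classes. The following block is an illustrative example added to this article, not Ivanti CSA code, and it makes no claim about how the CSA admin console is implemented; the SQLite table, host names and the base directory are constructed for the example. Each function shows the defensive pattern that closes one class of bug (a bound SQL parameter, an allow-listed argv with no shell, and canonicalize-then-check containment for paths), using only the Python standard library.

```python
"""Hardened patterns for the three weakness classes in the CSA advisory.

Illustrative code added to this article. It is not Ivanti CSA code and does not
describe how the CSA admin console is built; the table, host names and paths are
constructed for the example. Each function shows the defensive pattern that
closes one class of bug, using only the Python standard library.
"""
from __future__ import annotations

import re
import sqlite3
from pathlib import Path

# --- CVE-2024-9379 class: SQL injection ---------------------------------------
# Vulnerable shape (never do this): "SELECT ... WHERE name = '" + name + "'"
# Hardened shape: a bound parameter, so the input can never become SQL syntax.

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a console's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn

def lookup_user(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Classic injection input such as "x' OR '1'='1" is matched literally
    and returns no rows, because the driver sends it as a value, not as SQL."""
    cur = conn.execute("SELECT id, name FROM users WHERE name = ?", (name,))
    return cur.fetchall()

# --- CVE-2024-9380 class: OS command injection --------------------------------
# Vulnerable shape: subprocess.run("ping -c 1 " + host, shell=True)
# Hardened shape: allow-list the value and pass an argv list with no shell,
# e.g. subprocess.run(build_ping_argv(host), capture_output=True).

_HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")

def is_safe_host(host: str) -> bool:
    """True only for plain hostnames; ';', '|', '$(', quotes and spaces all fail."""
    return _HOSTNAME_RE.fullmatch(host) is not None

def build_ping_argv(host: str) -> list[str]:
    """Return an argv list for a validated host, or raise ValueError."""
    if not is_safe_host(host):
        raise ValueError(f"rejected host argument: {host!r}")
    # Each element is a separate execve() argument; no shell parses the string.
    return ["ping", "-c", "1", host]

# --- CVE-2024-9381 class: path traversal --------------------------------------
# Vulnerable shape: open(str(base_dir) + "/" + user_path)
# Hardened shape: canonicalise, then prove the result is still under the base.

DEMO_BASE = Path("/srv/csa-demo")  # constructed base directory; need not exist

def safe_resolve(base_dir: Path, user_path: str) -> Path:
    """Return the canonical path for user_path under base_dir, or raise
    ValueError when '..' segments, symlinks or an absolute path would escape.
    Path joining discards base_dir when user_path is absolute, which is
    exactly why the containment check below is required."""
    base = base_dir.resolve()
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate

def is_within_base(user_path: str) -> bool:
    """Convenience wrapper over safe_resolve for the constructed base."""
    try:
        safe_resolve(DEMO_BASE, user_path)
        return True
    except ValueError:
        return False
```

The common thread is that each hardened form keeps attacker-controlled data as data: the SQL driver binds it, the kernel receives it as one argv element, and the filesystem check happens on the canonical path rather than on the string the user supplied.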

While these vulnerabilities were discovered in CSA version 4.6, Ivanti confirmed their presence in version 5.0 as well, although there have been no reported exploitation attempts in the latter. The company has indicated that exploitation attempts have primarily targeted customers using CSA 4.6 patch 518 or earlier.

Which Ivanti CSA Versions Are Affected?

Ivanti has confirmed that the vulnerabilities affect CSA versions 5.0.1 and earlier, with a particular emphasis on version 4.6 patch 518 and below. Attackers appear to be chaining CVE-2024-8963 with either CVE-2024-9379 or CVE-2024-9380 in their attacks, rather than exploiting all vulnerabilities simultaneously. Notably, there is currently no evidence of exploitation in environments running CSA 5.0.

Immediate Action Required: Update to Version 5.0.2

In light of these vulnerabilities, Ivanti is urging all users to update their Cloud Service Appliance to version 5.0.2 immediately. This update is critical to protect against the identified vulnerabilities and mitigate the risks associated with potential exploitation. Users are also advised to monitor their systems for signs of compromise, such as unauthorized administrative accounts, and to utilize Endpoint Detection and Response (EDR) tools for enhanced security.
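A fleet-level first pass at the advice above can be scripted. The block below is an added example, not an Ivanti tool: it encodes the version facts stated in this article (5.0.1 and earlier affected, 5.0.2 fixed, exploitation centred on 4.6 patch 518 and earlier) and flags administrative accounts missing from an approved baseline, one of the compromise indicators Ivanti calls out. The inventory records, the version-string format and the account names are constructed for the example; exporting them from a real appliance is outside its scope.

```python
"""Fleet triage helper added to this article (not an Ivanti tool).

It applies two facts from the advisory: CSA versions up to 5.0.1 are affected
and 5.0.2 is the fixed release, and observed exploitation has centred on
4.6 patch 518 and earlier. It also flags admin accounts that are not on an
approved baseline. The inventory records, version-string format and account
names are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FIXED_VERSION = (5, 0, 2)     # release Ivanti asks customers to move to
EXPLOITED_46_PATCH = 518      # 4.6 patch 518 or earlier: where exploitation was seen

@dataclass
class Appliance:
    hostname: str
    version: str        # constructed formats: "5.0.1" or "4.6 patch 518"
    admins: list[str]   # administrative accounts currently defined

def parse_version(text: str) -> tuple[int, int, int]:
    """Map '4.6 patch 518' -> (4, 6, 518) and '5.0.1' -> (5, 0, 1).
    Assumption: a 4.6 patch level and a 5.0 point release both occupy the
    third slot, so tuples compare in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+)| patch (\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    third = m.group(3) or m.group(4) or "0"
    return (int(m.group(1)), int(m.group(2)), int(third))

def classify(appliance: Appliance, approved_admins: set[str]) -> dict:
    """Per-appliance verdict: patch status, exploited band, unexpected admins."""
    ver = parse_version(appliance.version)
    return {
        "needs_update": ver < FIXED_VERSION,
        "exploited_band": ver[:2] == (4, 6) and ver[2] <= EXPLOITED_46_PATCH,
        "unexpected_admins": sorted(set(appliance.admins) - approved_admins),
    }

def triage(fleet: list[Appliance], approved_admins: set[str]) -> dict[str, dict]:
    """Return a per-host report. A host in the exploited band or with unexpected
    admins should be handled as potentially compromised, not merely unpatched."""
    return {a.hostname: classify(a, approved_admins) for a in fleet}

# Constructed sample fleet for a stand-alone run
SAMPLE_FLEET = [
    Appliance("csa-01", "4.6 patch 518", ["admin", "svc_backup"]),
    Appliance("csa-02", "5.0.1", ["admin"]),
    Appliance("csa-03", "5.0.2", ["admin"]),
]
APPROVED_ADMINS = {"admin"}

if __name__ == "__main__":
    for host, report in triage(SAMPLE_FLEET, APPROVED_ADMINS).items():
        print(host, report)
```

The report deliberately separates "needs update" from "exploited band": an appliance on 5.0.1 still needs the 5.0.2 release, but a 4.6 host with an account nobody recognises is an incident-response question before it is a patching question.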

For detailed guidance, users can refer to Ivanti’s official security advisory here.

Additional Security Concerns: Critical RCE Vulnerability in Connect Secure and Policy Secure

In addition to the CSA vulnerabilities, Ivanti has also patched a critical Remote Code Execution vulnerability, CVE-2024-37404, affecting its Connect Secure and Policy Secure products. With a CVSS score of 9.1, this flaw poses a serious risk to users. The affected versions include all versions of Ivanti Connect Secure prior to 22.7R2.1 and Ivanti Policy Secure prior to 22.7R1.1.

Details and Proof of Concept for CVE-2024-37404

CVE-2024-37404 allows attackers with admin access to execute arbitrary code on vulnerable systems. The vulnerability arises from improper input validation in the admin portal during the Certificate Signing Request (CSR) process. Researchers have detailed a Proof-of-Concept (PoC) exploit that demonstrates how attackers can manipulate the OpenSSL configuration file, leading to full system compromise.
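The general hardening pattern for this class of bug is shown below as an added example. It is not Ivanti's fix and makes no claim about the Connect Secure admin portal's code; the field names, length limits and sample subject values are constructed. The point it illustrates is that values an administrator types into a CSR form must be validated before they reach OpenSSL, and are safest passed as a single argv element (the string for `-subj`) rather than written into a configuration file, where a line break or a `[section]` header would be parsed as configuration instead of data.

```python
"""CSR subject hardening, added to this article as a general pattern.

Not Ivanti's fix; it makes no claim about the Connect Secure admin portal.
Field names, limits and sample values are constructed for the example.
"""
from __future__ import annotations

import re

# Subject attribute types accepted on the form, with a length cap each
# (constructed allow-list; a real deployment sets its own).
ALLOWED_FIELDS = {"C": 2, "ST": 128, "L": 128, "O": 64, "OU": 64, "CN": 64}

# Printable ASCII minus characters that carry meaning in OpenSSL config syntax
# or in -subj strings: '[', ']', '$', '#', '=', '/', '\\', '"', "'" are absent,
# and so are newlines and other control characters.
_VALUE_RE = re.compile(r"[A-Za-z0-9 .,:;()*@&+!?_-]+")

def validate_field(name: str, value: str) -> str:
    """Return value unchanged if acceptable, else raise ValueError."""
    if name not in ALLOWED_FIELDS:
        raise ValueError(f"unknown subject field {name!r}")
    if len(value) > ALLOWED_FIELDS[name]:
        raise ValueError(f"{name} exceeds {ALLOWED_FIELDS[name]} characters")
    # fullmatch rejects embedded newlines, so a value can never open a new
    # config section or directive even if it were templated into a file.
    if not _VALUE_RE.fullmatch(value):
        raise ValueError(f"{name} contains a disallowed character")
    return value

def build_subj_arg(subject: dict[str, str]) -> str:
    """Build the string for 'openssl req -subj ...' from validated fields.
    Hand it to subprocess as one argv element; never pass it through a shell
    and never write the values into an openssl.cnf by string substitution."""
    parts = [f"/{name}={validate_field(name, value)}"
             for name, value in subject.items()]
    return "".join(parts)

def is_valid_subject(subject: dict[str, str]) -> bool:
    """Boolean wrapper so callers can reject a form without catching exceptions."""
    try:
        build_subj_arg(subject)
        return True
    except ValueError:
        return False
```

Rejecting rather than escaping is the conservative choice here: certificate subjects rarely need characters outside the allow-list, and a reject-by-default rule fails safely when a future OpenSSL syntax feature adds meaning to a character the escaping code never anticipated.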

Mitigation Strategies

While Ivanti has stated that there is no known exploitation of CVE-2024-37404 at the time of disclosure, it is imperative for users to apply the updates immediately. For those unable to update right away, Ivanti recommends restricting admin access to the management interface and strengthening access controls with strong passwords and Multi-Factor Authentication (MFA).

For more information on CVE-2024-37404 and update guidance, refer to Ivanti’s advisory here.

Conclusion

The recent discoveries of zero-day vulnerabilities in Ivanti’s Cloud Service Appliance and the critical RCE flaw in Connect Secure and Policy Secure products underscore the urgent need for organizations to prioritize cybersecurity. With attackers continuously evolving their tactics, staying informed about the latest vulnerabilities and implementing timely updates is crucial to safeguarding sensitive data and maintaining operational integrity.

For organizations looking to enhance their security posture, SOCRadar offers real-time alerts and detailed analysis on vulnerabilities, helping to prioritize patches and mitigate risks effectively. By leveraging SOCRadar’s Vulnerability Intelligence and Attack Surface Management modules, organizations can gain valuable insights into their security landscape and proactively address potential threats.

In today’s fast-paced threat environment, vigilance and prompt action are key to staying one step ahead of cyber adversaries.
