Ivanti patcht Endpoint Manager, Avalanche, VPN- und NAC-Software
Ivanti is patching numerous security vulnerabilities in various products, some of which are critical. IT managers should take action.
(Image: Bild erstellt mit KI in Bing Image Creator durch heise online / dmk)
Ivanti has released security updates for several products, some of which close critical security vulnerabilities. Administrators should act quickly and apply the updates.
The most serious are the security vulnerabilities in Ivanti 's VPN and NAC software , which the developers describe in a security release. They affect Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC). A registered attacker from the network with admin access can smuggle arguments into requests and thus inject and execute malicious code (CVE-2024-38655, CVE-2024-38656, CVE-2024-39710, CVE-2024-39711, CVE-2024-39712; all CVSS 9.1, risk"critical"). They can also do this with commands smuggled into requests (CVE-2024-11007, CVE-2024-11006, CVE-2024-11005; all CVSS 9.1, critical). The products are affected by numerous other vulnerabilities classified as high risk.
Code-smuggling vulnerabilities also in Ivanti Endpoint Manager
Another security bulletin from Ivanti lists gaps in the Endpoint Manager. Attackers from the network can abuse an SQL injection vulnerability to inject malicious code without prior authentication (CVE-2024-50330, CVSS 9.8, critical). In addition, malicious actors from the network can attack a path traversal vulnerability without prior login, which also leads to the execution of code from the network. However, this requires user interaction, which pushes the risk rating just below critical (CVE-2024-50329, CVSS 8.8, high). The updated versions also close numerous other security vulnerabilities classified as high-risk.
Videos by heise
For the mobile device management software (MDM) Avalanche, Ivanti lists five vulnerabilities with a risk rating of high. If attackers successfully exploit the vulnerabilities, they can paralyze the service for legitimate users (denial of service) or gain unauthorized access to sensitive information. Ivanti Avalanche version 6.4.6 or newer, which is available in the download portal under the Wavelink domain, solves the problem.
Ivanti fixes the security-related bugs in the other products with the versions Ivanti Connect Secure (ICS) 22.7R2.3, Ivanti Policy Secure (IPS) 22.7R1.2 and Ivanti Secure Access Client (ISAC) 22.7R4. These are available for download from the Ivanti portal. The updated Endpoint Manager versions are available for download as patches, firstly the 2024 November Security Update and then the 2022 SU6 November Security Update.
At the beginning of October, Ivanti patched security leaks in the Cloud Service Appliance (CSA) that had already been attacked in the wild. There were also critical gaps in the VPN software Connect Secure. The provider's software is part of many cybercriminals' toolboxes. IT managers with Ivanti software should therefore quickly update it to the latest version to minimize the attack surface.
(dmk)
