Ivanti patches numerous products
Ivanti has released updates for several products. The software patches close security gaps, some of which are critical.
(Image: Created with AI in Bing Designer by heise online / dmk)
Ivanti has released security updates for several products. Some of the vulnerabilities that have been closed pose a critical risk. Admins should therefore apply the available updates quickly.
Ivanti's Cloud Services Application (CSA) is hit the hardest. Attackers on the network can bypass authentication on the admin web console without prior login and thus gain administrative access (CVE-2024-11639, CVSS 10.0, risk "critical"). Logged-in users on the network can also inject arbitrary code via a command injection vulnerability (CVE-2024-11772, CVSS 9.1, critical) or execute arbitrary SQL commands via an SQL injection vulnerability (CVE-2024-11773, CVSS 9.1, critical). Ivanti CSA 5.0.3 corrects these errors.
Further critical vulnerabilities in Ivanti software
There are also critical security gaps in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS). Logged-in users on the network can inject arguments into ICS and subsequently execute arbitrary code (CVE-2024-11633, CVSS 9.1, critical), or achieve the same via a command injection vulnerability (CVE-2024-11634, CVSS 9.1, critical). The updates to ICS 22.7R2.4 and IPS 22.7R1.2 close these and three other vulnerabilities classified as high-risk. Some of the 9.1Rx version branches are also affected by the vulnerabilities, but Ivanti is not providing any patches for these, as their support expires on December 31.
A vulnerability in Ivanti Sentry only narrowly misses the risk classification "critical". Due to insecure rights assignment, local authenticated users can modify "sensitive app components" (CVE-2024-8540, CVSS 8.8, high). Versions 10.1.0, 10.0.2 and 9.20.2 fix the security-relevant bugs. Furthermore, Ivanti Desktop and Server Management (DSM) 2024.3.5740 fixes a vulnerability that allows attackers to delete arbitrary files (CVE-2024-7572, CVSS 7.1, high). A similar vulnerability in the Ivanti Patch SDK (CVE-2024-10256, CVSS 7.1, high) is patched in the versions
- Ivanti Endpoint Manager (EPM) 2024 November Update and 2022 SU6 November Security Update,
- Ivanti Security Controls (iSec) 2024.4 (9.6.9375.0),
- Ivanti Patch for Configuration Manager 2024.4 (2.5.1129.0),
- Ivanti Neurons for Patch Management 2024.4 (1.1.67.0) and finally
- Ivanti Neurons Agent Platform 2024.4 (9.6.839)
or newer versions in each case.
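To turn the fixed versions listed above into a patch-compliance check, here is an added example (not from the article or from Ivanti) that compares an installed version against the first fixed release of its branch; the inventory is constructed, and the branch rule (first two numeric components) is an assumption chosen to mirror the 9.1Rx case, where no patch exists and the branch itself must be upgraded.

```python
import re
from typing import NamedTuple

class Verdict(NamedTuple):
    status: str    # "patched", "vulnerable" or "unsupported-branch"
    required: str  # first fixed version for the installed branch, "" if none

# Fixed versions as stated in the advisories summarised above, keyed by product.
# Sentry ships fixes for three release branches; ICS 9.1Rx gets none.
FIXED_VERSIONS = {
    "Ivanti CSA": ["5.0.3"],
    "Ivanti Connect Secure": ["22.7R2.4"],
    "Ivanti Policy Secure": ["22.7R1.2"],
    "Ivanti Sentry": ["10.1.0", "10.0.2", "9.20.2"],
    "Ivanti DSM": ["2024.3.5740"],
}

def version_key(version: str) -> tuple:
    """Map Ivanti's version formats ('22.7R2.4', '2024.3.5740') to an
    integer tuple so that releases compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def branch(version: str) -> tuple:
    """Assumed branch rule: the first two numeric components (22.7, 10.0, 9.1)."""
    return version_key(version)[:2]

def assess(product: str, installed: str) -> Verdict:
    """Compare an installed version with the fixed release of the same branch."""
    for fixed in FIXED_VERSIONS[product]:
        if branch(fixed) == branch(installed):
            if version_key(installed) >= version_key(fixed):
                return Verdict("patched", fixed)
            return Verdict("vulnerable", fixed)
    # No fixed release for this branch (e.g. ICS 9.1Rx, out of support):
    # the host needs a branch upgrade, not a patch.
    return Verdict("unsupported-branch", "")

# Constructed sample inventory: (hostname, product, installed version).
SAMPLE_INVENTORY = [
    ("csa-01", "Ivanti CSA", "5.0.2"),
    ("ics-edge", "Ivanti Connect Secure", "22.7R2.3"),
    ("ics-old", "Ivanti Connect Secure", "9.1R18"),
    ("sentry-a", "Ivanti Sentry", "10.0.2"),
    ("sentry-b", "Ivanti Sentry", "9.20.1"),
    ("dsm-01", "Ivanti DSM", "2024.3.5740"),
]

def report(inventory=SAMPLE_INVENTORY) -> list:
    """One (host, status, required) row per inventory entry."""
    return [(host, *assess(product, ver)) for host, product, ver in inventory]
```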
In all of the advisories, Ivanti writes that, according to current knowledge, the gaps have not yet been exploited in the wild. The individual, newly published security advisories from Ivanti:
- Security Advisory Ivanti Cloud Services Application (CSA), max. CVSS 10.0, critical
- December 2024 Security Advisory Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS), max. CVSS 9.1, critical
- Security Advisory Ivanti Sentry, CVSS 8.8, high
- Security Advisory Ivanti Desktop and Server Management (DSM), CVSS 7.1, high
- Security Advisory Ivanti Patch SDK, CVSS 7.1, high
(dmk)