Ivanti plugs exploited security vulnerabilities and more
Ivanti updates several software packages. These include CSA, which is already under attack, and Connect Secure with critical vulnerabilities.
(Image: created with AI in Bing Image Creator by heise online / dmk)
Ivanti again warns of vulnerabilities in the Cloud Services Appliance (CSA). Criminals are using an older vulnerability in combination with new vulnerabilities to compromise CSA systems. Ivanti is also closing vulnerabilities in several other products, some of which are classified as critical risks.
A blog post from Ivanti summarizes the October updates. According to this, malicious actors are attacking vulnerabilities in Ivanti's CSA 4.6, which received its last security updates in September and has reached end-of-life. These are a command injection vulnerability (CVE-2024-9380, CVSS 7.2, risk "high"), a path traversal vulnerability (CVE-2024-9381, CVSS 7.2, high) and finally an SQL injection vulnerability (CVE-2024-9379, CVSS 6.5, medium), which is being used by criminals in combination with the old vulnerability CVE-2024-8963 (risk "critical") for the attacks.
Ivanti: Install updates quickly
Although the vulnerabilities can be found in CSA version 5.0.1, attacks have so far only been observed on CSA version 4.6, which is no longer supported. According to the security release, CSA 5.0.2 closes the gaps.
A critical vulnerability can be found in the VPN and network access control software Ivanti Connect Secure and Policy Secure. Logged-in users can remotely inject and execute code (CVE-2024-37404, CVSS 9.1, critical). The versions Ivanti Policy Secure 22.7R1.1 and Ivanti Connect Secure 9.1R18.9 (released on October 15), 22.7R2.1 and 22.7R2.2 iron out the bugs.
In Ivanti Endpoint Manager Mobile (EPMM), authenticated attackers can access and modify configuration files (CVE-2024-7612, CVSS 8.8, high). Ivanti Avalanche 6.4.5 closes several vulnerabilities with a high risk rating that allow attackers to bypass authentication, perform denial-of-service attacks and gain unauthorized access to information. Malicious actors can also escalate privileges in Ivanti's Velocity License Server (CVE-2024-9167, CVSS 7.0, high). The affected and corrected versions are listed in more detail in the security bulletins.
As the security vulnerabilities can have serious consequences and some are already under attack, IT managers should take immediate action and update the software. Unfortunately, Ivanti does not describe how successful attacks can be detected and countermeasures taken.
In recent weeks, Ivanti has had to patch several vulnerabilities, particularly in the Cloud Services Appliance. After attacks on the CVE-2024-8190 vulnerability, which required admin rights as a hurdle, had already been underway since mid-September, the critical vulnerability CVE-2024-8963 was added the following week. This allows attacks from the network without authentication – which promptly took place.
(dmk)