Patch now! Attacks on Ivanti Cloud Services Appliance intensify

Attackers are currently combining two vulnerabilities to execute malicious code on Ivanti Cloud Services Appliances.

If administrators manage the Internet access of devices via Ivanti's Cloud Services Appliance (CSA), they should quickly install the available security update due to ongoing attacks.

Attacks on CSA have been ongoing since last week (CVE-2024-8190, "high"). However, attackers must already be administrators in order to push malicious code onto systems and execute it. This is a not insignificant hurdle.

In the meantime, Ivanti has published an article warning of another vulnerability (CVE-2024-8963, "critical"), which attackers can successfully exploit to bypass admin authentication. If malicious actors combine both vulnerabilities, this significantly simplifies attacks. As a result, remote attacks are now possible without authentication.

Ivanti again refers to attacks on a "limited" number of customers. The company is not currently specifying how many customers are affected or how the attacks are carried out in detail.

To protect appliances against attacks, admins must install the patched CSA version 4.6 patch 519 or CSA 5.0. The developers point out that support for CSA 4.6 has expired and this is the last security update for this version. Admins should therefore upgrade to the 5 release as soon as possible.

In order to detect attacks that have already occurred, admins must keep an eye out for newly added or modified admin accounts. Further information can be found in the local broker log. They should also keep an eye out for alerts from endpoint detection and response (EDR) solutions.

Ivanti vows to do better in the future and wants to optimize internal processes, among other things, to increase the security of its own products.

(des)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.