Ivanti: Three CSA Zero-Days Are Being Exploited in Attacks


Customers of Ivanti’s Cloud Services Appliance (CSA) have been urged to update their product immediately after the vendor released details of three zero-day vulnerabilities that are being exploited in the wild.

The security vendor claimed to have observed “limited exploitation” of CVE-2024-9379, CVE-2024-9380 and CVE-2024-9381 when chained individually with CVE-2024-8963 – another zero-day in CSA published in September.

This could lead to unauthenticated remote code execution (RCE) when the customer is running CSA 4.6, Ivanti said.

“Please note, CSA 4.6 is end-of-life and the last security fix for this version was released on September 10. Additionally, it is important for customers to know that we have not observed exploitation of these vulnerabilities in any version of CSA 5.0,” it continued.

“It is important for customers to know, CVE-2024-8963 was incidentally addressed in previous versions of CSA 5.0 with the removal of unnecessary code. The vulnerabilities disclosed below were discovered during our investigation into the exploitation of CVE-2024-8963 and CVE-2024-8190 in CSA 4.6 and found to be present, although not exploited, in CSA 5.0.”

Read more on Ivanti zero-day flaws: Ivanti Releases Zero-Day Patches and Reveals Two New Bugs

When exploited individually, the three new zero-day vulnerabilities published yesterday could enable an attacker with admin privileges to bypass restrictions, run arbitrary SQL statements or achieve RCE, Ivanti said.

CVE-2024-9379 is a medium-severity SQL injection flaw in the admin web console of Ivanti CSA affecting versions prior to 5.0.2, which allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

CVE-2024-9380 is a high-severity OS command injection vulnerability, also present in the admin web console of CSA in versions prior to 5.0.2, which allows a remote authenticated attacker with admin privileges to achieve RCE.

CVE-2024-9381 is a high-severity path traversal flaw in CSA impacting the same versions, which allows a remote authenticated attacker with admin privileges to bypass restrictions.

Customers running CSA 5.0.1 and earlier versions are urged to upgrade to 5.0.2.

Ivanti has become a popular target for attack over the past year, after a spate of zero-day vulnerability disclosures linked to state-sponsored attacks. The firm is currently working through a secure-by-design initiative intended to bolster product security and accelerate patching.

Yesterday it also announced fixes for CVEs in Ivanti Endpoint Manager Mobile (EPMM), Ivanti Velocity License Server, Ivanti Connect Secure and Policy Secure, and Ivanti Avalanche.



Source link