IT management solutions provider Ivanti confirmed that a high-severity flaw patched this week in an older version of its Cloud Service Appliance (CSA) has been exploited in attacks. The vulnerability was fixed as part of the company’s September security update, which also included patches for critical and high-severity flaws in other products.
“Following public disclosure, Ivanti has confirmed exploitation of this vulnerability in the wild,” the company wrote in its updated advisory. “At the time of this update, we are aware of a limited number of customers who have been exploited.”
The US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability, tracked as CVE-2024-8190, to its Known Exploited Vulnerabilities (KEV) catalog and noted that this type of flaw is a frequent attack vector for malicious cyber actors.
In January, after a series of attacks that exploited zero-day vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure, CISA took the unusual step of ordering all federal agencies to disconnect the impacted Ivanti products from their networks. After that incident Ivanti became one of the first vendors to sign CISA’s Secure by Design pledge and launched a review and overhaul of its security engineering and vulnerability management practices.
In February, attackers targeted an Ivanti XXE vulnerability in specific versions of Ivanti Connect Secure, Ivanti Policy Secure, and ZTA gateways days after it was patched. Later, security agencies from several nations warned that attackers were able to deceive the integrity checking tools Ivanti had provided in response to those zero-days. In April, in the wake of these issues, Ivanti announced plans to revamp its core engineering and security operations to better defend against frequent and evolving adversary activity.
Impacted CSA users urged to upgrade to version 5.0
The CVE-2024-8190 vulnerability patched on Sept. 10 is a command injection vulnerability that allows attackers to achieve arbitrary code execution on the underlying OS. The vulnerability requires administrative privileges to exploit, which means the attackers must either have obtained such credentials in some other way or brute-forced them because they were too weak. Because of this, the flaw is only rated high severity instead of critical, with a score of 7.2 out of 10 on the CVSS scale.
Another important aspect is that the vulnerability affects only CSA version 4.6, which reached end-of-life in August. The company released Patch 519 for version 4.6 to address this flaw but warns that this is the last security fix that will be backported to this CSA version and advises customers to upgrade to CSA 5.0 for continued support.
Critical flaws in Ivanti Endpoint Manager
The company’s September security update also included patches for 16 vulnerabilities in Ivanti Endpoint Manager, of which 10 are rated critical, two high, and four medium. The critical vulnerabilities allow for remote code execution but nine of them require authentication to exploit.
One vulnerability stands out — CVE-2024-29847 — because it allows unauthenticated remote code execution. This flaw is rated with the maximum score of 10 on the CVSS scale and stems from deserialization of untrusted data.
On Friday, researchers from security firm Horizon3.ai posted a detailed technical analysis of CVE-2024-29847 along with a proof-of-concept exploit. The researchers note that in their lab setting they had to open up a port for the AgentPortal service in the Windows firewall for the exploit to work. However, when they examined a few live installations of EPM in the field the researchers found they already had this port exposed for some reason.
Ivanti said they are not aware of any in-the-wild exploits for the patched EPM vulnerabilities, but since technical details and a PoC are now available for CVE-2024-29847, organizations should prioritize patching it.
Six high-severity vulnerabilities have also been fixed in Ivanti Workspace Control (IWC). The company advises customers to upgrade to IWC version 10.18.99.0, but this version uses a new product architecture that requires a new component called Shield API to be deployed.