Ivanti Cloud Service Appliance Vulnerability Exploited in the Wild in September 2024 


Utah-based IT software firm Ivanti Cloud, established in January 2017 through the merger of HEAT Software and LANDESK, has garnered heightened attention due to a number of notable security breaches linked to the VPN hardware it provides. This month, Ivanti Cloud has once again captured media attention. 

September 10, 2024 Update: Ivanti Cloud Addresses Critical Vulnerabilities in Endpoint Manager 

According to the September 2024 security update published on its website on September 10, Ivanti Cloud has enhanced its internal scanning, manual exploitation, and testing capabilities in recent months, while also refining its responsible disclosure process to ensure that potential issues are identified and resolved promptly.

This has led to an increase in both discovery and disclosure, and the company concurs with CISA’s assertion that the responsible identification and reporting of CVEs reflects a robust code analysis and testing community. Ivanti is committing significant resources to Secure by Design throughout its organization and officially endorsed the CISA Secure by Design pledge in May.

Patches have been issued for Endpoint Manager versions 2024 and 2022 SU5, addressing a total of 16 vulnerabilities, including ten classified as critical severity, which could enable attackers to execute arbitrary code remotely. The most severe of these is CVE-2024-29847, which has a CVSS score of 10.

CVE-2024-29847 is a deserialization of untrusted data flaw that can be exploited without authentication to achieve remote code execution (RCE). The other nine critical RCE vulnerabilities are SQL injection flaws that can be exploited by an attacker who is logged in with administrative privileges.

These vulnerabilities were remedied with the release of the September update for Endpoint Manager 2024 and 2022 SU6, which also addressed two high-severity and four medium-severity issues. On September 10, Ivanti Cloud announced the release of patches for a high-severity vulnerability in the Cloud Service Appliance. This vulnerability, tracked as CVE-2024-8190, is described as an OS command injection flaw that could permit an authenticated attacker with administrative privileges to achieve RCE.

The software vendor has resolved this issue with Cloud Services Appliance 4.6 patch 519, indicating that version 4.6 of the appliance has reached its end of life and that this will be the final fix provided for it. Customers are encouraged to upgrade to Cloud Services Appliance 5.0, the currently supported version, which does not contain this vulnerability. 

September 13, 2024 Update: The First Exploitation  

The exploitation of the Ivanti Cloud Service Appliance (CSA) vulnerability, identified as CVE-2024-8190, began in the wild merely days following the vendor’s announcement regarding the release of patches! 

Ivanti Cloud issued an updated advisory on Friday, September 13, alerting customers to the commencement of exploitation related to CVE-2024-8190.  

“Following the public disclosure, Ivanti Cloud has verified that this vulnerability is being actively exploited in the wild,” the company stated. “As of this update, we are aware of a limited number of customers who have experienced exploitation.” The Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2024-8190 in its Known Exploited Vulnerabilities (KEV) catalog.

Currently, there appears to be no publicly available information regarding the specific nature of the attacks leveraging this CSA vulnerability. However, given that the exploitation of CVE-2024-8190 necessitates administrative privileges, it is probable that this security weakness is being exploited in conjunction with another vulnerability or against inadequately secured devices. 

September 19, 2024 Update: The Second Exploitation 

On September 19, Ivanti released a new advisory to notify customers about a recently identified vulnerability, designated as CVE-2024-8963, which was inadvertently addressed in the patches issued on September 10. This vulnerability has reportedly been exploited in various attacks. 

Ivanti stated, “If CVE-2024-8963 is utilized in conjunction with CVE-2024-8190, an attacker can circumvent admin authentication and execute arbitrary commands on the appliance.” The company acknowledged that a limited number of customers have fallen victim to this vulnerability.

Furthermore, when Ivanti Cloud disclosed the exploitation of CVE-2024-8190 in the wild, it indicated that this flaw is likely being exploited in combination with another vulnerability, as its exploitation necessitates admin privileges. 

September 25, 2024 Update: The Third Exploitation 

A vulnerability in Ivanti’s Virtual Traffic Manager application delivery controller is currently being exploited in real-world scenarios. This marks the third security issue for which Ivanti Cloud customers have been alerted in the last two weeks.

The most recent vulnerability identified is CVE-2024-7593, a critical flaw in the Virtual Traffic Manager (vTM) that permits a remote, unauthenticated attacker to establish an administrator account through an authentication bypass.  

On August 12, Ivanti released patches for CVE-2024-7593 and subsequently updated its advisory to inform customers that, although there had been no known exploitation in the wild, a proof-of-concept (PoC) exploit had been published.  

While there are currently no public reports detailing attacks utilizing CVE-2024-7593, the Cybersecurity and Infrastructure Security Agency (CISA) included this vulnerability in its Known Exploited Vulnerabilities (KEV) Catalog on Tuesday. Ivanti Cloud has not only provided fixes but also offered guidance on mitigating exploitability and shared indicators of compromise (IoCs).

However, the advisory has not yet been revised to reflect that malicious exploitation is taking place. Censys has identified 97 instances of Ivanti vTM exposed to the internet, while ZoomEye has reported 164 such instances this year, predominantly located in the United States and Japan.

CVE-2024-7593 was added to CISA’s KEV list shortly after CVE-2024-8963 and CVE-2024-8190, which affect Ivanti’s Cloud Services Appliance (CSA) and have been linked to unauthenticated remote code execution.

It is not unusual for threat actors to take advantage of vulnerabilities in Ivanti products. Currently, CISA’s KEV list includes 20 entries related to Ivanti Cloud vulnerabilities, some of which have been exploited to deploy backdoors, while others have been used to target prominent organizations such as MITRE and CISA.


Hoplon Infosec