Less than two weeks after addressing one vulnerability, Ivanti has revealed that a critical Cloud Services Appliance (CSA) flaw is currently being exploited in the wild as of Sept. 19.
The vulnerability (CVE-2024-8963, CVSS 9.4) is a path traversal issue in Ivanti CSA that enables remote, unauthenticated attackers to access restricted functionalities. Attackers have linked it to a previously disclosed flaw, CVE-2024-8190, a high-severity OS command injection vulnerability that can grant unauthorized access to devices. This chain can be exploited for remote code execution (RCE) if the attacker possesses admin-level privileges.
“When combined with CVE-2024-8190, an attacker can bypass admin authentication and execute arbitrary commands on the appliance,” the enterprise stated.
This revelation is part of a series of security challenges Ivanti has encountered since 2023.
Not First & Likely Not the Last
Throughout this year, Ivanti has been plagued by multiple vulnerabilities. In February, the Cybersecurity and Infrastructure Security Agency (CISA) instructed Ivanti VPN appliances to be disconnected, rebuilt, and reconfigured within 48 hours due to concerns over threat actors exploiting security flaws in the systems.
In April, foreign nation-state hackers targeted vulnerable Ivanti gateway devices and launched an attack on MITRE, ending its 15-year streak of incident-free operations. MITRE was not alone in this breach, as thousands of Ivanti VPN instances were compromised due to two unpatched zero-day vulnerabilities.
By August, Ivanti’s Virtual Traffic Manager (vTM) contained a critical vulnerability that could have resulted in authentication bypass and the creation of an administrator account without the necessary patch provided by the enterprise.
Greg Fitzgerald, co-founder of Sevco Security, highlighted that these known yet unpatched vulnerabilities have become prime targets for attackers due to their ease of exploitation and the unawareness of organizations running devices with end-of-life systems in their networks.
Protection in an Ongoing Storm
To combat this threat, Ivanti recommends upgrading Ivanti CSA 4.6 to CSA 5.0 or updating CSA 4.6 Patch 518 to Patch 519. However, since the product has reached its end of life, upgrading to CSA 5.0 is the preferred course of action.
Furthermore, Ivanti advises all customers to ensure dual-homed CSA configurations with eth0 as an internal network.
Customers should also check for any modified or newly added administrators in the CSA if there are suspicions of compromise. For users with endpoint detection and response (EDR) systems, reviewing alerts is recommended.
For assistance or inquiries, users can log a case or request a call through Ivanti’s Success Portal.