Critical CSA Vulnerability Exploited in Attacks: Ivanti Issues Warning

September 19, 2024

Ivanti, a leading IT software company, has alerted its users about a new threat where attackers are exploiting a critical Cloud Services Appliance (CSA) vulnerability, targeting a select group of customers. The security flaw, identified as CVE-2024-8963, is a path traversal vulnerability that allows remote unauthenticated attackers to gain access to restricted functions on vulnerable CSA systems. These systems are typically used as gateways to provide enterprise users with secure access to internal network resources.

The attackers are leveraging exploits that combine CVE-2024-8963 with another high-severity CSA command injection bug, CVE-2024-8190, which was fixed recently. This combination allows them to bypass admin authentication and execute arbitrary commands on unpatched appliances. Ivanti stated, "The vulnerability was discovered as we were investigating the exploitation that Ivanti disclosed on 13 September. As we were evaluating the root cause of this vulnerability, we discovered that the issue had been incidentally addressed with some of the functionality removal that had been included in patch 519."

Ivanti is urging administrators to closely monitor alerts from endpoint detection and response (EDR) or other security software, and to review configuration settings and access privileges for new or modified administrative users, in order to detect exploitation attempts. Administrators are also advised to use dual-homed CSA configurations with eth0 as an internal network, which significantly lowers the risk of exploitation.

If a compromise is suspected, Ivanti advises rebuilding the CSA with patch 519, released on September 10, 2024. The company is strongly urging users to upgrade to CSA 5.0, wherever possible, as Ivanti CSA 4.6 is now End-of-Life and will no longer receive patches for OS or third-party libraries. "If you suspect compromise, Ivanti's recommendation is that you rebuild your CSA with patch 519 (released 09/10/2024). We strongly recommend moving to CSA 5.0, where possible," Ivanti cautioned.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the Ivanti CSA vulnerabilities, CVE-2024-8190 and CVE-2024-8963, to its Known Exploited Vulnerabilities catalog. Federal Civilian Executive Branch (FCEB) agencies are now required to patch vulnerable appliances within three weeks, by October 4 and October 10, respectively, as mandated by Binding Operational Directive (BOD) 22-01.

Ivanti has also stated that it has ramped up internal scanning and testing capabilities and is working on enhancing its responsible disclosure process to address potential security issues more swiftly. In the recent past, several Ivanti flaws were exploited as zero-days in widespread attacks targeting the company's VPN appliances and ICS, IPS, and ZTA gateways. Ivanti acknowledged, "This has caused a spike in discovery and disclosure, and we agree with CISA's statement that the responsible discovery and disclosure of CVEs is 'a sign of healthy code analysis and testing community.'"
