Ivanti Alert: High Severity CSA Vulnerability Now Actively Exploited

September 13, 2024

Ivanti, a major IT management software company, issued a warning last Friday about a severe vulnerability in its Cloud Services Appliance (CSA) solution that is being actively exploited in attacks. The company stated in an update to its August advisory, "At the time of disclosure on September 10, we were not aware of any customers being exploited by this vulnerability. At the time of the September 13 update, exploitation of a limited number of customers has been confirmed following public disclosure."

The company further clarified that CSA configurations with ETH-0 as an internal network, as recommended by Ivanti, are at a significantly lower risk of exploitation. Ivanti has encouraged administrators to scrutinize the configuration settings and access privileges for any new or changed administrative users to detect exploitation attempts. It also suggested reviewing any alerts from EDR or other security software.

The security flaw, identified as CVE-2024-8190, is a command injection vulnerability that lets remote authenticated attackers with administrative privileges achieve remote code execution on vulnerable appliances running Ivanti CSA 4.6. Ivanti recommends that customers upgrade from CSA 4.6.x, which has reached End-of-Life status, to CSA 5.0, which is still under support. The company added, "CSA 4.6 Patch 518 customers may also update to Patch 519. But as this product has entered End-of-Life, the preferred path is to upgrade to CSA 5.0. Customers already on CSA 5.0 do not need to take any further action."

Ivanti CSA is a security product designed to act as a gateway that gives external users secure access to internal enterprise resources. On Friday, the Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2024-8190 Ivanti CSA vulnerability to its Known Exploited Vulnerabilities catalog. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to secure vulnerable appliances within three weeks, by October 4. CISA warned, "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."

Earlier this week, Ivanti addressed a maximum severity flaw in its Endpoint Management software (EPM) that allows unauthenticated attackers to execute remote code on the core server. On the same day, it also patched nearly two dozen other high and critical severity flaws in Ivanti EPM, Workspace Control (IWC), and Cloud Services Appliance (CSA). Ivanti stated that it had increased internal scanning and testing capabilities in recent months and is also working on improving its responsible disclosure process to address potential security issues more quickly. Ivanti has over 7,000 partners worldwide, and its products are used by over 40,000 companies to manage their systems and IT assets. The company agreed with CISA's statement that the responsible discovery and disclosure of CVEs is 'a sign of healthy code analysis and testing community.'
