Ivanti Virtual Traffic Manager Susceptible to Major Vulnerability Allowing Unauthorized Administration Access

Aug 14, 2024 | Ravie Lakshmanan | Weakness / Network Defense

Ivanti has released security updates to address a critical flaw in Virtual Traffic Manager (vTM) that could be exploited to bypass authentication and create rogue administrative accounts.

The vulnerability, tracked as CVE-2024-7593, carries a CVSS score of 9.8 out of a maximum of 10.0.

“Utilizing an incorrect authentication algorithm in Ivanti vTM versions other than 22.2R1 or 22.7R2 enables a remote unauthenticated attacker to circumvent authentication processes for the admin dashboard,” the company said in an advisory.

The affected versions of vTM are:

  • 22.2 (fixed in version 22.2R1)
  • 22.3 (fixed in version 22.3R3, expected to be available the week of August 19, 2024)
  • 22.3R2 (fixed in version 22.3R3, expected to be available the week of August 19, 2024)
  • 22.5R1 (fixed in version 22.5R2, expected to be available the week of August 19, 2024)
  • 22.6R1 (fixed in version 22.6R2, expected to be available the week of August 19, 2024)
  • 22.7R1 (fixed in version 22.7R2)
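To turn the version list above into a fleet check, here is a small triage helper written for this article (it is not Ivanti's code): it parses vTM version strings of the form 22.xRy, compares each against the fixed release for its branch as listed in the advisory, and reports branches the advisory does not mention as "not listed" rather than guessing. The hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed release per affected vTM branch, as listed in the Ivanti advisory
# for CVE-2024-7593 (branch 22.3 covers both 22.3 and 22.3R2).
FIXED_RELEASE = {
    (22, 2): 1,  # 22.2   -> 22.2R1
    (22, 3): 3,  # 22.3 / 22.3R2 -> 22.3R3
    (22, 5): 2,  # 22.5R1 -> 22.5R2
    (22, 6): 2,  # 22.6R1 -> 22.6R2
    (22, 7): 2,  # 22.7R1 -> 22.7R2
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '22.3R2' -> (22, 3, 2); a bare '22.3' is treated as R0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vTM version string: {text!r}")
    major, minor, release = m.groups()
    return int(major), int(minor), int(release or 0)


def assess(text: str) -> str:
    """Classify one vTM version against the CVE-2024-7593 advisory.

    Returns 'fixed', 'vulnerable (update to X)', or 'not listed' for a
    branch the advisory does not mention (confirm with the vendor).
    """
    major, minor, release = parse_version(text)
    fixed = FIXED_RELEASE.get((major, minor))
    if fixed is None:
        return "not listed"
    if release >= fixed:
        return "fixed"
    return f"vulnerable (update to {major}.{minor}R{fixed})"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map hostname -> assessment for an inventory of hostname -> version."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {"vtm-edge-1": "22.3R2", "vtm-edge-2": "22.7R2", "vtm-lab": "22.2"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```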

As an interim measure, Ivanti recommends that customers restrict admin access to the management interface or limit that access to trusted IP addresses only.


While there is no evidence that the vulnerability is being exploited in the wild, the existence of a publicly available proof-of-concept (PoC) makes it important that users apply the latest updates promptly.

Separately, Ivanti has also fixed two flaws in Neurons for ITSM that could lead to information disclosure and unauthorized access to devices as any user:

  • CVE-2024-7569 (CVSS score: 9.6) – An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information
  • CVE-2024-7570 (CVSS score: 8.3) – Improper certificate validation in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows a remote attacker in a MITM position to craft a token that grants access to ITSM as any user

The flaws, affecting versions 2023.4, 2023.3, and 2023.2, have been corrected in versions 2023.4 w/ patch, 2023.3 w/ patch, and 2023.2 w/ patch, respectively.

The company has also addressed five high-severity vulnerabilities (CVE-2024-38652, CVE-2024-38653, CVE-2024-36136, CVE-2024-37399, and CVE-2024-37373) in Ivanti Avalanche that could be abused to cause a denial-of-service (DoS) condition or execute remote code. These have been fixed in version 6.4.4.
