Urgent Security Alert: Three Critical Ivanti CSA Vulnerabilities Exploited

Oct 08, 2024Ravie LakshmananZero-Day / Vulnerability

Ivanti has warned of three new security vulnerabilities affecting its Cloud Service Appliance (CSA) that are being actively exploited.

The critical vulnerabilities are being exploited in combination with another CSA flaw that the company patched the previous month, the Utah-based software services provider said.

If successfully exploited, these vulnerabilities could allow an authenticated attacker with administrative privileges to bypass restrictions, run arbitrary SQL statements, or achieve remote code execution.

“We have received reports of a few customers using CSA 4.6 patch 518 and earlier versions who fell victim when CVE-2024-9379, CVE-2024-9380 or CVE-2024-9381 were linked with CVE-2024-8963,” the company stated.

There is no evidence of exploitation against users running CSA 5.0. A brief overview of the three flaws is as follows:

  • CVE-2024-9379 (CVSS score: 6.5) – SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements
  • CVE-2024-9380 (CVSS score: 7.2) – An operating system (OS) command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution
  • CVE-2024-9381 (CVSS score: 7.2) – Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions

The attacks observed by Ivanti chain the aforementioned flaws with CVE-2024-8963 (CVSS score: 9.4), a critical path traversal vulnerability that allows a remote unauthenticated attacker to access restricted functionality.

Ivanti said it discovered the three new flaws while investigating the exploitation of CVE-2024-8963 and CVE-2024-8190 (CVSS score: 7.2), another now-patched OS command injection flaw in CSA that has also been exploited.

In addition to upgrading to the latest version (5.0.2), the company is advising users to review the appliance for modified or newly added administrative users as a sign of compromise, or to check for alerts from endpoint detection and response (EDR) tools installed on the device.
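The administrative-user review described above can be run as a diff against a known-good baseline. This is an added example, not code from Ivanti or the original article; the CSV export layout, the account names, and the review start date are constructed assumptions, not a CSA file format.

```python
import csv
import io
from datetime import datetime

# Constructed sample data. The columns (username, role, created, modified)
# are an assumed export layout, not an Ivanti CSA file format.
BASELINE_CSV = """username,role,created,modified
admin,administrator,2023-01-10T09:00:00,2024-03-02T11:15:00
ops-jane,administrator,2023-06-01T08:30:00,2024-05-20T14:00:00
audit-ro,read-only,2023-06-01T08:35:00,2023-06-01T08:35:00
"""
CURRENT_CSV = """username,role,created,modified
admin,administrator,2023-01-10T09:00:00,2024-09-28T02:41:00
ops-jane,administrator,2023-06-01T08:30:00,2024-05-20T14:00:00
audit-ro,administrator,2023-06-01T08:35:00,2024-09-28T02:43:00
svc-backup,administrator,2024-09-28T02:44:00,2024-09-28T02:44:00
"""

def load_users(text):
    """Parse an export into {username: row}, normalising case and whitespace."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["username"].strip().lower(): {k: v.strip() for k, v in r.items()}
            for r in rows}

def audit_admin_users(baseline_text, current_text, review_from):
    """List accounts added, removed, altered, or created inside the review window."""
    base, cur = load_users(baseline_text), load_users(current_text)
    findings = []
    for name in sorted(cur.keys() - base.keys()):
        findings.append(("ADDED", name, cur[name]["role"]))
    for name in sorted(base.keys() - cur.keys()):
        findings.append(("REMOVED", name, base[name]["role"]))
    for name in sorted(cur.keys() & base.keys()):
        changed = [f for f in ("role", "created", "modified")
                   if cur[name][f] != base[name][f]]
        if changed:
            findings.append(("ALTERED", name, ",".join(changed)))
    # Independent of the baseline: anything created during the review window.
    for name in sorted(cur):
        if datetime.fromisoformat(cur[name]["created"]) >= review_from:
            findings.append(("RECENT", name, cur[name]["created"]))
    return findings

if __name__ == "__main__":
    # Review start date is a constructed value; set it to cover the exposure period.
    for kind, user, detail in audit_admin_users(BASELINE_CSV, CURRENT_CSV, datetime(2024, 9, 1)):
        print(f"{kind:8} {user:12} {detail}")
```

Take the baseline from a backup or configuration record that predates the exposure, since a baseline captured from an already-compromised appliance would hide the changes.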

The development comes within a week of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announcing that it had added a security vulnerability affecting Ivanti Endpoint Manager (EPM) that was fixed in May (CVE-2024-29824, CVSS score: 9.6) to the Known Exploited Vulnerabilities (KEV) catalog.
