Ivanti Warns of Three More CSA Zero-Days Exploited in Attacks

Summary:
Ivanti, a prominent U.S.-based IT software company, has issued critical security updates to fix three newly discovered zero-day vulnerabilities in its Cloud Services Appliance (CSA) that are being actively exploited in ongoing attacks. The vulnerabilities, tracked as CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381, are particularly dangerous because they are being chained with another zero-day, CVE-2024-8963, that was patched in September. Together they allow attackers to perform SQL injection, perform command injection, and bypass security controls through a path traversal weakness, compromising the CSA gateways that enterprises use to secure access to internal network resources.

Security Officer Comments:
Ivanti emphasized that it has seen no evidence of exploitation in any version of CSA 5.0, reassuring customers who have already upgraded. Given the urgency of the situation, however, the company says it is focusing heavily on improving its security response processes. Ivanti acknowledged that this is not the first time its software has been targeted in active exploitation campaigns: last month, threat actors chained an admin bypass vulnerability (CVE-2024-8963) with a command injection flaw (CVE-2024-8190) to bypass authentication and execute arbitrary commands on unpatched CSA appliances. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) subsequently added those vulnerabilities to its Known Exploited Vulnerabilities catalog and required federal agencies to secure their affected systems by October 10, 2024.

Suggested Corrections:
According to Ivanti, the vulnerabilities affect CSA versions 5.0.1 and earlier. Customers running CSA 4.6 patch 518 or earlier have already been targeted by attackers chaining the new vulnerabilities with the previously patched CVE-2024-8963. The company strongly urges customers still running older versions of CSA to upgrade immediately to CSA 5.0.2, which addresses these flaws. To identify exploitation attempts, administrators should review alerts from Endpoint Detection and Response (EDR) tools or other security monitoring systems; a specific sign of compromise is the creation of new admin users or the modification of existing ones, which indicates unauthorized access. Ivanti further notes that CSA 4.6 has reached end-of-life, with its final security patch issued in September, so customers on that version must upgrade to CSA 5.0.2 to remain protected.

Link(s):
https://www.ivanti.com/blog/october-2024-security-update