Ivanti Warns of Maximum Severity CSA Auth Bypass Vulnerability
Summary:
Yesterday, Ivanti released a security advisory regarding a new maximum-severity authentication bypass flaw in its Cloud Services Appliance (CSA) solution. The critical vulnerability is tracked as CVE-2024-11639 and was reported to Ivanti by CrowdStrike’s advanced research team. The flaw lets remote attackers gain administrative privileges on vulnerable appliances running Ivanti CSA 5.0.2 or earlier, without authentication or user interaction, by circumventing authentication through an alternate path or channel. As of December 10, 2024, Ivanti has not observed any customers being attacked using this vulnerability, so there are currently no indicators of compromise.
Security Officer Comments:
CVE-2024-11639 is the sixth CSA security vulnerability that Ivanti has patched in recent months. Although Ivanti has not observed active exploitation of CVE-2024-11639 in the wild, some of the other recently patched Ivanti flaws, CVE-2024-8190 (remote code execution) and CVE-2024-8963 (admin authentication bypass), are being leveraged in targeted attacks against Ivanti CSA customers. Additionally, three security flaws fixed in October 2024 were being chained with the CVE-2024-8963 CSA admin bypass to compromise organizations’ systems. Ivanti software has nearly 40,000 customers, and its widespread use, coupled with this stream of newly disclosed Ivanti vulnerabilities, highlights how severe the potential impact of a critical vulnerability like CVE-2024-11639 can be for organizations. APTs and other sophisticated cybercriminal groups are attracted to low-hanging fruit in software like Ivanti CSA, which makes securing environments challenging for organizations that lack an effective patch maintenance policy.
Suggested Corrections:
Ivanti advises system administrators to upgrade vulnerable appliances to CSA 5.0.3 using detailed information available in this support document.
Link(s):
https://www.bleepingcomputer.com/news/security/ivanti-warns-of-maximum-severity-csa-auth-bypass-vulnerability/