Three critical vulnerabilities found in Ivanti Cloud Services Application
One is a perfect 10
Ivanti has issued a critical security advisory warning customers of three critical vulnerabilities in its Cloud Services Application (CSA).
The most severe of the newly identified flaws, CVE-2024-11639, is an authentication bypass bug in the admin web console.
This flaw allows unauthenticated users to escalate their privileges to those of an administrator, granting them full access to the system. With a CVSS score of 10, this vulnerability represents the highest level of risk.
The other two vulnerabilities, CVE-2024-11772 and CVE-2024-11773, are rated 9.1 and are also classified as critical.
CVE-2024-11772 is a command injection flaw in the admin web console. Exploiting this flaw allows attackers with admin privileges to execute arbitrary code remotely.
CVE-2024-11773 is an SQL injection vulnerability in the admin web console. It could enable admin users to execute arbitrary SQL statements, potentially leading to unauthorised access and data breaches.
Ivanti credits CrowdStrike's Advanced Research Team for discovering these vulnerabilities and reporting them via a responsible disclosure programme.
The company said there is no evidence of active exploitation or any indicators of compromise (IOCs) related to these flaws prior to their public disclosure.
"We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program," Ivanti stated.
"Currently, there is no known public exploitation of these vulnerabilities that could be used to provide a list of indicators of compromise."
However, chaining these critical vulnerabilities poses a significant threat to users. CVE-2024-11772 requires admin privileges, and CVE-2024-11639 grants them to an unauthenticated user, so attackers could potentially chain the two to bypass authentication and execute arbitrary commands, maximising the potential damage.
The flaws affect Ivanti CSA versions 5.0.2 and earlier, and Ivanti strongly recommends upgrading to CSA version 5.0.3 or later.
"In recent months, we have intensified our internal scanning, manual exploitation and testing capabilities, and have also made improvements to our responsible disclosure process so that we can promptly discover and address potential issues," Ivanti said in a blog post.
"We understand that secure software is not just a feature but a fundamental requirement in delivering reliable and trustworthy solutions. Ivanti remains steadfast in its mission to deliver secure, innovative, and effective products that our customers can rely on with confidence."
This is not the first time Ivanti's CSA has been in the cybersecurity spotlight this year.
In October, Fortinet disclosed that a sophisticated cyberattack, believed to be orchestrated by a nation-state adversary, was exploiting critical vulnerabilities in Ivanti's CSA to gain unauthorised access to sensitive systems.
The attackers leveraged three vulnerabilities – CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 – to compromise the CSA and execute a series of malicious activities.
In addition to these vulnerabilities targeting the CSA, the attackers also exploited CVE-2024-29824, a critical vulnerability in Ivanti Endpoint Manager (EPM).
Also in October, the US Cybersecurity and Infrastructure Security Agency (CISA) included CVE-2024-9379 and CVE-2024-9380 in its Known Exploited Vulnerabilities (KEV) catalogue. These two flaws were being exploited in combination with CVE-2024-8963, a critical directory traversal vulnerability (CVSS score 9.4) that enables access to restricted functionality.
CISA noted that CVE-2024-8963, when chained with CVE-2024-8190, allowed attackers to bypass admin authentication and execute commands at the OS level.