Critical Ivanti CSA Auth Bypass (CVE-2024-11639) Patched Alongside Other High-Impact Flaws

Ivanti recently released critical security updates to address several high-impact vulnerabilities in its products, including the Cloud Services Appliance (Ivanti CSA), Connect Secure (ICS), and Policy Secure (IPS). These updates aim to mitigate severe risks, including Remote Code Execution (RCE), that could compromise enterprise systems.

The most pressing issue among these vulnerabilities is CVE-2024-11639, a maximum severity authentication bypass issue in Ivanti CSA.

What is CVE-2024-11639? Details of the Recent Authentication Bypass in Ivanti CSA

Among the vulnerabilities patched in Ivanti’s latest updates, CVE-2024-11639 stands out as the most critical. This authentication bypass flaw, assigned the highest CVSS severity score of 10.0, enables remote attackers to gain administrative access to vulnerable Ivanti CSA appliances without requiring authentication or user interaction.

CVE-2024-11639 can be exploited through an alternate authentication path in CSA versions 5.0.2 and earlier, letting attackers bypass security measures entirely and putting enterprise systems at significant risk if left unpatched.

Ivanti products have a track record of being targeted by advanced attackers, including nation-state adversaries. For instance, CVE-2024-8190, along with two previously undisclosed vulnerabilities, was actively exploited by a nation-state group in October 2024. Similarly, in September 2024, another critical flaw in the Cloud Services Appliance (CVE-2024-8963) was exploited in real-world attacks.

Alongside CVE-2024-11639, Ivanti addressed two other critical-severity vulnerabilities in its Cloud Services Appliance (CSA) that pose significant risks to enterprise systems:

  • CVE-2024-11772 (CVSS 9.1): A command injection vulnerability in the CSA admin web console. This flaw allows authenticated administrators to execute remote code on the appliance, potentially compromising the system.
  • CVE-2024-11773 (CVSS 9.1): An SQL injection vulnerability that enables authenticated administrators to run arbitrary SQL queries. Exploiting this flaw could lead to unauthorized access to sensitive data or further compromise of the appliance.

Ivanti Recommends Upgrading to CSA 5.0.3 Immediately

Ivanti strongly advises all customers to upgrade to CSA version 5.0.3, which addresses these vulnerabilities.

As of the time of the advisory, there is no evidence of these flaws being exploited in the wild. However, given the critical nature of these vulnerabilities, immediate action is essential to prevent potential attacks.

Ivanti Connect Secure and Policy Secure Also Receive Important Patches (CVE-2024-11633, CVE-2024-11634)

Ivanti has also addressed significant vulnerabilities, tracked as CVE-2024-11633 and CVE-2024-11634, in its Connect Secure and Policy Secure products, both rated critical due to their potential to enable Remote Code Execution (RCE).

  • CVE-2024-11633 (CVSS 9.1): An argument injection vulnerability in Connect Secure. This flaw allows authenticated administrators to execute arbitrary code remotely, putting enterprise systems at risk of complete compromise.
  • CVE-2024-11634 (CVSS 9.1): A command injection vulnerability that affects both Ivanti Connect Secure and Policy Secure. Its exploitation could enable authenticated administrators to execute code remotely, potentially leading to unauthorized control of affected devices.

How to Patch These Vulnerabilities

To mitigate these risks, Ivanti recommends upgrading to the patched versions:

  • Connect Secure 22.7R2.4
  • Policy Secure 22.7R1.2

By implementing these updates, you can ensure the security of your environment and prevent exploitation by attackers.
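
An inventory check against the fixed releases named above (CSA 5.0.3, Connect Secure 22.7R2.4, Policy Secure 22.7R1.2), added here as an illustration and not taken from Ivanti or SOCRadar. The product keys, hostnames and sample versions are constructed, and the comparison assumes Ivanti version strings order numerically field by field; the article gives an affected range only for CSA, so for Connect Secure and Policy Secure a flag means "below the listed fixed release".

```python
import re

# Fixed releases as listed in the article above.
FIXED = {
    "csa": "5.0.3",
    "connect-secure": "22.7R2.4",
    "policy-secure": "22.7R1.2",
}

def parse_version(text):
    """Turn '5.0.2' or '22.7R2.4' into a tuple of ints, e.g. (22, 7, 2, 4)."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*([Rr]\d+(\.\d+)*)?", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(n) for n in re.findall(r"\d+", text))

def needs_upgrade(product, version):
    """True when `version` sorts below the fixed release for `product`."""
    fixed = parse_version(FIXED[product])
    seen = parse_version(version)
    # Pad to equal length so '22.7R2' compares as '22.7R2.0'.
    width = max(len(fixed), len(seen))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(seen) < pad(fixed)

def triage(inventory):
    """Return (host, product, version, status) rows for an asset list."""
    rows = []
    for host, product, version in inventory:
        try:
            status = "UPGRADE" if needs_upgrade(product, version) else "ok"
        except (KeyError, ValueError):
            status = "REVIEW"  # unknown product or unparseable version
        rows.append((host, product, version, status))
    return rows

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = [
    ("csa-01.example.internal", "csa", "5.0.2"),
    ("csa-02.example.internal", "csa", "5.0.3"),
    ("vpn-01.example.internal", "connect-secure", "22.7R2.3"),
    ("vpn-02.example.internal", "connect-secure", "22.7R2.4"),
    ("nac-01.example.internal", "policy-secure", "22.7R1.1"),
    ("nac-02.example.internal", "policy-secure", "unknown"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("{:<26} {:<15} {:<10} {}".format(*row))
```

Rows marked REVIEW carry a product or version string the script could not interpret and need a manual check against the vendor advisory.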

Addressing vulnerabilities like those recently patched in Ivanti products is essential to maintaining your organization’s security. Delays in fixing such flaws can result in actual breaches, disrupting your operations. Understanding which risks to tackle first and having the tools to act efficiently is key to reducing exposure.

SOCRadar’s Vulnerability Intelligence module helps you stay ahead by providing continuous monitoring and real-time alerts for newly discovered vulnerabilities and exploit activity. You’ll know when a vulnerability becomes a threat, enabling your team to act swiftly.

Vulnerability Intelligence module by SOCRadar – Track the latest CVEs, exploitation trends

Paired with the Attack Surface Management (ASM) module, you gain unparalleled visibility into your digital environment. This tool identifies exposed assets and potential weak points, giving you the insights needed to assess and address risks before they can be exploited.

Monitor your vulnerabilities with SOCRadar’s ASM module (ASM Company Vulnerabilities page)

With SOCRadar, you’re equipped to both anticipate and respond to vulnerabilities. By combining actionable intelligence with clear visibility, these tools empower you to safeguard your organization’s assets and reduce your overall attack surface effectively. Protect your systems and stay one step ahead of potential threats.

High-Severity Vulnerabilities in Ivanti DSM, EPM, Sentry, and Other Products

In addition to the vulnerabilities patched in CSA, Connect Secure, and Policy Secure, Ivanti has addressed high-severity flaws in other products in its December security updates. These include issues such as arbitrary file deletion and the modification of sensitive application components caused by insecure permissions. Affected products are:

  • Ivanti Desktop and Server Management (DSM)
  • Ivanti Endpoint Manager (EPM)
  • Ivanti Security Controls (iSec)
  • Ivanti Patch for Configuration Manager
  • Ivanti Neurons for Patch Management and Neurons Agent Platform
  • Ivanti Sentry

If you are using any of these products, refer to the individual advisories for patching details:
