In a continuing series of security challenges, Ivanti has disclosed three new vulnerabilities in its Cloud Services Appliance (CSA) that are currently being exploited in the wild. This announcement is part of the company’s ongoing efforts to address and mitigate security risks in its products.
Vulnerability Details and Exploitation
The newly identified vulnerabilities, designated as CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381, are being exploited in conjunction with a previously reported zero-day vulnerability (CVE-2024-8963). Ivanti reports that the exploitation of these vulnerabilities is currently limited.
Breakdown of the Vulnerabilities:
- CVE-2024-9379 (CVSS 6.5): Allows remote authenticated attackers with privileges to execute SQL statements.
- CVE-2024-9380 (CVSS 7.2): An operating system command injection vulnerability enabling remote authenticated attackers to achieve remote code execution with admin privileges.
- CVE-2024-9381 (CVSS 7.2): A path traversal vulnerability in Ivanti CSA versions before 5.0, allowing remote authenticated attackers to bypass restrictions with admin privileges.
Affected Systems and Mitigation
The vulnerabilities impact systems running CSA 4.6 patch 518 and earlier versions. Notably, Ivanti has found no evidence of exploitation in environments running CSA 5.0.
Ivanti’s Recommendations
To help users identify potential compromises, Ivanti has provided several recommendations:
- Review the CSA for any modified or newly added administrative users.
- Check EDR alerts if EDR or other security tools are installed on the CSA.
- Implement a layered approach to security, including installing an EDR tool on the CSA, given its role as an edge device.
If users suspect their systems have been compromised, Ivanti strongly recommends rebuilding the CSA with version 5.0.





