Ivanti Identifies Active Exploitation of New Vulnerabilities in Cloud Service Appliance
Ivanti has issued an alert regarding three newly discovered security vulnerabilities in its Cloud Service Appliance (CSA), which are currently being actively exploited by attackers. These vulnerabilities add to the growing concerns over the security of this essential service, underscoring the importance of robust cybersecurity measures for organizations relying on cloud solutions.
The vulnerabilities in question are classified as zero-day flaws, meaning they were exploited before any fix was available. What sets this case apart is that the newly identified flaws are being chained with a previously patched CSA vulnerability, CVE-2024-8963, which had been addressed the month before. Ivanti's statement notes that the risk is to authenticated users with administrative privileges: successful exploitation may allow unauthorized access, execution of arbitrary SQL commands, and potentially remote code execution.
Reports indicate that only a limited number of customers running CSA version 4.6 patch 518 and older have been compromised by these vulnerabilities when they are chained with CVE-2024-8963. Notably, there is currently no evidence that CSA version 5.0, the latest release, has been affected. Ivanti has described the three newly discovered vulnerabilities as SQL injection (CVE-2024-9379), OS command injection (CVE-2024-9380), and path traversal (CVE-2024-9381). Each carries a CVSS score between 6.5 and 7.2, which the advisory treats as a significant risk to enterprise security.
The attacks linked to these vulnerabilities typically combine them with CVE-2024-8963, a severe path traversal vulnerability that gives attackers unauthorized access to sensitive functionality within CSA. The exploitation of the new flaws was uncovered during investigations into the ongoing exploitation of CVE-2024-8963 and another OS command injection flaw, CVE-2024-8190, which was also being actively exploited.
Ivanti strongly recommends that users promptly update their systems to CSA version 5.0.2, which mitigates these vulnerabilities. Additionally, users should conduct thorough reviews of their administrative user accounts for any dubious modifications or newly added accounts that could indicate a breach. Endpoint Detection and Response (EDR) tools should also be monitored for alerts, as these can provide critical insights into potential compromises.
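As an added illustration of the two checks above (not Ivanti's own tooling), the helper below triages an inventory of CSA hosts against the version thresholds in this advisory and diffs the current administrative account list against a known-good baseline. The version string format ("4.6 patch 518", "5.0.2") and the sample inputs are assumptions constructed for the example.

```python
"""Triage helper for the Ivanti CSA advisory summarised above (added example)."""
import re

FIXED_VERSION = (5, 0, 2)   # CSA 5.0.2 is the release the advisory says mitigates the flaws
LAST_COMPROMISED_PATCH = 518  # "4.6 patch 518 and older" is the reported compromised range


def parse_version(text):
    """Turn '4.6 patch 518' into (4, 6, 518) and '5.0.2' into (5, 0, 2).

    The string format is an assumption for this example, not Ivanti's documented scheme.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s+patch\s+(\d+))?\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised CSA version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    third = m.group(3) or m.group(4) or "0"  # third component or patch number, if any
    return (major, minor, int(third))


def classify(version_text):
    """Return 'affected', 'update-required' or 'patched' according to the advisory."""
    v = parse_version(version_text)
    if v[:2] < (4, 6) or (v[:2] == (4, 6) and v[2] <= LAST_COMPROMISED_PATCH):
        return "affected"           # within the range where compromises were reported
    if v < FIXED_VERSION:
        return "update-required"    # not yet on 5.0.2, which carries the fix
    return "patched"


def new_admin_accounts(baseline, current):
    """Admin accounts present now but absent from the last known-good list (review these)."""
    return sorted(set(current) - set(baseline))


if __name__ == "__main__":
    # Constructed sample inventory and account lists; not real hosts or users.
    inventory = {"csa-01": "4.6 patch 518", "csa-02": "5.0", "csa-03": "5.0.2"}
    for host, version in inventory.items():
        print(f"{host}: {version} -> {classify(version)}")
    baseline_admins = ["admin"]
    current_admins = ["admin", "svc_backup"]
    print("admin accounts not in baseline:", new_admin_accounts(baseline_admins, current_admins))
```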
These revelations come shortly after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a serious flaw found in Ivanti Endpoint Manager (EPM) to its Known Exploited Vulnerabilities catalog. The recent activities surrounding many of Ivanti’s products reflect a notable increase in scrutiny and need for vigilance among organizations using these tools.
Ivanti has also revised an earlier advisory concerning CVE-2024-9381, which had been labeled as actively exploited because of a clerical error. The company confirmed that this vulnerability has not been observed being exploited in the wild.
In light of the recent developments, CISA has added CVE-2024-9379 and CVE-2024-9380 to its catalog, mandating that federal agencies apply the necessary patches by October 30, 2024. Organizations must remain proactive in addressing these vulnerabilities to secure their operations effectively.
This incident highlights the pressing need for awareness and responsiveness to vulnerabilities in cloud services, especially for businesses that are becoming increasingly reliant on these technologies for their infrastructure. The tactics employed by attackers in exploiting these vulnerabilities could be linked to several adversarial techniques outlined in the MITRE ATT&CK framework, particularly initial access, privilege escalation, and execution, which are critical to understanding the patterns and methods employed in these cyber threats. As organizations strive to safeguard their systems, remaining informed about these vulnerabilities and ensuring prompt updates will be essential in mitigating risks.