Ivanti has released software updates addressing multiple security vulnerabilities in its Endpoint Manager (EPM) software. Ten of the flaws are rated critical and could lead to remote code execution. The fixes matter most for users running EPM 2024 and EPM 2022 SU5 or earlier, since an attacker who exploits these weaknesses can gain unauthorized access to and control of the management server.
The most severe of the flaws is CVE-2024-29847, which carries the maximum Common Vulnerability Scoring System (CVSS) score of 10.0. It is caused by deserialization of untrusted data and allows a remote, unauthenticated attacker to execute arbitrary code. The remaining critical issues, each rated CVSS 9.1, are a set of SQL injection flaws (CVE-2024-32840 and the related identifiers listed in Ivanti's advisory). These allow a remote authenticated attacker with administrative privileges to achieve code execution; they therefore require a compromised or malicious administrator account first, but once that bar is cleared they hand over the server just as completely.
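The bug class behind the CVSS 10.0 flaw is worth seeing in code. The following is an added illustration written for this page, not Ivanti's code and not a reproduction of CVE-2024-29847 (whose serializer and endpoint are not described here). It uses Python's pickle module as a stand-in for any object-graph deserializer: the attacker-side Gadget class, the "echo" command it runs, and the allowlist contents are all constructed for the example.

```python
import io
import pickle
import subprocess

# Attacker side. Nothing about this class ever reaches the victim: pickle
# records only the callable and arguments that __reduce__ returns, so the
# serialized bytes amount to "import subprocess, call check_output(...)".
class Gadget:
    def __reduce__(self):
        return (subprocess.check_output, (["echo", "gadget chain executed"],))

def craft_payload() -> bytes:
    """Serialize the gadget; these bytes are what an attacker would send."""
    return pickle.dumps(Gadget())

# Constructed benign record, the kind of data such an endpoint should carry.
SAMPLE_RECORD = {"host": "ws-01", "ports": [22, 443]}

def benign_payload() -> bytes:
    return pickle.dumps(SAMPLE_RECORD)

# Victim side, vulnerable: deserializing bytes from the network with the
# default loader lets the sender choose which importable callable runs.
def vulnerable_load(data: bytes):
    return pickle.loads(data)

# Victim side, hardened. The real fix is to stop using an object-graph
# serializer for untrusted input (use JSON or another data-only format).
# Where that cannot happen immediately, restrict find_class to an explicit
# allowlist so the sender cannot name any callable outside it.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),  # assumed: the only type this service needs
}

class SafeUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def safe_load(data: bytes):
    return SafeUnpickler(io.BytesIO(data)).load()

def safe_load_rejects(data: bytes) -> bool:
    """True when the hardened loader refuses the bytes instead of running them."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False

if __name__ == "__main__":
    payload = craft_payload()
    print(vulnerable_load(payload))    # b'gadget chain executed\n': the command ran
    print(safe_load_rejects(payload))  # True: the allowlist blocked the gadget
    print(safe_load(benign_payload())) # plain data still loads
```

The point the example makes is that the victim never has to contain the attacker's class: the serialized stream names a callable that already exists on the server (here subprocess.check_output), and the loader obligingly imports and invokes it. The allowlist stops that, but it is a mitigation for code that cannot yet be migrated; a format that cannot express "call this function" removes the class of bug entirely.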
Ivanti urges customers to upgrade to EPM 2024 SU1 or EPM 2022 SU6, which contain the fixes. The company states that it has no evidence of any of these flaws being exploited in the wild, but given the unauthenticated nature of the deserialization issue, patching should not wait for that to change.
As part of the same September update, Ivanti also fixed seven high-severity vulnerabilities in Ivanti Workspace Control (IWC) and the Ivanti Cloud Service Appliance (CSA). The company says it has strengthened its internal security program, including expanded scanning capabilities and an improved responsible disclosure process, in order to find and fix vulnerabilities more quickly.
The announcement follows a run of reported zero-day exploitation of Ivanti appliances attributed to cyber espionage groups linked to China, which is why Ivanti products now draw close scrutiny from both attackers and defenders. Separately, Zyxel has disclosed a critical operating system command injection vulnerability (CVE-2024-6342) affecting its NAS devices.
The Zyxel command injection vulnerability has a CVSS score of 9.8. It is a flaw in the export-cgi program of the NAS326 and NAS542 devices that could allow an unauthenticated attacker to execute operating system commands by sending a crafted HTTP POST request. Zyxel has released fixes for the affected devices; NAS units are frequently exposed to untrusted networks, so timely installation is the only real defence.
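The SQL injection flaws in EPM described above and the Zyxel export-cgi command injection share a root cause: untrusted request data is spliced into a string that a parser (SQL engine or shell) then interprets. The following added example, written for this page and not taken from Ivanti or Zyxel code, shows both patterns beside their hardened forms in Python. The device table, the "echo" command standing in for a real export utility, and the archive-name allowlist are all constructed for the example; Zyxel's actual export-cgi parameter names and command are not described on this page and are not reproduced here.

```python
import re
import sqlite3
import subprocess

# --- SQL injection: the shape of the CVSS 9.1 EPM flaws --------------------

def make_inventory_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a management-console table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO devices (name, owner) VALUES (?, ?)",
        [("ws-01", "alice"), ("ws-02", "bob"), ("srv-dc1", "admin")],
    )
    return conn

def find_device_vulnerable(conn, name: str):
    # The caller's string is spliced into the statement, so a quote inside it
    # closes the literal and everything after it is parsed as SQL.
    query = f"SELECT name, owner FROM devices WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def find_device_safe(conn, name: str):
    # Bound parameter: the value travels separately from the statement text,
    # so it can only ever be compared against the column, never parsed.
    return conn.execute("SELECT name, owner FROM devices WHERE name = ?", (name,)).fetchall()

# --- OS command injection: the shape of the export-cgi flaw ----------------

def export_vulnerable(archive_name: str) -> str:
    # shell=True hands the POST parameter to /bin/sh, where ';', '|', '$()'
    # and backticks are command separators rather than filename characters.
    # 'echo' stands in for the real export utility (constructed example).
    result = subprocess.run(f"echo exporting {archive_name}",
                            shell=True, capture_output=True, text=True)
    return result.stdout

_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")  # assumed policy for archive names

def export_safe(archive_name: str) -> str:
    # 1. Reject anything outside a strict allowlist before it goes anywhere.
    if not _NAME_RE.fullmatch(archive_name):
        raise ValueError(f"invalid archive name: {archive_name!r}")
    # 2. Pass an argv list with no shell, so even a value that slipped past
    #    validation is a single argument, not shell syntax.
    result = subprocess.run(["echo", "exporting", archive_name],
                            capture_output=True, text=True, check=True)
    return result.stdout

def export_safe_rejects(archive_name: str) -> bool:
    try:
        export_safe(archive_name)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    conn = make_inventory_db()
    tautology = "ws-01' OR '1'='1"
    print(find_device_vulnerable(conn, tautology))  # every row comes back
    print(find_device_safe(conn, tautology))        # []: compared as a literal name
    injected = "backup; echo INJECTED"
    print(export_vulnerable(injected))              # the second command runs
    print(export_safe_rejects(injected))            # True
    print(export_safe("backup-2024.tgz"))           # exporting backup-2024.tgz
```

In both halves the fix is the same shape: keep data and syntax in separate channels (bound parameters for SQL, an argv list for processes) and validate the value against what the application actually needs. Input filtering alone is a weaker control, which is why export_safe does both.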
In MITRE ATT&CK terms, the unauthenticated deserialization flaw in EPM and the Zyxel command injection both map to Exploit Public-Facing Application (T1190) as an initial access technique. The EPM SQL injection flaws require an administrative session, so they sit behind a compromised account (Valid Accounts, T1078) and convert that access into code execution on the management server. Administrators should prioritize patching internet-reachable management consoles and NAS devices, and restrict access to their administrative interfaces to trusted networks in the meantime.
Source Link : https://thehackernews.com/2024/09/ivanti-releases-urgent-security-updates.html