
WARNING: THREE ZERO-DAYS IN IVANTI’S CLOUD SERVICES APPLIANCE (CSA) ARE ACTIVELY EXPLOITED, PATCH IMMEDIATELY!

Reference: Advisory #2024-237
Version: 1.0
Affected software: Ivanti Cloud Services Appliance versions prior to 5.0.2
Type: SQL Injection, OS Command Injection, Path traversal
CVE/CVSS: 

CVE-2024-9379 : CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H)

CVE-2024-9380 : CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVE-2024-9381 : CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Sources

Ivanti: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381?language=en_US

Risks

Ivanti has released security updates for three zero-days affecting its Cloud Services Appliance (CSA).
Successful exploitation of these vulnerabilities could allow a remote attacker with admin privileges to bypass restrictions, run arbitrary SQL statements or achieve remote code execution.

The security vendor has uncovered limited exploitation of these zero-day vulnerabilities in association with another CSA vulnerability, CVE-2024-8963, which was patched last month.

An attacker exploiting CVE-2024-9379 could severely impact the integrity and availability of affected systems, while the exploitation of CVE-2024-9380 and CVE-2024-9381 could have a high impact on the confidentiality, integrity and availability of affected systems.

Description

CVE-2024-9379 is an SQL injection vulnerability in the admin web console of Ivanti CSA affecting versions before 5.0.2, which allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

CVE-2024-9380 is an operating system (OS) command injection vulnerability in the admin web console of Ivanti CSA versions before 5.0.2, which allows a remote authenticated attacker with admin privileges to obtain remote code execution.

CVE-2024-9381 is a high-severity path traversal flaw in CSA affecting the same versions, which allows a remote authenticated attacker with admin privileges to bypass restrictions.
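The three vulnerability classes named above (SQL injection, OS command injection, path traversal) share one root cause: attacker-controlled input reaching an interpreter or filesystem API as part of the instruction rather than as plain data. The following added example is illustrative code written for this advisory; it is not Ivanti's code and says nothing about how the CSA admin console is implemented. It shows the standard mitigations for each class on a constructed in-memory SQLite table, a harmless `echo` command, and a hypothetical base directory `/srv/csa-files`, and includes a small helper to check that crafted inputs are rejected.

```python
import re
import sqlite3
import subprocess
from pathlib import Path


def make_db():
    # Constructed in-memory table standing in for an appliance's user store (illustrative only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_role(conn, username):
    # SQL injection mitigation: a parameterised query. The value travels to the
    # engine separately from the SQL text, so "' OR 1=1 --" is compared literally
    # as a user name and cannot rewrite the WHERE clause.
    row = conn.execute("SELECT role FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None


HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]{0,252}")


def echo_host(host):
    # OS command injection mitigation: strict allow-list validation, then execution
    # as an argument vector with no shell. Shell metacharacters (';', '|', '$(...)')
    # never reach a shell, and the leading character rule blocks option injection ("-n").
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    out = subprocess.run(["echo", host], capture_output=True, text=True, check=True)
    return out.stdout.strip()


def safe_resolve(base_dir, requested):
    # Path traversal mitigation: resolve the requested path against the base directory
    # and refuse anything whose normalised form is not inside it. This catches "../"
    # sequences and absolute paths alike (Path("/srv/x") / "/etc/passwd" == "/etc/passwd").
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        raise ValueError("path escapes base directory")
    return str(target)


def is_rejected(fn, *args):
    # True when the guarded function refuses the input instead of acting on it.
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(lookup_role(db, "alice"), lookup_role(db, "' OR 1=1 --"))
    print(echo_host("host.example"), is_rejected(echo_host, "host.example; id"))
    print(safe_resolve("/srv/csa-files", "reports/a.txt"),
          is_rejected(safe_resolve, "/srv/csa-files", "../../etc/passwd"))
```

The point of `is_rejected` is that each guard fails closed: an input that does not match the expected shape produces an error, not a partially sanitised command or query.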

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
The security vendor urges customers running CSA 5.0.1 and earlier versions to upgrade to 5.0.2.
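When triaging an appliance inventory against a "prior to 5.0.2" threshold, comparing version strings lexically is a common mistake (for example "5.0.10" sorts before "5.0.2" as text). The following added example is not Ivanti tooling; it is a small numeric version comparison written for this advisory, run over a constructed inventory with hypothetical hostnames. It assumes the plain dotted numeric version form shown in this advisory and tolerates an optional build suffix after a "-" or "+", which is an assumption about formatting rather than a statement about Ivanti's version scheme.

```python
import re

# Fixed version per this advisory: everything numerically lower needs the update.
FIXED_VERSION = "5.0.2"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-+].*)?")


def parse_version(text):
    # Convert "5.0.1" to (5, 0, 1); an optional build tag such as "5.0.1-build7"
    # (assumed format) is ignored. Anything else is rejected rather than guessed.
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def needs_patch(version, fixed=FIXED_VERSION):
    # Tuple comparison is element-wise numeric, so 5.0.10 is correctly newer than 5.0.2.
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    # Return hostnames that still run a vulnerable version, plus any entries whose
    # version could not be parsed (those need a manual check, not silent skipping).
    vulnerable, unknown = [], []
    for entry in inventory:
        try:
            if needs_patch(entry["version"]):
                vulnerable.append(entry["host"])
        except ValueError:
            unknown.append(entry["host"])
    return sorted(vulnerable), sorted(unknown)


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY = [
    {"host": "csa-01.example.internal", "version": "5.0.1"},
    {"host": "csa-02.example.internal", "version": "5.0.2"},
    {"host": "csa-03.example.internal", "version": "4.6"},
    {"host": "csa-04.example.internal", "version": "5.0.10"},
    {"host": "csa-05.example.internal", "version": "n/a"},
]


if __name__ == "__main__":
    vulnerable, unknown = triage(SAMPLE_INVENTORY)
    print("needs patch:", vulnerable)
    print("manual check:", unknown)
```

Hosts reported under "manual check" should be verified directly rather than dropped from the list; an unparseable version is not evidence that the appliance is up to date.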

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

OSINT: https://thehackernews.com/2024/10/zero-day-alert-three-critical-ivanti.html