WARNING: THREE ZERO-DAYS IN IVANTI’S CLOUD SERVICES APPLIANCE (CSA) ARE ACTIVELY EXPLOITED, PATCH IMMEDIATELY!
CVE-2024-9379 : CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H)
CVE-2024-9380 : CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-9381 : CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Sources
Risks
Ivanti has released security updates for three zero days affecting its Cloud Service Appliance (CSA).
Successful exploitation of these vulnerabilities could allow a remote attacker with admin privileges to bypass restrictions, run arbitrary SQL statements or achieve remote code execution.
The security vendor has uncovered limited exploitation of these zero-day vulnerabilities in association with another CSA vulnerability, CVE-2024-8963, which was patched last month.
An attacker exploiting CVE-2024-9379 could severely impact the integrity and availability of affected systems, while exploitation of CVE-2024-9380 and CVE-2024-9381 could have a high impact on the confidentiality, integrity and availability of affected systems.
Description
CVE-2024-9379 is an SQL injection vulnerability in the admin web console of Ivanti CSA affecting versions before 5.0.2, which allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.
CVE-2024-9380 is an operating system (OS) command injection vulnerability in the admin web console of Ivanti CSA versions before 5.0.2 that allows a remote authenticated attacker with admin privileges to obtain remote code execution.
CVE-2024-9381 is a high-severity path traversal flaw in CSA affecting the same versions, which allows a remote authenticated attacker with admin privileges to bypass restrictions.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
The security vendor urges customers running CSA 5.0.1 and earlier versions to upgrade to 5.0.2.
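The patch guidance above reduces to a single question per appliance: is the running CSA version below 5.0.2? A naive string comparison gets this wrong for versions such as 5.0.10, so the following added example (not part of the advisory, and not Ivanti or CCB tooling) parses version strings numerically and triages a constructed asset inventory into affected, patched and unknown hosts. The inventory entries and the `.invalid` hostnames are constructed sample data; the only fact taken from the advisory is the 5.0.2 fix threshold.

```python
import re
from typing import Dict, List, Optional, Tuple

# From the advisory: CSA 5.0.1 and earlier are affected, 5.0.2 carries the fix.
FIXED_VERSION = (5, 0, 2)


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn '5.0.1', 'v5.0.2' or '5.0.1-build7' into a tuple of ints.

    Returns None when the string carries no numeric version at all, so the
    caller can flag the host for manual inspection instead of guessing.
    """
    match = re.match(r"\s*v?(\d+(?:\.\d+)*)", version)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is older than the fixed release, False if it is
    5.0.2 or newer, None if the version string could not be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    # Pad short strings such as '5' or '5.0' to three components so they
    # compare as 5.0.0 rather than raising on a shorter tuple.
    padded = parsed + (0,) * max(0, 3 - len(parsed))
    return padded[:3] < FIXED_VERSION


# Constructed sample inventory; hostnames use the reserved .invalid TLD.
INVENTORY: List[Dict[str, str]] = [
    {"host": "csa-01.example.invalid", "version": "5.0.1"},
    {"host": "csa-02.example.invalid", "version": "5.0.2"},
    {"host": "csa-03.example.invalid", "version": "4.6.0"},
    {"host": "csa-04.example.invalid", "version": "5.0.10"},
    {"host": "csa-05.example.invalid", "version": "unknown"},
]


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Bucket hosts by patch status. Affected hosts need the upgrade and,
    per the advisory, an assessment for historic compromise as well."""
    result: Dict[str, List[str]] = {"affected": [], "patched": [], "unknown": []}
    for entry in inventory:
        status = is_affected(entry["version"])
        if status is None:
            result["unknown"].append(entry["host"])
        elif status:
            result["affected"].append(entry["host"])
        else:
            result["patched"].append(entry["host"])
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The tuple comparison is what makes 5.0.10 land in the patched bucket; comparing the raw strings would rank "5.0.10" below "5.0.2" and produce a false positive. Hosts whose version cannot be parsed are reported separately rather than silently treated as safe.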
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
OSINT: https://thehackernews.com/2024/10/zero-day-alert-three-critical-ivanti.html