Attacks targeting CVE-2024-9379 and CVE-2024-9380 have impacted customers running the end-of-life CSA 4.6 for which the company issued the last security fix on Sept. 10.
Ivanti this week issued fixes for two new vulnerabilities in its Cloud Services Appliance (CSA) after discovering a threat actor abusing them in attacks against a “limited number” of its customers. It also patched a third vulnerability, which does not appear to be a zero-day.
The company identified the zero-day vulnerabilities as CVE-2024-9379 and CVE-2024-9380.
CVE-2024-9379 is a SQL injection vulnerability in the admin web console of Ivanti CSA. It allows a remote authenticated attacker with admin privileges to execute arbitrary SQL statements on an affected system.
CVE-2024-9380 is an OS command injection vulnerability in the same CSA component. An authenticated attacker with admin privileges can leverage the vulnerability to obtain remote code execution on affected devices.
The vulnerabilities affect CSA version 5.0.2 and below.
Here’s what you need to know about the flaws:
- A threat actor is separately chaining each newly disclosed zero-day (CVE-2024-9379 or CVE-2024-9380) with CVE-2024-8963, a previous path traversal bug in Ivanti CSA 4.6 that the vendor disclosed in September.
- The attacks that Ivanti observed affected customers running CSA 4.6 patch 518 and below and allowed the threat actor full unauthenticated remote code execution. Ivanti says it has not observed any exploitation of these vulnerabilities on any version of CSA 5.0.
- CSA 4.6 is end-of-life. Ivanti issued the last security fix for it on Sept. 10.
- CISA has added both flaws to its catalog of known exploited vulnerabilities. The deadline for Federal Civilian Executive Branch agencies to apply Ivanti’s recommended fixes for the flaws—or to stop using the technology until they do—is Oct. 30, 2024.
Ivanti discovered the two latest zero-days while investigating exploit activity involving CVE-2024-8963 and yet another bug, CVE-2024-8190, in CSA 4.6 that the company disclosed on Sept. 10.
In addition to the zero-days, Ivanti’s bug disclosure this week included CVE-2024-9381, a path traversal bug in versions of Ivanti CSA prior to 5.0.2. This bug, too, allows a remote authenticated attacker with admin privileges to bypass restrictions and execute arbitrary. Ivanti’s bug disclosure makes no mention of whether attackers are currently exploiting CVE-2024-9381, so it is likely safe to assume the bug is not a zero-day.
Why the flaws matter
Ivanti’s CSA and other remote access products are popular attacker targets. In February, CISA warned of threat actors abusing multiple vulnerabilities in Ivanti’s Connect Secure and Policy Secure gateways. CISA authored the advisory in collaboration with multiple stakeholders, including the FBI, the Multi-State Information Sharing & Analysis Center (MS-ISAC) and cybersecurity officials from the governments of the UK, Australia, Canada and New Zealand.
Ivanti has exacerbated such concerns significantly by disclosing an almost non-stop barrage of high-severity bugs in its technologies that have kept security teams on their toes throughout the year.