Ivanti warns of three new actively exploited flaws in Cloud Services Appliance

Take action: Hacking of old versions of Ivanti Cloud Services Appliance is escalating. Immediately update to the latest 4.6 patch 519, or just replace it with a 5.0.x version, since 4.6 is end of life. There will be more of these flaws, and you won't get a patch.


Ivanti has issued an alert about three newly discovered zero-day vulnerabilities affecting its Cloud Services Appliance (CSA), which are currently being exploited in the wild. These vulnerabilities, tracked as CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381, can be used in conjunction with CVE-2024-8963, a critical flaw patched in September 2024, to compromise vulnerable systems.

Ivanti has identified exploitation in a limited number of customers using CSA 4.6 patch 518 and earlier. There is no evidence of exploitation against environments running CSA version 5.0 or later.

Overview of the Vulnerabilities:

  • CVE-2024-9380 (CVSS score 7.2) - OS Command Injection Vulnerability - An operating system command injection vulnerability that allows a remote authenticated attacker with administrative privileges to achieve remote code execution through the admin web console in Ivanti CSA before version 5.0.2. This could enable attackers to execute arbitrary commands on the affected systems, potentially leading to a complete system compromise.

  • CVE-2024-9381 (CVSS score 7.2) - Path Traversal Vulnerability - A path traversal vulnerability that enables a remote authenticated attacker with admin privileges to bypass security restrictions in Ivanti CSA before version 5.0.2. This flaw can allow access to restricted directories or files, potentially exposing sensitive information.

  • CVE-2024-9379 (CVSS score 6.5) - SQL Injection Vulnerability - This flaw allows a remote authenticated attacker with administrative privileges to execute arbitrary SQL statements through the admin web console in Ivanti CSA before version 5.0.2. An attacker could manipulate SQL databases, potentially altering or retrieving sensitive information.

Attackers are using CVE-2024-8963, which was patched in September, in combination with the new vulnerabilities to execute sophisticated exploits.

Ivanti advises all customers to immediately update their CSA appliances to version 5.0.2, as it mitigates the identified vulnerabilities.
