US-based security solutions provider Ivanti has issued critical security updates for its Cloud Services Appliance (CSA) following the discovery of several vulnerabilities. The flaws, tracked as CVE-2024-11639, CVE-2024-11772, and CVE-2024-11773, have been classified as high severity. One of the issues, CVE-2024-11639, received the highest possible Common Vulnerability Scoring System (CVSSv3) score of 10 out of 10. These vulnerabilities affect CSA versions 5.0.2 and earlier, prompting urgent calls from Ivanti for affected users and administrators to upgrade to the latest version.

The most concerning of these vulnerabilities, CVE-2024-11639, allows unauthenticated attackers to bypass the authentication mechanism in the admin web console. This effectively means that a remote attacker could gain full administrative access to the affected system without valid credentials and without any user interaction on the device. The potential implications of such an exploit are significant, offering attackers the ability to manipulate or compromise sensitive systems.

In addition to the authentication bypass, Ivanti’s CSA is also vulnerable to a command injection flaw, identified as CVE-2024-11772. This vulnerability allows remote authenticated users with admin privileges to execute arbitrary code on the affected appliance. The ability to execute remote code opens the door for attackers to take full control of the system, further amplifying the security risks posed by these flaws.

The third vulnerability, CVE-2024-11773, involves an SQL injection in the admin web console. This allows attackers with admin access to run arbitrary SQL queries, which could lead to the modification or deletion of critical data stored within the system. Ivanti’s advisory credited CrowdStrike’s advanced research team for uncovering the vulnerabilities.

Ivanti’s recent patch record

The company has advised administrators to immediately update affected devices to CSA version 5.0.3. This latest round of updates comes just months after several other critical flaws were patched in Ivanti’s CSA product. In September and October, for example, the cybersecurity firm resolved several vulnerabilities related to remote code execution, authentication bypass, and SQL injection. These flaws had already been actively exploited in attacks, prompting Ivanti to accelerate its response and enhance its internal security scanning processes.

Additionally, Ivanti issued patches to address nearly 50 vulnerabilities across its products last month, including eight critical issues in Connect Secure, Policy Secure, and Endpoint Manager. These flaws, tracked as CVE-2024-38655, CVE-2024-38656, CVE-2024-39710 to CVE-2024-39712, and CVE-2024-11005 to CVE-2024-11007, involve argument and command injection vulnerabilities. Attackers with administrator access could exploit these weaknesses to execute remote code, posing a severe security risk.

The patches were rolled out in Connect Secure version 22.7R2.3 and Policy Secure version 22.7R1.2, which also addressed eight high-severity and two medium-severity flaws. These additional vulnerabilities could lead to privilege escalation, denial-of-service (DoS) attacks, and remote code execution (RCE).
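As an added triage example (not from the article and not Ivanti's own tooling), the following Python checks an appliance inventory against the fixed builds the article names: CSA 5.0.3, Connect Secure 22.7R2.3 and Policy Secure 22.7R1.2. The hostnames and pre-patch versions are constructed, and two assumptions are mine: that Ivanti's "R" marker can be sorted as another numeric field, and that every build sorting below the fixed one is affected (the article states this explicitly only for CSA).

```python
"""Flag Ivanti appliances still below the fixed builds named in the article.
Inventory rows and pre-patch version numbers are constructed for illustration."""
import re

# Fixed versions from the article. Assumption: every build that sorts below
# the fixed build is affected (stated by the article only for CSA <= 5.0.2).
FIXED = {
    "CSA": ("5.0.3", "CVE-2024-11639 / CVE-2024-11772 / CVE-2024-11773"),
    "Connect Secure": ("22.7R2.3", "critical injection flaws (see Ivanti advisory)"),
    "Policy Secure": ("22.7R1.2", "critical injection flaws (see Ivanti advisory)"),
}


def parse_version(version: str) -> tuple:
    """Turn '22.7R2.3' or '5.0.2' into a comparable tuple such as (22, 7, 2, 3).
    Assumption: the 'R<n>' rollout marker sorts like any other numeric field."""
    parts = re.split(r"[.R]", version.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, version: str) -> bool:
    """True when the installed build sorts below the fixed build for that product."""
    fixed_version, _ = FIXED[product]
    return parse_version(version) < parse_version(fixed_version)


def triage(inventory):
    """Return (host, product, version, fixed, note) for every host still unpatched.
    Products not covered by these advisories are skipped rather than guessed at."""
    findings = []
    for host, product, version in inventory:
        if product not in FIXED:
            continue
        fixed_version, note = FIXED[product]
        if is_vulnerable(product, version):
            findings.append((host, product, version, fixed_version, note))
    return findings


# Constructed sample inventory: hostnames and the unpatched versions are made up.
INVENTORY = [
    ("csa-01.example.internal", "CSA", "5.0.2"),
    ("csa-02.example.internal", "CSA", "5.0.3"),
    ("ics-edge.example.internal", "Connect Secure", "22.7R2.1"),
    ("ips-core.example.internal", "Policy Secure", "22.7R1.2"),
    ("epm-01.example.internal", "Endpoint Manager", "UNKNOWN"),  # not covered here
]

if __name__ == "__main__":
    for host, product, version, fixed_version, note in triage(INVENTORY):
        print(f"{host}: {product} {version} < {fixed_version} -> {note}")
```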

Ivanti serves more than 40,000 organisations globally, providing critical solutions for managing and securing IT infrastructure. Users of Ivanti’s CSA are encouraged to review the security advisory and follow the recommended actions to secure their systems. Given the severity of the vulnerabilities, ensuring that appliances are updated to the latest version is crucial to maintaining the security and integrity of affected systems.
