Ivanti CSA Vulnerabilities in Active Exploitation

Ivanti has alerted its customers to three new security flaws affecting its Cloud Service Appliance (CSA). These vulnerabilities are now being actively exploited by attackers.


The Utah-based software company confirmed that these zero-day vulnerabilities are being used alongside another previously discovered flaw in the CSA, which was fixed last month.

What’s at Risk?

If these vulnerabilities are successfully exploited, an attacker with administrative access could bypass security measures, execute harmful SQL commands, or even take control of the system remotely.

Ivanti explained, “A limited number of customers using CSA 4.6 patch 518 or earlier have already been affected by a combination of vulnerabilities: CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381, together with CVE-2024-8963.”

On a positive note, Ivanti has confirmed that there is no evidence that CSA version 5.0 has been impacted.

Breakdown of the Vulnerabilities

Here’s a brief look at the newly discovered vulnerabilities:

  • CVE-2024-9379 (CVSS score: 6.5): This SQL injection flaw affects the admin console in CSA versions earlier than 5.0.2. It allows a remote attacker with admin rights to run arbitrary SQL commands.
  • CVE-2024-9380 (CVSS score: 7.2): An operating system command injection flaw in the admin web portal of CSA prior to version 5.0.2. This vulnerability lets an attacker with admin privileges remotely execute harmful code.
  • CVE-2024-9381 (CVSS score: 7.2): This path traversal vulnerability in CSA prior to version 5.0.2 allows attackers with admin access to bypass restrictions and gain access to restricted areas.

A Critical Exploit: CVE-2024-8963

Ivanti has also highlighted CVE-2024-8963, a critical flaw with a CVSS score of 9.4. This path traversal vulnerability allows remote attackers without authentication to access sensitive functions. Attackers are combining this flaw with the previously mentioned vulnerabilities to compromise systems.

Further Investigation Reveals More Vulnerabilities

As Ivanti investigated the exploitation of CVE-2024-8963 and CVE-2024-8190 (another OS command injection issue with a CVSS score of 7.2), they uncovered three additional vulnerabilities. These have now been patched but were actively exploited in the wild before the fixes were released.

What You Should Do

Ivanti strongly advises users to update to the latest CSA version (5.0.2) as soon as possible. They also recommend checking the appliance for any suspicious changes to admin users, which may indicate a compromise. Additionally, users should review any alerts generated by their endpoint detection and response (EDR) systems.
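The first step of that advice is knowing which appliances are still on a vulnerable build. The script below is an added example, not Ivanti's tooling: it normalises the two version spellings used in the advisory ("4.6 patch 518" and "5.0.2", assumed to be how an inventory records them) and flags each host against the affected ranges stated above. The hostnames and versions in the sample inventory are constructed.

```python
import re

# Values taken from the advisory summary above; the version-string formats
# ("4.6 patch 518", "5.0.2") are an assumption about how an inventory records them.
FIXED_RELEASE = (5, 0, 2)               # CVE-2024-9379/9380/9381 are fixed in 5.0.2
EXPLOITED_CUTOFF = (4, 6, 518)          # "CSA 4.6 patch 518 or earlier" reported exploited
CVES_FIXED_IN_5_0_2 = ("CVE-2024-9379", "CVE-2024-9380", "CVE-2024-9381")
CHAINED_CVE = "CVE-2024-8963"

_PATCH_STYLE = re.compile(r"^(\d+)\.(\d+)\s+patch\s+(\d+)$", re.IGNORECASE)
_DOTTED_STYLE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")

def parse_version(text):
    """Normalise both CSA version spellings to a comparable (major, minor, patch) tuple."""
    text = text.strip()
    m = _PATCH_STYLE.match(text)
    if m:
        return tuple(int(x) for x in m.groups())
    m = _DOTTED_STYLE.match(text)
    if m:
        major, minor, patch = m.groups()
        return (int(major), int(minor), int(patch or 0))
    raise ValueError(f"unrecognised CSA version string: {text!r}")

def triage(version_text):
    """Return the CVEs the advisory associates with this version (empty list = at fixed release)."""
    version = parse_version(version_text)
    findings = []
    if version < FIXED_RELEASE:
        findings.extend(CVES_FIXED_IN_5_0_2)
    if version <= EXPLOITED_CUTOFF:
        # Population Ivanti reported as hit by the chained 9379/9380/9381 + 8963 attacks
        findings.append(CHAINED_CVE)
    return findings

def triage_inventory(inventory):
    """Map hostname -> findings for every appliance needing attention; patched hosts are omitted."""
    return {host: triage(ver) for host, ver in inventory.items() if triage(ver)}

# Constructed sample inventory (hostnames and versions are made up for this example)
SAMPLE_INVENTORY = {
    "csa-dc1.example.internal": "4.6 patch 518",
    "csa-dc2.example.internal": "4.6 patch 519",
    "csa-lab.example.internal": "5.0.1",
    "csa-new.example.internal": "5.0.2",
}
```

A host on 4.6 patch 519 is flagged for the three 5.0.2-fixed CVEs but not for the chained-exploitation population, which is the distinction the advisory draws.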

Recent Developments in Known Exploits

The United States Cybersecurity and Infrastructure Security Agency (CISA) recently added another Ivanti vulnerability, CVE-2024-29824 (CVSS score: 9.6), to the Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, which affected Ivanti Endpoint Manager (EPM), was fixed in May but is still considered a significant security risk.