Ivanti is reporting that a new vulnerability in its Cloud Service Appliance (CSA) is being actively exploited in the wild. This warning comes just days after the company stated CVE-2024-8190, an operating system command injection vulnerability, was being actively exploited by threat actors, impacting a limited number of CSA users.
The new vulnerability, designated CVE-2024-8963, is a path traversal flaw that could allow threat actors to bypass authentication and access restricted functions on vulnerable CSA deployments. According to Ivanti, threat actors have been observed chaining CVE-2024-8963 with CVE-2024-8190 to bypass authentication mechanisms and execute commands on vulnerable CSA systems.
The new flaw was discovered during Ivanti’s investigation of the exploitation of CVE-2024-8190. Fortunately, the patch released to address CVE-2024-8190 also works for CVE-2024-8963, thus Ivanti is encouraging users who haven’t patched yet to do so as soon as possible.
Currently, the flaw only impacts CSA version 4.6, which has reached end-of-life status. Ivanti has advised that while patch 519 addresses both issues, it will be the last patch for version 4.6, so users should upgrade to CSA version 5.0 going forward.
Source: Bleeping Computer
Analysis
The exploitation of CVE-2024-8963 and CVE-2024-8190 demonstrates how quickly threat actors can develop exploits and deploy them against unpatched systems, despite a patch being available. This highlights the importance of maintaining a high patching cadence to deny threat actors these potential attack vectors before they can exploit them.
CVE-2024-8963 marks the seventh Ivanti vulnerability that the Cybersecurity and Infrastructure Security Agency (CISA) has listed in its Known Exploited Vulnerabilities (KEV) catalog in 2024, some of them zero-days targeted by nation-state actors to deploy various custom malware strains. To the company's credit, Ivanti recently implemented a more rigorous code review regime, which it says is the reason so many vulnerabilities have been discovered recently.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software like Ivanti CSA. Field Effect MDR users are automatically notified if a vulnerable or end-of-life version of CSA is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly recommends that users of affected CSA versions update to the latest version as soon as possible, in accordance with the advisory.
Administrators should also review configuration settings and access privileges for new or modified administrative users. If compromise is suspected, the CSA deployment should be rebuilt with patch 519 or ideally, upgraded to CSA 5.0.
Finally, administrators should run dual-homed CSA configurations with eth0 as the internal network interface, which drastically reduces the risk of exploitation.