
September 25, 2024

Critical vulnerability in Ivanti vTM now exploited


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical vulnerability in Ivanti’s Virtual Traffic Manager (vTM) to its Known Exploited Vulnerabilities (KEV) catalog.

The flaw, designated CVE-2024-7593, is due to an erroneous authentication algorithm that, when exploited, could allow threat actors to remotely bypass authentication requirements on exposed vTM appliances and create rogue administrator accounts. vTM is an application delivery controller (ADC) that provides traffic management and load balancing for critical business services.

Ivanti issued a patch for CVE-2024-7593 in August and stated at that time that it hadn’t observed any exploitation of CVE-2024-7593 in the wild, but it was aware of at least one publicly available Proof-of-Concept (PoC) exploit. However, CISA hasn’t indicated if that specific PoC was responsible for the recent exploitation.

The active exploitation of CVE-2024-7593 has caused CISA to issue an order for all Federal Civilian Executive Branch (FCEB) agencies to patch the flaw before October 15.

Source: The Hacker News

Analysis

It was only a matter of time before CVE-2024-7593 was exploited, given the availability of at least one PoC and threat actors’ propensity to target Ivanti systems. However, since a patch has been available for a month, administrators who applied it promptly have already denied threat actors the opportunity to exploit their systems.

Ivanti has struggled with vulnerabilities in many of its products in 2024, some of them zero days targeted by nation-state actors to deploy various custom malware strains. The company recently implemented a more rigorous code review regime which it credits for the discovery of many recent vulnerabilities, including a critical vulnerability in its Endpoint Management (EPM) software which was discovered and patched in early September.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software like Ivanti’s vTM. Field Effect MDR users were automatically notified if a vulnerable version of vTM was detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly recommends that users of affected vTM appliances update to the latest version as soon as possible, in accordance with the advisory. Field Effect also recommends that systems like vTM are not exposed to the open internet without proper controls, such as IP whitelisting and VPN requirements, unless there is a legitimate business need to do so.

Organizations may verify their security by checking that the vTM audit log output does not show any unauthorized administrator-level user accounts.
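As an added illustration of that audit-log check (example code, not Field Effect’s or Ivanti’s), the script below reads account-management events and reports any admin-level account that is missing from an approved baseline. The line layout, the event names (USER_ADD, USER_MODIFY, USER_DELETE) and the sample lines are constructed for this example; vTM’s real audit format is not described in the advisory and would need to be substituted.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample audit lines. The layout is hypothetical (vTM's real audit
# format is not part of the advisory); only the check itself is the point.
AUDIT_LINES = [
    "2024-09-20T10:02:11Z USER_ADD user=alice group=admin by=root src=10.0.0.5",
    "2024-09-21T03:17:45Z USER_ADD user=svc_backup group=monitoring by=alice src=10.0.0.7",
    "2024-09-22T02:41:09Z USER_ADD user=support1 group=admin by=support1 src=203.0.113.42",
    "2024-09-22T02:41:30Z USER_MODIFY user=support1 group=admin by=support1 src=203.0.113.42",
    "2024-09-23T08:00:00Z USER_ADD user=bob group=admin by=alice src=10.0.0.5",
]

# Approved administrator baseline (constructed); in practice this comes from
# the organisation's change records or identity inventory, not from the logs.
KNOWN_ADMINS = {"root", "alice", "bob"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>USER_ADD|USER_MODIFY|USER_DELETE) "
    r"user=(?P<user>\S+) group=(?P<group>\S+) by=(?P<actor>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one audit line, or None if it is not an account event."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_unauthorized_admins(lines: Iterable[str], known_admins: set) -> Dict[str, List[Dict[str, str]]]:
    """Map each admin-level account absent from the baseline to the events that created or changed it."""
    findings: Dict[str, List[Dict[str, str]]] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] == "USER_DELETE":
            continue
        if ev["group"] != "admin" or ev["user"] in known_admins:
            continue
        # An account that creates or edits itself has no approving actor behind it;
        # that is the rogue-admin outcome the advisory warns about, so flag it explicitly.
        ev["self_provisioned"] = str(ev["actor"] == ev["user"])
        findings.setdefault(ev["user"], []).append(ev)
    return findings


if __name__ == "__main__":
    for user, events in find_unauthorized_admins(AUDIT_LINES, KNOWN_ADMINS).items():
        first = events[0]
        print(f"UNAPPROVED ADMIN {user}: {len(events)} event(s), first seen {first['ts']} "
              f"from {first['src']}, self-provisioned={first['self_provisioned']}")
```

Any hit should be reconciled against change records before the account is removed, since a legitimately provisioned admin that was simply never added to the baseline produces the same finding.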
