Ivanti is reporting that a recently patched high-severity vulnerability in its Cloud Service Appliance (CSA) is now being actively exploited by threat actors, impacting a limited number of users. The vulnerability in question, CVE-2024-8190, is an operating system command injection vulnerability that could allow a threat actor with administrative privileges to achieve remote code execution (RCE).
Currently, the flaw only impacts CSA version 4.6, which has reached end-of-life status. Ivanti has advised that while patch 519 addresses the issue, it will be the last patch for version 4.6, so users should upgrade to CSA version 5.0 going forward.
Ivanti didn’t provide any further details on which groups were exploiting CVE-2024-8190 or whether proof-of-concept exploit code was publicly available.
The active exploitation of CVE-2024-8190 has caused the Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, a move that orders federal agencies to apply the fixes by October 4, 2024.
Source: The Hacker News
Analysis
Ivanti has struggled with vulnerabilities in many of its products in 2024, some of them zero-days targeted by nation-state actors to deploy various custom malware strains. The company recently implemented a more rigorous code review regime, which it credits for the discovery of many recent vulnerabilities, including a critical vulnerability in its Endpoint Management (EPM) software that was discovered and patched in early September.
It's likely that more vulnerabilities in Ivanti products will surface over the next few months because of its new review process. While this may create a short-term perception that Ivanti products are insecure, the process will actually increase the security of Ivanti products by proactively finding and patching vulnerabilities before threat actors get the chance to exploit them.
As a result, this method would likely be effective against less experienced computer users who are unaware of the other ways to switch between windows and applications other than by clicking on the ‘X’ or pressing the Escape key.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software like Ivanti CSA. Field Effect MDR users are automatically notified if a vulnerable or end-of-life version of CSA is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly recommends that users of affected CSA versions update to the latest version as soon as possible, in accordance with the advisory.