Tag Archive for: Ivanti

May 2024 made April’s record breaking CVE mountain into a mole-hill. The previous record for most CVEs published in a month grew by 36.9%. In total, a staggering 5061 vulnerabilities were added in May 2024. Considering the potentially high cost of a data breach, security teams need to stay in the loop with current cybersecurity trends, and the latest vulnerabilities. In this month’s threat tracker post, we will review several high profile enterprise software vendors suffering from newly discovered vulnerabilities in bulk and cover some of the latest known exploited vulnerabilities.

But first, we relay some news about one of our own – Christian Kuersteiner, a member of Greenbone’s vulnerability test development team, whose responsible disclosure means that fewer vulnerabilities exist in the wild for attackers to take advantage of.

Greenbone’s Own Facilitating Responsible Disclosure

In May, Christian Kuersteiner, a software developer on the Greenbone team, disclosed a vulnerability he had discovered in the Telerik Report Server. Telerik Report Server is a proprietary centralized Windows-based platform for managing and distributing reports. Rated as CVSS 5.5, the vulnerability could allow an unauthorized attacker to gain access to sensitive admin configuration data [CWE-200], and has since been published as CVE-2024-4837.

We asked Christian to describe what responsible security researchers do upon finding a bug. Here is what he had to say:

“Greenbone’s goal is to keep our customers safe. So naturally, we try to report vulnerabilities we find directly to the vendor with the details so they can provide fixes to their customers before attackers can take advantage. The people from Progress / Telerik and BugCrowd were very fast in responding, acknowledging, and fixing the vulnerability. The vulnerability was fixed, and a public advisory released within one week after reporting.”
Christian Kuersteiner, Security Researcher and Vulnerability Test Developer at Greenbone

In this instance, Christian’s contribution exemplifies how the bug reporting process, also known as responsible disclosure, is meant to work. A vendor’s internal disclosure process is triggered when a security researcher informs them of a bug. Since honorable software engineers are not the only people who may discover a bug, it could become a doorway for bad actors to gain a foothold on a network to steal data or deploy ransomware. In many cases, the damage extends to the general public, as in the recent Change Healthcare breach.

Vendors are advised to follow best practices by posting a security.txt file [RFC-9116] at the root of their company domain, including a SECURITY.md file in public GitHub repositories, and enabling an email address such as security@example.com [RFC-2142] for receiving security related information.
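As an added example (not Greenbone’s code), a small checker for the RFC 9116 security.txt file recommended above. It applies the rules vendors most often get wrong: at least one Contact given as a URI, exactly one Expires that is neither past nor more than a year out, and Preferred-Languages at most once. The two files and the reference time are constructed samples; the contact address is the RFC 2142 style placeholder.

```python
"""Minimal RFC 9116 security.txt checker (added example, not Greenbone's code).

RFC 9116 places the file at /.well-known/security.txt (with /security.txt
as a legacy location). This checker only validates the content.
"""
from datetime import datetime, timedelta, timezone

# Constructed reference time so results are deterministic.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample that satisfies the checks.
GOOD_SECURITY_TXT = """\
# Constructed sample security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security
Expires: 2024-12-31T23:59:00.000Z
Preferred-Languages: en, de
"""

# Constructed sample with three defects: bare e-mail address instead of a
# mailto: URI, an Expires in the past, and a duplicated Preferred-Languages.
BAD_SECURITY_TXT = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
Preferred-Languages: en
Preferred-Languages: de
"""


def parse_security_txt(text):
    """Return {lowercase field name: [values]}, skipping comments and blank lines."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: not a 'Field: value' line")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_expires(value):
    """Parse an RFC 3339 date-time; a missing time zone is rejected."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("missing time zone")
    return parsed


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems = []
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for contact in contacts:
        if not contact.lower().startswith(("https://", "mailto:", "tel:")):
            problems.append(f"Contact is not a URI: {contact}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = _parse_expires(expires[0])
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 date-time: {expires[0]}")
        else:
            if exp <= now:
                problems.append("Expires is in the past; the file is stale")
            elif exp > now + timedelta(days=365):
                problems.append("Expires is more than a year out; RFC 9116 recommends less")

    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must appear at most once")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, check_security_txt(sample, now=SAMPLE_NOW) or "OK")
```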

Our story ends here on a positive note. Telerik has quickly released a security update that fixes the vulnerability. Users should update their instance of Report Server to version 2024 Q2 (10.1.24.514) or later to protect against CVE-2024-4837. Finally, CVE-2024-4837 can be detected by Greenbone with both an active check and a version detection test.

Cisco Reports 21 New Vulnerabilities – 10 High Severity; 2 Actively Exploited

May was a rough month for Cisco products with respect to vulnerabilities. A total of 21 new vulnerabilities were disclosed across a variety of Cisco products. Of these, ten were high severity. This follows on intel from late April, when 2 vulnerabilities in Cisco products were added to CISA’s known exploited vulnerabilities (KEV) catalog. Cisco Talos reported that these recent vulnerabilities are part of a nation-state cyber espionage campaign dubbed “ArcaneDoor” targeting perimeter network devices that began in January 2024.

  • CVE-2024-20353 (CVSS 8.6 High): A denial of service (DoS) vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software, caused by incomplete error checking when parsing an HTTP header, may allow an attacker to remotely exploit a vulnerable system. CVE-2024-20353 is known to be actively exploited.
  • CVE-2024-20359 (CVSS 6.0 High): A vulnerability in Cisco ASA and Cisco FTD Software allows an authenticated, local attacker to execute arbitrary code with root-level privileges after uploading a malicious file from flash memory and reloading the system to alter its configuration. CVE-2024-20359 is known to be actively exploited.
  • CVE-2024-20356 (CVSS 8.7 High): A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) allows an attacker with admin access to the web-based management interface to perform command injection attacks with system-level privileges on the affected device. This potentially allows an attacker to perform actions outside the intended scope of the management interface to install malware or a rootkit. Furthermore, while CVE-2024-20356 has not been added to CISA’s KEV catalog yet, proof-of-concept (PoC) exploit code is publicly available.

Greenbone is able to identify impacted versions of Cisco’s ASA [1][2], Cisco FTD Software [3][4] and Cisco IMC [5] as well as other recently disclosed vulnerabilities in Cisco products.

GitLab Community and Enterprise Actively Exploited

First publicly disclosed in January 2024, a weakness in GitLab Community and Enterprise editions tracked as CVE-2023-7028 (CVSS 10 Critical) was tagged as actively exploited by CISA on May 1st, 2024. Remediating known actively exploited critical vulnerabilities should be top priority for enterprise IT security teams. In total, 13 new vulnerabilities affecting GitLab were disclosed in May 2024.

CVE-2023-7028 results from a failure to properly implement access controls [CWE-284] and allows an attacker to trigger password reset emails to be sent to an arbitrary email address. Exploitation allows an attacker to access administrator accounts on GitLab’s Community Edition (CE) and Enterprise Edition (EE), a web-based DevOps lifecycle tool and Git repository manager.

CVE-2023-7028 is present in all major versions of GitLab from 16.1 through 16.7 that do not have the most recent patches installed. At least one publicly available PoC exploit and a detailed technical description mean this vulnerability should be categorized as trivial to exploit going forward.

CVE-2024-4835 also stood out from the pile of May vulnerabilities in GitLab. With a CVSS of 8.0, CVE-2024-4835 is a cross-site scripting (XSS) vulnerability in the VS web-based code editor affecting GitLab in all versions from 15.11 through 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging CVE-2024-4835, an attacker can craft a malicious page to exfiltrate sensitive user information.

35 New Adobe CVEs Stand Out Against The May Landscape

In May, Adobe disclosed a total of 45 vulnerabilities across various products. Out of these, a stunning 32 were classified as high severity with a CVSS score of 7.8 or above. All the high severity vulnerabilities are exploited by tricking a victim into opening a malicious file and may result in arbitrary code execution on behalf of an attacker.

These vulnerabilities are prime candidates for use in social engineering attacks such as malspam, phishing, spear phishing, and drive-by-download campaigns by major cybercrime groups, especially initial access brokers (IAB), to gain unauthorized initial access to victims’ computers and internal networks. Users are urged to update their software to the latest versions to mitigate the risks and, more generally, to be very cautious of any software not procured from the original vendor and of opening any documents from untrusted sources.

Here is a summary of affected products:

  • Adobe Acrobat Reader: Acrobat Reader received a total of 11 new vulnerabilities. Of these, 9 were classified as high severity, each carrying a CVSS of 7.8. These vulnerabilities affect Adobe Acrobat Reader versions 20.005.30574, 24.002.20736, and earlier.
  • Adobe Framemaker: Adobe Framemaker received 8 new vulnerabilities, 5 of which are high severity. The affected versions include Adobe Framemaker 2020.5, 2022.3, and earlier.
  • Adobe Animate: Animate saw 7 vulnerabilities disclosed in May, with 5 classified as high severity. The vulnerabilities affect Animate versions 24.0.2, 23.0.5, and earlier.

A Typhoon Of Critical CVEs Hit ArubaOS

In May, HPE Aruba Networking disclosed a total of 28 vulnerabilities for its ArubaOS operating system. A staggering 16 of these were assessed as CVSS 9.8 high severity or above. ArubaOS has had only one previously disclosed CVE so far in 2024, released in March, making this month’s disclosure an anomaly. ArubaOS is considered a leader in WLAN management and in security appliances, including intrusion detection and prevention systems. As an indication of ArubaOS’s market share, Aruba Networking, a Hewlett-Packard subsidiary, posted revenue of $7.2B USD in Q2-2024.

The affected products include various services and protocols accessed via the PAPI protocol. Among the most affected components of ArubaOS, the command line interface (CLI) service and Central Communications service stood out, both with multiple high-severity vulnerabilities that could potentially offer attackers arbitrary code execution. Users are advised to apply the latest updates and follow the vendor’s resolution guide to mitigate affected products.

Greenbone includes vulnerability tests to identify vulnerable ArubaOS instances, allowing IT security teams to identify, prioritize, and remediate these vulnerabilities by installing the security updates.

Apache ActiveMQ 6.x Deemed Insecure By Design

In late 2023, we covered an actively exploited CVSS 9.8 Critical vulnerability in Apache ActiveMQ. ActiveMQ is a message broker service that allows processes in a distributed architecture to share information in a queued list.

In May 2024, ActiveMQ came under fire again. This time its default configuration was assigned CVE-2024-32114 (CVSS 8.5 High), an unauthenticated exposure in the ActiveMQ management API’s Jolokia JMX REST API and Message REST API. The vulnerability allows attackers to freely interact with the broker to produce or consume messages (via the Jolokia JMX REST API) or purge or delete destinations (via the Message REST API).

Greenbone can detect CVE-2024-32114 by identifying vulnerable versions of ActiveMQ. To mitigate, users are recommended to add a security constraint to the default conf/jetty.xml configuration file to require authentication or upgrade to Apache ActiveMQ 6.1.2 where the default configuration has been updated with authentication by default.
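As an added example (not ActiveMQ’s or Greenbone’s code), a checker that audits a conf/jetty.xml for the kind of authentication constraint the mitigation above describes. The two Spring bean fragments are constructed, simplified samples: the weak one declares no constraint, the hardened one follows the shape of a Jetty Constraint bean with authenticate="true" plus a ConstraintMapping for pathSpec "/". The checker only resolves mapping beans to their constraints; wiring of the security handler itself is assumed and not inspected.

```python
"""Audit an ActiveMQ conf/jetty.xml for an authentication constraint covering
the API paths CVE-2024-32114 exposes (added example, not ActiveMQ's code)."""
import xml.etree.ElementTree as ET

NS = "{http://www.springframework.org/schema/beans}"
CONSTRAINT_CLASS = "org.eclipse.jetty.util.security.Constraint"
MAPPING_CLASS = "org.eclipse.jetty.security.ConstraintMapping"

# Endpoints that are reachable without authentication when no constraint applies.
EXPOSED_PATHS = ("/api/jolokia/", "/api/message/")

# Constructed sample: a security handler with an empty mapping list.
WEAK_JETTY_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
    <property name="constraintMappings"><list/></property>
  </bean>
</beans>"""

# Constructed sample: a BASIC-auth constraint mapped onto every path.
HARDENED_JETTY_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC"/>
    <property name="roles" value="user,admin"/>
    <property name="authenticate" value="true"/>
  </bean>
  <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint"/>
    <property name="pathSpec" value="/"/>
  </bean>
</beans>"""


def _props(bean):
    """Map each <property> of a Spring bean to its value or ref attribute."""
    out = {}
    for prop in bean.findall(NS + "property"):
        value = prop.get("value")
        out[prop.get("name")] = value if value is not None else prop.get("ref")
    return out


def authenticated_path_specs(jetty_xml):
    """Return the pathSpecs of every ConstraintMapping whose Constraint requires authentication."""
    root = ET.fromstring(jetty_xml)
    beans = {b.get("id"): b for b in root.iter(NS + "bean") if b.get("id")}
    specs = []
    for bean in beans.values():
        if bean.get("class") != MAPPING_CLASS:
            continue
        props = _props(bean)
        constraint = beans.get(props.get("constraint"))
        if constraint is None or constraint.get("class") != CONSTRAINT_CLASS:
            continue
        if _props(constraint).get("authenticate", "false").lower() != "true":
            continue
        # pathSpec may hold a comma-separated list such as "/api/*,/admin/*,*.jsp".
        specs.extend(s.strip() for s in (props.get("pathSpec") or "").split(",") if s.strip())
    return specs


def path_matches(spec, path):
    """Servlet pathSpec matching: '/' (default), prefix '/x/*', suffix '*.ext', or exact."""
    if spec == "/":
        return True
    if spec.endswith("/*"):
        prefix = spec[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if spec.startswith("*."):
        return path.endswith(spec[1:])
    return path == spec


def unauthenticated_exposed_paths(jetty_xml):
    """Return the exposed API paths that no authenticating constraint covers."""
    specs = authenticated_path_specs(jetty_xml)
    return [p for p in EXPOSED_PATHS if not any(path_matches(s, p) for s in specs)]


if __name__ == "__main__":
    print("weak:", unauthenticated_exposed_paths(WEAK_JETTY_XML))
    print("hardened:", unauthenticated_exposed_paths(HARDENED_JETTY_XML))
```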

According to CISA’s Security By Design principles and the EU’s tough new Cyber Resilience Act, products must be delivered with a secure default configuration as vendors, even open-source software vendors, are asked to take more responsibility for security outcomes imposed by their products.

Ivanti Fixes Multiple Vulnerabilities in Avalanche MDM System

Ivanti has previously been featured in Greenbone’s security advisories. Just last month, our April 2024 Threat Tracking reviewed how The MITRE Corporation suffered a breach via two previously disclosed Ivanti vulnerabilities in Ivanti Connect Secure VPN. Ivanti is now the subject of another critical vulnerability in its Avalanche Mobile Device Management (MDM) system.

Avalanche is designed to help organizations secure and manage their mobile devices, including smartphones, tablets, and other mobile endpoints. Tracked as CVE-2024-29204 with a CVSS of 9.8 Critical, the vulnerability is a heap overflow [CWE-122] in Avalanche’s WLAvalancheService component that could allow an unauthenticated remote attacker to execute arbitrary commands. All versions of Ivanti Avalanche before 6.4.3 are affected, and Greenbone’s Enterprise feed includes a version detection test to identify vulnerable instances.

Summary

May 2024 saw a significant rise in disclosed vulnerabilities, surpassing April’s record by 36.9% with a total of 5061 CVEs. In this month’s summary report, we have highlighted how one of Greenbone’s own developers participated in the responsible disclosure process to ensure vulnerabilities are identified and patched.

This month, high severity vulnerabilities were reported across many enterprise software and hardware products including various Cisco products, GitLab, Adobe’s suite of creative design products, HP’s ArubaOS, Apache ActiveMQ, and Ivanti’s Avalanche MDM system. Organizations must stay vigilant by staying current with vulnerability intelligence and making their best efforts to identify, prioritize, and patch exploitable weaknesses in their IT infrastructure.

From a bird’s eye view, the cumulative cost of cyber-crime is estimated to reach 9.2 Trillion USD globally in 2024. According to the 2023 IBM X-Force Cost of a Data Breach Report, a single breach imposes an average of 4.45M USD of financial damage on a victim and while US firms incur more than double the global average, German organizations fared on par with the global average.

The most staggering costs are incurred by post-breach remediation activities such as incident response, digital forensics, system recovery, and mandatory disclosure reporting, while regulatory fines can also significantly add to cyber breach costs. Change Healthcare has forecasted an expected loss of 1.6B USD this year due to a breach that occurred in March 2024 and as discussed below, regulatory fines may be pending.

These potential damages highlight the importance of proactive security measures, both for preventing successful cyber attacks and for mitigating the financial impact should one occur. The Ponemon Institute found that missing security patches accounted for 57% of cyber attacks. Getting breached less often is an obvious benefit of implementing preventative cybersecurity measures, but according to IBM, organizations with proactive risk-based vulnerability management (RBVM) also experience lower than average expenses post-breach (3.98M USD) compared to organizations without such measures (4.45M USD), those suffering from a skills shortage (5.36M USD), or those deemed non-compliant with cybersecurity regulations (5.05M USD).

Cost Of The Change Healthcare Post Ransomware Attack

In March 2024, Change Healthcare suffered a ransomware attack that has so far burdened the company with roughly 872M USD in damages, and delayed 6B USD in health insurance payments. Change Healthcare forecasts an annual expected loss of 1.6B USD due to the incident. Established in 2007, Change Healthcare is a leading healthcare technology company selling revenue cycle management, payment accuracy, and clinical data exchange services globally. A 2022 acquisition saw the company valued at 8B USD.

HIPAA Compliance Investigation Into Change Healthcare

On top of that steep damage, the US HHS Office for Civil Rights, the entity responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA), has opened an investigation into the attack seeking to determine whether Change Healthcare violated its compliance requirements. The HIPAA Security Rules require covered entities to implement “recognized security practices” to protect ePHI against reasonably anticipated security threats.

Continuous vulnerability management activities are a fundamental component of all modern cybersecurity frameworks. If it can be called a bright side, the most severe penalties for HIPAA non-compliance are capped at a mere 2M USD; short change in comparison to the overall cost of response and recovery for this particular incident.

The Greenbone Vulnerability Management platform is capable of implementing customized compliance tests to meet any framework including CIS, DISA STIG, HIPAA, and more, and Greenbone is certified for its information security management system (ISMS, ISO 27001), quality management (ISO 9000) and, most recently, environmental management (ISO 14001).

April 2024 has compounded another record breaking month for CVE disclosure on top of the last. In this month’s threat tracking report we will investigate several new actively exploited vulnerabilities and quickly review the cyber breach of US R&D giant MITRE. The report will also uncover how end-of-life (EOL) products can have a detrimental impact on an organization’s cybersecurity posture and how to manage the associated risks.

MITRE Exploited Via Ivanti Secure Connect Vulnerabilities

The MITRE Corporation is a not-for-profit organization established in 1958 that operates multiple federally funded research and development centers (FFRDCs) to support US national defense, cybersecurity, healthcare, aviation, and more. MITRE also maintains several core cybersecurity frameworks such as MITRE ATT&CK and D3FEND, and vulnerability resources including the Common Vulnerabilities and Exposures (CVE) database, the Common Weakness Enumeration (CWE), and the Common Attack Pattern Enumeration and Classification (CAPEC).

A recent cyber breach of MITRE shows that even the most cyber savvy organizations are not immune to targeted attacks from Advanced Persistent Threats (APTs). Initial access to one of MITRE’s research networks was gained via two Ivanti Connect Secure VPN service vulnerabilities: CVE-2023-46805 (CVSS 8.2) and CVE-2024-21887 (CVSS 9.1). We previously published a full description of these vulnerabilities, which can both be detected by Greenbone’s vulnerability tests. After initial access, attackers were able to pivot to adjacent VMware infrastructure [TA0109] using stolen session tokens [T1563] to bypass multi-factor authentication and access admin accounts.

If it can happen to MITRE it can happen to any organization, but patching known actively exploited vulnerabilities is a critical cybersecurity activity that all organizations need to place strong emphasis on.

Operation MidnightEclipse: Exploited PaloAlto Zero Day

On April 10, 2024, exploitation of a previously unknown zero-day vulnerability in the GlobalProtect feature of PaloAlto PAN-OS was detected and reported by researchers at cybersecurity firm Volexity. The vulnerability, now tracked as CVE-2024-3400 (CVSS 10), allows unauthenticated remote code execution (RCE) with root privileges, and has been added to the CISA KEV (Known Exploited Vulnerabilities) catalog. The Greenbone enterprise vulnerability feed includes tests to detect CVE-2024-3400, allowing organizations to identify affected assets and plan remediation.

PaloAlto’s Unit42 is tracking subsequent attacks under the name Operation MidnightEclipse and, along with the Shadowserver Foundation and GreyNoise, has observed simple probes and full exploitation followed by data exfiltration and installation of remote command and control (C2) tools. Also, several proof of concept (PoC) exploits have been publicly disclosed [1][2] by third parties, extending the threat by enabling attacks from low-skilled cyber criminals.

CVE-2024-3400 affects PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal. Hotfix patches PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3 are currently available to remediate affected devices without requiring a restart. A comprehensive guide for remediation is available in the Palo Alto Knowledge Base.

D-Link End-Of-Life Products Exploited Via Hardcoded Credentials

Two critical vulnerabilities have been discovered in NAS devices manufactured by D-Link, labeled as CVE-2024-3272 (CVSS 9.8) and CVE-2024-3273 (CVSS 9.8). The impacted devices include DNS-320L, DNS-325, DNS-327L, and DNS-340L, all of which have reached the end of their support lifecycle. According to D-Link, patches will not be provided. Both CVEs are being actively exploited, and a proof of concept (PoC) exploit for CVE-2024-3273 is available online. Globally this affects an estimated 92,000 devices.

Vulnerable devices all contain a default administration account that does not require a password. Attackers can execute commands remotely by sending a specially crafted HTTP GET request to the /cgi-bin/nas_sharing.cgi URI on the NAS web-interface. Combined, the two vulnerabilities pose a severe risk, as they allow root remote code execution (RCE) without authentication on the target device [T1584]. This gives attackers access to potentially sensitive data [TA0010] stored on the compromised NAS device itself, but also a foothold on the victim’s network to attempt lateral penetration [TA0008] to other systems on the network, or launch attacks globally as part of a botnet [T1584.005].

Securing End-Of-Life (EOL) Digital Products

End-of-life (EOL) digital products demand special security considerations due to discontinued vendor support. Here are some defensive tactics for protecting EOL digital products:

  1. Risk Assessment: Conduct regular risk assessments to identify the potential impact of legacy devices on your organization, especially considering that newly disclosed vulnerabilities may not have vendor provided remediation issued.
  2. Vulnerability and Patch Management: Although EOL products may be officially unsupported by their vendors, in some emergency cases, patches are still issued. Vulnerability scanning and patch management help identify new vulnerabilities and allow defenders to seek guidance from the vendor on remediation options.
  3. Isolation and Segmentation: If possible, isolate EOL products from the rest of the network to limit their exposure to potential threats. Segmenting these devices can help contain security breaches and prevent them from affecting other systems.
  4. Harden Configuration and Policies: In some cases, additional policies or security measures such as removing Internet access altogether are appropriate to further mitigate risk.
  5. Update to Supported Products: Update IT infrastructure to replace EOL products with supported alternatives. Transitioning to newer technologies can enhance security posture and reduce the reliance on outdated systems.
  6. Monitoring and Detection: Implement additional monitoring and detection mechanisms to detect any suspicious activity, exploitation attempts, or attempts at unauthorized access to EOL products. Continuous monitoring can help identify malicious activity promptly and allow appropriate responses.

CVE-2024-4040 CrushFTP VFS Sandbox Escape Vulnerability

CISA has issued an order for all federal US government agencies to patch systems using the CrushFTP service due to active exploitation by politically motivated hackers. Tracked as CVE-2024-4040 (CVSS 9.8), the vulnerability allows an unauthenticated attacker to access sensitive data outside of CrushFTP’s Virtual File System (VFS) and achieve full system compromise. The vulnerability stems from a failure to correctly authorize commands issued via the CrushFTP API [CWE-1336].

CrushFTP is a proprietary file transfer software designed for secure file transfer and file sharing. It supports a wide range of protocols, including FTP, SFTP, FTPS, HTTP, HTTPS, WebDAV, and more. The vulnerability lies in CrushFTP’s Java web-interface API for administering and monitoring the CrushFTP server.

CrushFTP said there is no way to identify a compromised instance from inspecting the application logs. It turned out that CVE-2024-4040 is trivial to exploit and publicly available exploits exist, greatly increasing the risk. Greenbone’s Enterprise feed includes a vulnerability test to identify the HTTP header sent by vulnerable versions of CrushFTP.

There are an estimated 6,000 publicly exposed instances of CrushFTP in the US alone and over 7,000 public instances globally. CVE-2024-4040 impacts all versions of the application before 10.7.1 and 11.1.0 on all platforms, and customers should upgrade to a patched version with urgency.

Summary

April 2024 was a record breaking month for CVE disclosure and new cybersecurity challenges, including several high-profile incidents. Ivanti’s Secure Connect VPN was used to gain unauthorized access to MITRE’s development infrastructure leading to internal network attacks.

Various politically motivated threat actors were observed exploiting a zero-day vulnerability in Palo Alto’s PAN-OS now tracked as CVE-2024-3400, and two new critical vulnerabilities in EOL D-Link NAS devices highlight the need for extra security when legacy products must remain in active service. Also, a critical vulnerability in the CrushFTP server was found and quickly added to CISA KEV forcing US government agencies to patch with urgency.

A series of flaws in Ivanti’s Connect Secure VPN is being actively exploited by attackers. Both the German BSI and the US government’s Cybersecurity and Infrastructure Security Agency (CISA) have spread a warning. CISA has even issued an Emergency Directive ordering all Federal Civilian Executive Branch (FCEB) agencies to apply patches immediately.

Thousands of publicly accessible Ivanti systems worldwide are at risk, many of which are located in Germany, and the flaws are being actively exploited. Because Ivanti’s devices have been included in Greenbone’s vulnerability tests in the Enterprise Feed for several years, we were able to warn our customers as early as January 10 and have been continuously building tests for the most recent vulnerabilities. Nevertheless, Ivanti customers need to be alert and take action – the patches from Ivanti need a factory reset on the devices.

Remote Code Execution and Authentication Bypass

In December, the American security firm Volexity found two serious security vulnerabilities (CVE-2023-46805 and CVE-2024-21887, both published on January 12, 2024) in devices with Ivanti Connect Secure VPN. Products affected included Ivanti Connect Secure (formerly Ivanti Pulse Secure), Ivanti Policy Secure and Ivanti Neurons for Zero Trust Access (ZTA).

According to Ivanti’s official statement, the vulnerabilities allowed remote attackers to bypass authentication mechanisms, execute their own code without authorization and take control of systems. The manufacturer urgently advises its customers to implement the workarounds and continues to update communication in an article in the forum.

Patches were shipped at the end of January and also included fixes for three other severe vulnerabilities (CVE-2024-21893, CVE-2024-21888 and CVE-2024-22024) that Ivanti had to warn about in late January and early February. These three high-risk security issues include server-side request forgery, privilege escalation and an XML external entity (XXE) vulnerability.

According to the vendor, security patches for all flaws have been delivered on February 1. Users that applied the February patch and who have made a factory reset should not require another one now.

Greenbone customers have been warned, but administrators need to take action

Due to the widespread use of Ivanti devices in Germany, Greenbone has been including tests for Ivanti Connect Secure for several years. While other available tests only check the version numbers of the software used, Greenbone’s vulnerability checks use extended functions and thus achieve a significantly higher level of accuracy in reporting.

However, even though our products warn Greenbone customers faster and more accurately about potential vulnerabilities in Ivanti devices, users still need to take action to apply all the measures recommended by the manufacturer. For example, it is quite possible that attackers have already exploited the vulnerability before it was published. Therefore, all customers must use the Integrity Checker provided by Ivanti to ensure the integrity of their installation.

The five security vulnerabilities in Ivanti VPN Gateway appliances according to NIST:

  • CVE-2023-46805 (CVSS 8.2 High): The authentication bypass vulnerability [CWE-287] in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows an attacker to access restricted resources by bypassing control checks.
  • CVE-2024-21887 (CVSS 9.1 High): The command injection vulnerability [CWE-77] in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows administrators to send specially crafted requests and execute arbitrary commands on the appliance.
  • CVE-2024-21893 (CVSS 8.2 High): A server-side request forgery vulnerability [CWE-918] in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
  • CVE-2024-21888 (CVSS 8.8 High): A privilege escalation vulnerability [CWE-265] in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to administrator level.
  • CVE-2024-22024 (CVSS 8.3 High): An XML external entity or XXE vulnerability [CWE-643] in the SAML components of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways allows an attacker to access certain restricted resources without authentication.

Immediate Actions

The patches were initially released on January 22. Until users can download and install the official patches from Ivanti, they should follow these steps: