Ivanti warns high severity CSA flaw is now exploited in attacks

Ivanti confirmed on Friday that a high-severity vulnerability in its Cloud Services Appliance (CSA) solution is now actively exploited in attacks.

"At the time of disclosure on September 10, we were not aware of any customers being exploited by this vulnerability. At the time of the September 13 update, exploitation of a limited number of customers has been confirmed following public disclosure," Ivanti said in an update added to its August advisory.

"Dual-homed CSA configurations with ETH-0 as an internal network, as recommended by Ivanti, are at a significantly reduced risk of exploitation."

Ivanti advises admins to review the configuration settings and access privileges for any new or modified administrative users to detect exploitation attempts. Although not always consistent, some may be logged in the broker logs on the local system. It's also advised to review any alerts from EDR or other security software.

The security flaw (CVE-2024-8190) allows remote authenticated attackers with administrative privileges to gain remote code execution on vulnerable appliances running Ivanti CSA 4.6 through command injection.

Ivanti advises customers to upgrade from CSA 4.6.x (which has reached End-of-Life status) to CSA 5.0 (which is still under support).

"CSA 4.6 Patch 518 customers may also update to Patch 519. But as this product has entered End-of-Life, the preferred path is to upgrade to CSA 5.0. Customers already on CSA 5.0 do not need to take any further action," the company added.

Ivanti CSA is a security product that acts as a gateway to provide external users with secure access to internal enterprise resources.

Federal agencies ordered to patch by October 4

On Friday, CISA also added the CVE-2024-8190 Ivanti CSA vulnerability to its Known Exploited Vulnerabilities catalog. As mandated by Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must secure vulnerable appliances within three weeks by October 4.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned.

Earlier this week, on Tuesday, Ivanti fixed a maximum severity flaw in its Endpoint Management software (EPM) that lets unauthenticated attackers gain remote code execution on the core server.

On the same day, it also patched almost two dozen other high and critical severity flaws in Ivanti EPM, Workspace Control (IWC), and Cloud Service Appliance (CSA).

Ivanti says it had escalated internal scanning and testing capabilities in recent months while also working on improving its responsible disclosure process to address potential security issues faster.

"This has caused a spike in discovery and disclosure, and we agree with CISAs statement that the responsible discovery and disclosure of CVEs is 'a sign of healthy code analysis and testing community,'" Ivanti said.

Ivanti has over 7,000 partners worldwide, and its products are used by over 40,000 companies to manage their systems and IT assets.