Ivanti warns of another critical CSA flaw exploited in attacks

Today, Ivanti warned that threat actors are exploiting another Cloud Services Appliance (CSA) security flaw in attacks targeting a limited number of customers.

Tracked as CVE-2024-8963, this admin bypass vulnerability is caused by a path traversal weakness. Successful exploitation allows remote unauthenticated attackers to access restricted functionality on vulnerable CSA systems (used as gateways to provide enterprise users secure access to internal network resources).

Attackers are using exploits that chain CVE-2024-8963 with CVE-2024-8190 — a high-severity CSA command injection bug fixed last and tagged as actively exploited on Friday — to bypass admin authentication and execute arbitrary commands on unpatched appliances.

"The vulnerability was discovered as we were investigating the exploitation that Ivanti disclosed on 13 September," Ivanti said today.

"As we were evaluating the root cause of this vulnerability, we discovered that the issue had been incidentally addressed with some of the functionality removal that had been included in patch 519."

Ivanti advises administrators to review alerts from endpoint detection and response (EDR) or other security software and configuration settings and access privileges for new or modified administrative users to detect exploitation attempts.

They should also ensure dual-homed CSA configurations with eth0 as an internal network to drastically reduce the risk of exploitation.

"If you suspect compromise, Ivanti's recommendation is that you rebuild your CSA with patch 519 (released 09/10/2024). We strongly recommend moving to CSA 5.0, where possible," the company further cautioned on Thursday.

"Ivanti CSA 4.6 is End-of-Life, and no longer receives patches for OS or third-party libraries. Additionally, with the end-of-life status the fix released on 10 September is the last fix Ivanti will backport to that version."

Federal agencies must patch as soon as possible

CISA has also added the CVE-2024-8190 and CVE-2024-8963 Ivanti CSA flaws to its Known Exploited Vulnerabilities catalog.

Federal Civilian Executive Branch (FCEB) agencies must now patch vulnerable appliances within three weeks by October 4 and October 10, respectively, as required by Binding Operational Directive (BOD) 22-01.

The company said last week that it had escalated internal scanning and testing capabilities and is also improving its responsible disclosure process to address potential security issues faster.

In recent months, several Ivanti flaws were exploited as zero-days in widespread attacks targeting the company's VPN appliances and ICS, IPS, and ZTA gateways.

"This has caused a spike in discovery and disclosure, and we agree with CISAs statement that the responsible discovery and disclosure of CVEs is 'a sign of healthy code analysis and testing community,'" Ivanti admitted.

Ivanti says it has over 7,000 partners worldwide, and more than 40,000 companies use its products to manage systems and IT assets.