Ivanti has patched three additional Cloud Service Appliance (CSA) zero-day flaws, which have been exploited by attackers in conjuction with a zero-day bug the company accidentally fixed in September.
The fixed zero-days
“We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379, CVE-2024-9380 or CVE-2024-9381 are chained with CVE-2024-8963,” the company announced on Tuesday.
CVE-2024-8963 is a path traversal vulnerability that allows a remote unauthenticated attacker to access restricted functionality, and has been exploited along with CVE-2024-8190, an authenticated OS command injection vulnerability.
Both were patched by Ivanti in late September before the company warned about them having been exploited together by attackers to bypass admin authentication and execute arbitrary commands on vulnerable Cloud Service Appliances.
Now, it seems three more have been added to the mix:
- CVE-2024-9379 – an SQL injection flaw that can be triggered by a remote authenticated attacker with admin privileges
- CVE-2024-9380 – an OS command injection vulnerability that allows a remote authenticated attacker with admin privileges to achieve remote code execution
- CVE-2024-9381 – a path traversal vulnerability that allows a remote authenticated attacker with admin privileges to bypass restrictions
The “limited exploitation” of these vulnerabilities Ivanti says it observed was limited to CSA 4.6 patch 518 and below – CVE-2024-9379, CVE-2024-9380 and CVE-2024-9381 have been discovered while the company investigated the initial attacks.
They all affect CSA versions before version 5.0.2, i.e., Ivanti CSA v5.0.1 and prior, as well as the end-of-life Ivanti CSA v4.6. But, Ivanti says, they’ve only seen them exploited in CSA v4.6.
What to do?
“Please note, CSA 4.6 is end-of-life and the last security fix for this version was released on September 10,” the company noted, and advised customers to upgrade to CSA v5.0.2.
They’ve also advised customers to look for indicators of compromise: modified or newly added administrative CSA users.
“While inconsistent, some attempts may show up in the broker logs which are local to the system. We also recommend reviewing EDR alerts, if you have installed EDR or other security tools on your CSA,” they added. “If you suspect compromise, Ivanti’s recommendation is that you rebuild your CSA with version 5.0.2.”
Other security updates
Zero-day vulnerabilities in Ivanti solutions have been exploited by attackers in the past year or so to breach a variety of targets – including MITRE and Norwegian ministries – for cyberespionage and cryptomining purposes.
In this latest round of security updates, the company has plugged security holes in several other solutions, namely: Endpoint Manager Mobile, Velocity License Server, Avalanche, and Connect Secure and Policy Secure. None of those vulnerabilities are known to be under active exploitation.