Ivanti has warned that three new security vulnerabilities affecting its Cloud Service Appliance (CSA) are being actively exploited in the wild.
According to the Utah-based software services provider, the zero-day flaws were weaponized in conjunction with another CSA flaw that the company patched last month.
Successful exploitation of these vulnerabilities could allow an authenticated attacker with administrative privileges to bypass restrictions, execute arbitrary SQL statements, or obtain remote code execution.
“We are aware of a limited number of customers running CSA 4.6 patch 518 and earlier that have been exploited where CVE-2024-9379, CVE-2024-9380, or CVE-2024-9381 is associated with CVE-2024-8963,” the company said.
There is no evidence of exploitation in customer environments running CSA 5.0. A brief description of the three flaws follows:
- CVE-2024-9379 (CVSS Score: 6.5) – SQL injection in the Ivanti CSA Web Admin Console before version 5.0.2 allows a remote authenticated attacker with administrative privileges to execute arbitrary SQL statements.
- CVE-2024-9380 (CVSS Score: 7.2) – Operating system (OS) command injection in the Ivanti CSA Web Admin Console before version 5.0.2 allows a remote authenticated attacker with administrative privileges to obtain remote code execution.
- CVE-2024-9381 (CVSS Score: 7.2) – Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with administrative privileges to bypass restrictions.
The attacks observed by Ivanti chain the above flaws with CVE-2024-8963 (CVSS Score: 9.4), a critical path traversal vulnerability that allows a remote, unauthenticated attacker to gain access to limited functionality.
Ivanti said it discovered the three new vulnerabilities during its investigation into the exploitation of CVE-2024-8963 and CVE-2024-8190 (CVSS Score: 7.2), a now-patched OS command injection bug in CSA that was also abused in the wild.
In addition to updating to the latest version (5.0.2), the company recommends that users check the appliance for changed or newly added administrative users as a sign of compromise, and check for alerts from endpoint detection and response (EDR) tools installed on the appliance.
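The admin-user check recommended above, as an added example (not Ivanti's code): it diffs a known-good baseline of CSA administrative accounts against a current snapshot and reports accounts that were added, removed, or changed. Ivanti does not document the export format of CSA admin accounts, so the record layout (username, role, credential hash, last-modified timestamp) is an assumption; map a real export into that shape.

```python
# Added example, not Ivanti's code. Flags newly added or modified admin
# accounts between a known-good baseline and a current snapshot. The record
# layout below is an assumption, since the real CSA export format is not
# documented on this page.
from dataclasses import dataclass, asdict
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AdminAccount:
    username: str
    role: str
    pw_hash: str    # credential hash from the export; compared, never decoded
    modified: str   # ISO-8601 last-modified timestamp from the export


def index_by_user(accounts: List[AdminAccount]) -> Dict[str, AdminAccount]:
    return {a.username: a for a in accounts}


def find_admin_changes(baseline: List[AdminAccount],
                       current: List[AdminAccount]) -> Dict[str, list]:
    """Return admin accounts added, removed, or changed since the baseline.
    A changed role, credential hash or timestamp on an existing admin is
    reported alongside brand-new admin accounts, since either can indicate
    an attacker establishing persistence."""
    base, cur = index_by_user(baseline), index_by_user(current)
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    changed: List[Tuple[str, Dict[str, tuple]]] = []
    for name in sorted(set(base) & set(cur)):
        old, new = asdict(base[name]), asdict(cur[name])
        diff = {k: (old[k], new[k]) for k in old if old[k] != new[k]}
        if diff:
            changed.append((name, diff))
    return {"added": added, "removed": removed, "changed": changed}


# Constructed sample snapshots, not real CSA data.
BASELINE = [
    AdminAccount("admin", "administrator", "h1", "2024-08-01T09:00:00Z"),
    AdminAccount("ops", "administrator", "h2", "2024-08-01T09:00:00Z"),
]
CURRENT = [
    AdminAccount("admin", "administrator", "h9", "2024-10-03T02:14:00Z"),
    AdminAccount("ops", "administrator", "h2", "2024-08-01T09:00:00Z"),
    AdminAccount("svc_backup", "administrator", "h7", "2024-10-03T02:15:00Z"),
]

if __name__ == "__main__":
    for kind, items in find_admin_changes(BASELINE, CURRENT).items():
        if items:
            print(f"{kind}: {items}")
```

Run it after each patch cycle with a baseline captured from a clean appliance; any output under "added" or "changed" is worth an incident-response look before it is explained away.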
This comes less than a week after the US Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw affecting Ivanti Endpoint Manager (EPM) that was patched in May (CVE-2024-29824, CVSS Score: 9.6) to its Known Exploited Vulnerabilities (KEV) catalog.