Ivanti CSA Customers Targeted in New Zero-Day Attacks
Attackers Chain Three Security Flaws With Patched Admin Bypass Vulnerability
Internet appliance maker Ivanti warned customers Tuesday that attackers are actively exploiting new vulnerabilities in Cloud Services Appliance instances by chaining three security flaws with a zero-day patched in September.
Ivanti in September announced emergency updates for version 4.6 of the Cloud Services Appliance that fixed a high-severity command injection issue, tracked as CVE-2024-8190. The flaw required attackers to have admin access, but cybersecurity researchers discovered they could brute-force their way in (see: Ivanti Vulnerability Again Forces Emergency Patches).
Ivanti gateway appliances earlier this year were at the center of an espionage hacking operation likely conducted by China. The company has since found itself on a treadmill of publishing security fixes as scrutiny by hackers and researchers alike uncovered a stream of vulnerabilities.
The three flaws are tracked as CVE-2024-9379, CVE-2024-9380 and CVE-2024-8963. They enable bad actors to run SQL commands, execute code and bypass security on vulnerable CSA gateways.
Ivanti on Tuesday acknowledged that attackers have targeted a "limited number of customers." It recommended customers upgrade to version 5.0, since version 4.6 is at end of life.
"We have not observed these vulnerabilities being exploited in any version of CSA 5.0," the company said.
CVE-2024-9380 is a high-severity OS command injection bug allowing RCE. CVE-2024-9379 is a medium-severity SQL injection vulnerability that enables an authenticated attacker with admin rights to execute arbitrary SQL commands. CVE-2024-8963 was already incidentally fixed by the Sept. 10 patch.
To identify potential exploitation attempts, administrators should examine security alerts. They can also look for indicators of compromise by checking for newly created or modified admin user accounts.
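One way to operationalise the account check above, as an added example that is not Ivanti's code or from the original article: compare a trusted baseline snapshot of the appliance's admin accounts against a current one and report accounts that were created, elevated or otherwise modified. The record layout (username, role, password hash, last-modified timestamp) is an assumption; the article does not give CSA's real export format.

```python
"""Flag admin accounts created or modified since a trusted baseline.

The Account layout is an assumption for illustration, not Ivanti CSA's
own export format. A changed role, password hash or timestamp on an
existing account is reported as 'modified'; an account absent from the
baseline is 'created'; an admin present only in the baseline is 'removed'.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    username: str
    role: str
    pw_hash: str
    modified: str  # ISO-8601 timestamp string


# Fields whose change on an existing account warrants an alert.
WATCHED = ("role", "pw_hash", "modified")


def diff_admin_accounts(baseline, current):
    """Return created/modified/removed findings limited to accounts that
    hold the admin role in either snapshot."""
    base = {a.username: a for a in baseline}
    cur = {a.username: a for a in current}
    result = {"created": [], "modified": [], "removed": []}
    for name, acct in cur.items():
        if name not in base:
            if acct.role == "admin":
                result["created"].append(name)
            continue
        old = base[name]
        if old.role != "admin" and acct.role != "admin":
            continue  # ordinary user in both snapshots: not in scope
        changed = [f for f in WATCHED if getattr(old, f) != getattr(acct, f)]
        if changed:
            result["modified"].append((name, changed))
    result["removed"] = [n for n, a in base.items()
                         if n not in cur and a.role == "admin"]
    return result


# Constructed sample snapshots (not real appliance data).
BASELINE = [
    Account("admin", "admin", "h1", "2024-09-01T00:00:00Z"),
    Account("ops", "user", "h2", "2024-09-01T00:00:00Z"),
]
CURRENT = [
    Account("admin", "admin", "h9", "2024-10-08T03:12:00Z"),  # password changed
    Account("ops", "admin", "h2", "2024-10-08T03:13:00Z"),  # elevated to admin
    Account("svc_backup", "admin", "h3", "2024-10-08T03:14:00Z"),  # new admin
]

if __name__ == "__main__":
    print(diff_admin_accounts(BASELINE, CURRENT))
```

Run it against snapshots taken before and after the September patch window; any finding on an appliance still on version 4.6 deserves a closer look.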