Reference: Advisory #2024-225
Version: 1.0
Affected software: Ivanti CSA 4.6 (Cloud Services Appliance)
Type: Path Traversal vulnerability
CVE/CVSS: CVE-2024-8963: CVSS 9.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
Ivanti has disclosed a critical vulnerability in its Cloud Services Appliance (CSA) before version 4.6 Patch 519, which could allow a remote, unauthenticated attacker to access restricted functionalities. The CSA is used to manage endpoints and is therefore a crucial part of the network security for many organizations. When paired with CVE-2024-8190, an attacker can bypass administrator authentication and execute arbitrary commands on the appliance.
Organizations still using CSA before version 4.6 Patch 519 are at significant risk of exploitation, especially as this vulnerability is actively being abused. The confidentiality and integrity of your systems could be severely compromised, potentially leading to unauthorized access, data theft, and operational disruption. Immediate action is necessary to update or upgrade your CSA software. Failing to do so puts your network and IT infrastructure at risk.
CVE-2024-8963: Path Traversal in Ivanti CSA 4.6 (Critical)
This vulnerability affects all versions of Ivanti CSA 4.6 before Patch 519. By exploiting it, a remote attacker can manipulate file paths, tricking the system into granting access to files that should be inaccessible. Since this attack requires no prior authentication or special privileges, it is easy to exploit.
Ivanti recently released a patch for another vulnerability (CVE-2024-8190), which could lead to remote code execution if an attacker gained admin privileges. When that vulnerability is combined with this path traversal vulnerability, an attacker no longer needs admin privileges to perform remote code execution.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable instances with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
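One way to review historic web access logs for path traversal attempts, including percent-encoded and double-encoded forms, is sketched below. This is an added example, not code from the CCB or Ivanti; the log format, sample lines and function names are assumptions, and it is a generic traversal check rather than a set of indicators for CVE-2024-8963.

```python
import re
from urllib.parse import unquote

# Request part of a combined-format access log line (format is an assumption).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines using documentation IP ranges; not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /static/%2e%2e/%2e%2e/private/settings HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /static/%252e%252e%252fprivate/settings HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /docs/release..notes.txt HTTP/1.1" 200 100',
    '203.0.113.5 - - [01/Jan/2024:10:02:00 +0000] "POST /static/..%5c..%5cprivate HTTP/1.1" 403 0',
]

def fully_decode(target, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def has_traversal(target):
    """True if any path or query segment of the decoded target is exactly '..'."""
    segments = re.split(r"[/\\?&=;]", fully_decode(target))
    return ".." in segments

def scan(lines):
    """Return (line number, client, raw target, status) for each suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and has_traversal(m["target"]):
            hits.append((n, line.split()[0], m["target"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for n, client, target, status in scan(SAMPLE_LOG):
        note = "served, review first" if status == 200 else "rejected"
        print(f"line {n}: {client} {status} ({note}) {target}")
```

A traversal request that received a 200 response deserves the closest look, since it suggests the server resolved the manipulated path rather than rejecting it.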
CCB advisory for CVE-2024-8190: https://ccb.belgium.be/advisories/warning-actively-exploited-vulnerabilities-found-ivanti-cloud-services-appliance-patch