WARNING: ACTIVELY EXPLOITED VULNERABILITIES FOUND IN IVANTI CLOUD SERVICES APPLIANCE, PATCH IMMEDIATELY!

Published : 16/09/2024

Reference:
Advisory #2024-222

Version:
1.0

Affected software:
Ivanti Cloud Services Appliance (CSA) versions 4.6 Patch 518 and before

Type:
Remote Code Execution (RCE)

CVE/CVSS:
CVE-2024-8190: CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Sources

Ivanti - https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Service-Appliance-CSA-CVE-2024-8190

Risks

An OS command injection vulnerability in Ivanti Cloud Services Appliance (CSA) versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution.

The attacker must have admin-level privileges to exploit this vulnerability. This vulnerability has been listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. It has a high impact on all three components of the CIA triad (confidentiality, integrity and availability).

Description

Successful exploitation could lead to unauthorized access to the device running the CSA. Dual-homed CSA configurations with ETH-0 as an internal network, as recommended by Ivanti, are at a significantly reduced risk of exploitation.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

For CSA 4.6, update to Patch 519: https://forums.ivanti.com/s/article/CSA-4-6-Patch-519

Or upgrade to CSA 5.0: https://forums.ivanti.com/s/article/CSA-5-0-Download
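To turn the affected range above into a repeatable inventory check, the following added example (written for this advisory, not code from CCB or Ivanti) parses CSA version strings and flags every appliance at 4.6 Patch 518 or earlier as needing the update. The "major.minor Patch N" string format, the hostnames and the inventory values are constructed assumptions for illustration; adapt the parser to whatever form your asset inventory actually records.

```python
import re
from typing import Dict, NamedTuple

# Per the advisory: CSA 4.6 Patch 518 and before are affected (CVE-2024-8190);
# the fix is CSA 4.6 Patch 519 or an upgrade to CSA 5.0.
LAST_AFFECTED = (4, 6, 518)


class CsaVersion(NamedTuple):
    major: int
    minor: int
    patch: int


# Assumed string format for this example: "4.6 Patch 518", "4.6", "5.0".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*(?:Patch|p)\s*(\d+))?\s*$", re.IGNORECASE)


def parse_csa_version(text: str) -> CsaVersion:
    """Parse a CSA version string into a comparable (major, minor, patch) tuple.

    A missing patch number is treated as patch 0, i.e. the base release,
    which is older than any numbered patch of the same major.minor.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised CSA version string: {text!r}")
    major, minor, patch = match.groups()
    return CsaVersion(int(major), int(minor), int(patch) if patch else 0)


def is_affected(text: str) -> bool:
    """True when the version is 4.6 Patch 518 or earlier."""
    return tuple(parse_csa_version(text)) <= LAST_AFFECTED


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each appliance to a triage verdict based on its recorded version."""
    verdicts = {}
    for host, version in inventory.items():
        try:
            verdicts[host] = "PATCH NOW" if is_affected(version) else "ok"
        except ValueError:
            # Unknown format: do not silently mark it safe.
            verdicts[host] = "UNKNOWN VERSION - verify manually"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are illustrative).
    sample = {
        "csa-dmz-01.example.test": "4.6 Patch 518",
        "csa-dmz-02.example.test": "4.6 Patch 519",
        "csa-lab-01.example.test": "4.5 Patch 600",
        "csa-new-01.example.test": "5.0",
        "csa-old-01.example.test": "unknown",
    }
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

Because the advisory covers every release up to and including 4.6 Patch 518, the comparison is a plain tuple ordering rather than a check for 4.6 alone; a lab appliance still on 4.5 is flagged as well. Entries the parser cannot read are reported for manual verification instead of being treated as patched.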

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

CISA - https://www.cisa.gov/known-exploited-vulnerabilities-catalog