WARNING: CRITICAL AND HIGH SEVERITY VULNERABILITIES FOUND IN MULTIPLE IVANTI PRODUCTS

Published: 14/08/2024

Reference:
Advisory #2024-201

Version:
2.0

Affected software:
Ivanti Avalanche
Ivanti Neurons for IT Service Management (ITSM)
Ivanti Virtual Traffic Manager (vTM)

Type:
Multiple: Improper Authentication, Incorrect Implementation of Authentication Algorithm, Insertion of Sensitive Information into Debugging Code, Insecure Storage of Sensitive Information, Improper Certificate Validation

CVE/CVSS:
Ivanti Virtual Traffic Manager (vTM):
  • CVE-2024-7593: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Ivanti Neurons for IT Service Management (ITSM):
  • CVE-2024-7569: 9.6 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
  • CVE-2024-7570: 8.3 HIGH (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
Ivanti Avalanche:
  • CVE-2024-38652: 8.2 HIGH (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
  • CVE-2024-38653: 8.2 HIGH (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)
  • CVE-2024-36136: 7.5 HIGH (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  • CVE-2024-37399: 7.5 HIGH (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  • CVE-2024-37373: 7.2 HIGH (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Sources

Vendor advisory Ivanti vTM: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593

Vendor advisory Ivanti Neurons for ITSM: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2024-7569-CVE-2024-7570

Vendor advisory Ivanti Avalanche: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-4-CVE-2024-38652-CVE-2024-38653-CVE-2024-36136-CVE-2024-37399-CVE-2024-37373

Risks

Ivanti has patched critical and high severity vulnerabilities in 3 of their products:

  • Ivanti Virtual Traffic Manager (vTM):
    Exploiting CVE-2024-7593 could allow an attacker to bypass authentication and create an administrator user, leading to unauthorized access to the admin panel. This poses a severe threat, as it may result in a complete system compromise, enabling the attacker to view sensitive data, alter system configurations, and disrupt the normal operations of Ivanti vTM, severely impacting confidentiality, integrity, and availability.
     
  • Ivanti Neurons for IT Service Management (ITSM):
    Exploiting vulnerabilities CVE-2024-7569 and CVE-2024-7570 could allow an unauthenticated attacker to disclose sensitive information, such as the OIDC client secret, and gain unauthorized access to the ITSM system with any user’s privileges. This severe compromise threatens the system’s security, potentially leading to unauthorized data access, alteration of system settings, and disruption of ITSM services, significantly impacting confidentiality, integrity, and availability.
     
  • Ivanti Avalanche: Successful exploitation could result in remote code execution. These vulnerabilities have a high impact on confidentiality, integrity, and availability.

The most critical risk is the exploitation of CVE-2024-7593 in Ivanti Virtual Traffic Manager (vTM). This particular vulnerability in Ivanti vTM came under active exploitation barely 10 days after publication.

The Centre for Cybersecurity Belgium (CCB) recommends that system administrators patch vulnerable systems as soon as possible and follow the additional measures recommended by the vendor. Analyse system and network logs for any suspicious activity. This report has instructions to help your organisation.

Description

Multiple vulnerabilities were fixed by the vendor.

  • Improper Authentication & Incorrect Implementation of Authentication Algorithm (CVE-2024-7593) – Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.
     
  • Insertion of Sensitive Information Into Debugging Code & Insecure Storage of Sensitive Information (CVE-2024-7569) – An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information.
     
  • Improper Certificate Validation (CVE-2024-7570) – Improper certificate validation in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows a remote attacker in a MITM position to craft a token that would allow access to ITSM as any user.
     
  • Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve denial of service via arbitrary file deletion (CVE-2024-38652).
     
  • XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server (CVE-2024-38653).
     
  • An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS (CVE-2024-36136).
     
  • A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS (CVE-2024-37399).
     
  • Improper input validation in the Central Filestore in Ivanti Avalanche 6.3.1 allows a remote authenticated attacker with admin rights to achieve RCE (CVE-2024-37373).

Patched versions are available on the website of the vendor (See URLs in references).

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
The latest version of the involved product can be found on their website (See URLs in references).

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Vendor advisory Ivanti vTM: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593

Vendor advisory Ivanti Neurons for ITSM: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2024-7569-CVE-2024-7570

Vendor advisory Ivanti Avalanche: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-4-CVE-2024-38652-CVE-2024-38653-CVE-2024-36136-CVE-2024-37399-CVE-2024-37373