WARNING: A CRITICAL AUTHENTICATION BYPASS VULNERABILITY IS AFFECTING IVANTI CLOUD SERVICES APPLIANCE

Published: 11/12/2024

Reference:
Advisory #2024-289

Version:
1.0

Affected software:
Ivanti Cloud Service Appliance (CSA) before 5.0.3

Type:
Authentication Bypass, Remote Code Execution (RCE), SQL Injection (SQLi)

CVE/CVSS:

CVE-2024-11639 CVSS: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-11772 CVSS: 9.1 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-11773 CVSS: 9.1 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Sources

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Services-Application-CSA-CVE-2024-11639-CVE-2024-11772-CVE-2024-11773?language=en_US

Risks

Ivanti offers products to manage IT systems and assets. Ivanti’s Cloud Services Appliance (CSA) is an Internet appliance that provides secure communication and functionality over the Internet.
 
The critical authentication bypass vulnerability has a HIGH impact on Confidentiality, Integrity and Availability. It can be chained with the remote code execution (RCE) vulnerability for a complete takeover of the underlying system, or with the SQL injection vulnerability to run SQL statements against the system's underlying database.
 
Lastly, it is worth noting that several other vulnerabilities were exploited earlier this year in campaigns targeting Ivanti VPN appliances and ICS, IPS, and ZTA gateways.

Description

CVE-2024-11639 : Authentication Bypass
This is a maximum-severity authentication bypass vulnerability in the administrator’s web console of Ivanti Cloud Services Appliance (CSA). 
Exploitation of the present vulnerability allows remote unauthenticated attackers to gain administrative access to the admin web console.
The vulnerability is particularly dangerous, as it can be chained to CVE-2024-11772 for a complete takeover of the underlying system, or with CVE-2024-11773 in order to perform SQL Injections with administrative rights on the system’s underlying database.  
 
CVE-2024-11772 : Remote Code Execution (RCE)
This command injection vulnerability in the admin web console of Ivanti CSA allows a remote authenticated attacker with admin privileges to achieve remote code execution. 
 
CVE-2024-11773 : SQL Injection (SQLi)
SQL injection in the admin web console of Ivanti CSA allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements. 

Recommended Actions

Patch
 
The Centre for Cybersecurity Belgium strongly recommends installing updates for the vulnerable software mentioned in the present advisory through Ivanti’s download portal.
 
Monitor/Detect
 
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References