The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Ivanti Virtual Traffic Manager authentication bypass vulnerability CVE-2024-7593(CVSS score of 9.8) to its Known Exploited Vulnerabilities (KEV) catalog.
In Mid-August 2024, Ivanti addressed the vulnerability CVE-2024-7593 that impacts Virtual Traffic Manager (vTM) appliances allowing attackers to create rogue administrator accounts.
Ivanti vTM (Virtual Traffic Manager) is a software-based traffic management solution designed to optimize and secure application delivery.
“Successful exploitation could lead to authentication bypass and creation of an administrator user.” reads the advisory published by the software firm. “Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel. “
The vulnerability is due to an incorrect implementation of an authentication algorithm that allows remote unauthenticated attackers to bypass authentication on Internet-facing vTM admin console.
The company addressed the flaw with the release of patch 22.2R1 (released 26 March 2024) or 22.7R2 (released 20 May 2024). The company explained that customers who have pointed their management interface to a private IP and restricted access can address the issue at their earliest convenience.
Ivanti stated that it is unaware of attacks exploiting this flaw in the wild, however it is aware of the public availability of Proof of Concept exploit code.
“We are not aware of any customers being exploited by this vulnerability at the time of disclosure. However, a Proof of Concept is publicly available, and we urge customers to upgrade to the latest patched version ” continues the advisory.
To limit the exploitability of this vulnerability, Ivanti recommends to limit Admin Access to the Management Interface internal to the network through the private / corporate network.
Below are instructions provided by the company:
1. On the VTM server navigate to System > Security then click the drop down for the Management IP Address and Admin Server Port section of the page
2. In the bindip drop down select the Management Interface IP Address. As another option, customers can also utilize the setting directly above the “bindip” setting to restrict access to trusted IP addresses, further restricting who can access the interface.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by October 15, 2024.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)