Pierluigi Paganini December 11, 2024

Ivanti addressed a critical authentication bypass vulnerability impacting its Cloud Services Appliance (CSA) solution.

Ivanti addressed a critical authentication bypass vulnerability, tracked as CVE-2024-11639 (CVSS score of 10), in its Cloud Services Appliance (CSA) solution.

A remote unauthenticated attacker can exploit the vulnerability to gain administrative access. 

The vulnerability was discovered by CrowdStrike’s Advanced Research Team and impacts 5.0.2 and prior.  

“An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access.” reads the advisory published by the company. 

The company also fixed a critical SQL injection vulnerability, tracked as CVE-2024-11772 (CVSS score of 9.1) in the admin web console of Ivanti CSA before version 5.0.3. A remote authenticated attacker with admin privileges can exploit the flaw to run arbitrary SQL statements.

The third issue fixed by the company is a critical SQL injection, tracked as CVE-2024-11773  (CVSS score of 9.1) in the admin web console of Ivanti CSA before version 5.0.3. A remote authenticated attacker with admin privileges can exploit the flaw to run arbitrary SQL statements too.

Ivanti released version CSA 5.0.3 to address the above issues, it also pointed out that is not aware of attacks in the wild exploiting the vulnerabilities.

“We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program.” concludes the advisory. “Currently, there is no known public exploitation of this these vulnerabilities that could be used to provide a list of indicators of compromise.”

In early October, the software company warned of three new security vulnerabilities (CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381) in its Cloud Service Appliance (CSA) that are actively exploited in attacks in the wild.

Below are the descriptions of the three vulnerabilities:

• CVE-2024-9379 (CVSS score 6.5) – a SQL injection in the admin web console of Ivanti CSA before version 5.0.2. A remote authenticated attacker with admin privileges can exploit the flaw to run arbitrary SQL statements.
• CVE-2024-9380 (CVSS score 7.2) – an OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2. A remote authenticated attacker with admin privileges can exploit the vulnerability to achieve remote code execution.
• CVE-2024-9381 (CVSS score 7.2) – a path traversal issue in Ivanti CSA before version 5.0.2. A remote authenticated attacker with admin privileges can exploit the flaw to bypass restrictions.

Threat actors are chaining these three vulnerabilities with the CSA zero-day CVE-2024-8963 (CVSS score of 9.4) that the software firm addressed in September.

Threat actors could exploit these vulnerabilities to carry out SQL injection attacks, execute arbitrary code via command injection, and bypass security restrictions by abusing a path traversal weakness on vulnerable CSA gateways.

“We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379, CVE-2024-9380 or CVE-2024-9381 are chained with CVE-2024-8963.” reads the advisory published by Ivanti. “We have no evidence of any other vulnerabilities being exploited in the wild. These vulnerabilities do not impact any other Ivanti products or solutions.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CSA)