Threat actors are actively exploiting a high-severity vulnerability (CVE-2024-8190) in Ivanti’s Cloud Service Appliance (CSA) [7], impacting a limited number of users [1] [4] [6].
Description
CVE-2024-8190 is an operating system command injection flaw in CSA version 4.6 that allows remote code execution by an attacker who already holds administrator-level privileges [9]. The injection point is the handleDateTimeSubmit() function, which is reachable through the appliance's internal interface only after authentication; exploiting it requires supplying a valid application username and password [9]. Because the vulnerability is authenticated, it was initially considered uninteresting [9], but CISA added it to its Known Exploited Vulnerabilities (KEV) catalog on September 13, 2024 [9]. The vulnerability is rated high severity with a CVSS score of 7.2 out of 10 [4] [8].

Successful exploitation could give a threat actor unauthorized access to, or control of, the device running the CSA [3] [4] [9]. Ivanti has released a security update for CSA 4.6 that addresses the vulnerability [2]; Patch 519 is the final security fix for this version [8], which is End-of-Life, so customers must upgrade to Ivanti CSA 5.0 for continued support [2] [8]. Ivanti also recommends configuring eth0 as the internal network interface to mitigate the risk of exploitation [9]: dual-homed CSA configurations with ETH-0 as the internal network, as Ivanti recommends, are at a significantly reduced risk of exploitation [3].

Ivanti has confirmed limited exploitation [8], and evidence suggests the vulnerability is being exploited in the wild, so customers are urged to upgrade to version 5.0 [4] [10]. CISA recommends reviewing the joint guidance on eliminating OS command injections and applying the recommended updates [5]; Federal Civilian Executive Branch agencies are required to remediate the vulnerability by the specified due date [5]. All users are advised to update to the latest version of the appliance as soon as possible to prevent compromise [7].
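To make the vulnerability class concrete, the following Python snippet is an added illustration, not Ivanti's code and not derived from the CSA source. It models a hypothetical date/time settings handler (named handle_datetime_submit after the function the advisories cite) that applies an administrator-supplied time zone with a system tool. The vulnerable form concatenates the untrusted value into a shell command string; the hardened form validates it against an allow-list and passes it as a single argument with no shell, which is the remediation the CISA guidance on OS command injection describes. The tool name timedatectl and the regular expression are assumptions for the example.

```python
import re
import subprocess
from typing import Callable, Dict, List

# Allow-list for IANA-style time zone names such as "UTC", "Europe/Brussels"
# or "America/Argentina/Buenos_Aires". Shell metacharacters (; | & ` $ ( ) < >
# and whitespace) cannot match, so they are rejected before any command runs.
_TZ_RE = re.compile(r"[A-Za-z][A-Za-z0-9_+-]*(?:/[A-Za-z0-9_+-]+){0,2}")


def build_command_vulnerable(tz: str) -> str:
    """The vulnerable pattern: untrusted input concatenated into a shell string.

    If this string is handed to a shell (subprocess.run(..., shell=True), PHP's
    exec(), system(), etc.), every metacharacter in `tz` is interpreted by that
    shell, which is the OS command injection class behind CVE-2024-8190.
    Shown for contrast only; nothing in this file executes it.
    """
    return f"timedatectl set-timezone {tz}"


def validate_timezone(tz: str) -> str:
    """Accept only values that look like a time zone name; reject everything else."""
    if not _TZ_RE.fullmatch(tz):
        raise ValueError("time zone value rejected by allow-list")
    return tz


def build_command_hardened(tz: str) -> List[str]:
    """The hardened pattern: a validated value passed as one argv element.

    With an argument list and shell=False there is no shell to interpret the
    value; even an unvalidated "UTC; echo injected" would reach timedatectl as
    a single literal (and invalid) zone name rather than as two commands.
    """
    return ["timedatectl", "set-timezone", validate_timezone(tz)]


def handle_datetime_submit(
    form: Dict[str, str],
    run: Callable[..., subprocess.CompletedProcess] = subprocess.run,
) -> int:
    """Hypothetical hardened handler (assumed name, not Ivanti's implementation).

    Returns the tool's exit code. `run` is injectable so the flow can be
    exercised on a host without timedatectl.
    """
    argv = build_command_hardened(form.get("timezone", ""))
    return run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed inputs: one legitimate zone, one carrying a shell separator.
    for candidate in ("Europe/Brussels", "UTC; echo injected"):
        print("vulnerable string:", repr(build_command_vulnerable(candidate)))
        try:
            print("hardened argv:   ", build_command_hardened(candidate))
        except ValueError as exc:
            print("hardened argv:    REJECTED,", exc)
```

The two defences are independent: the allow-list stops hostile values at the boundary, and the argv list removes the shell that would have interpreted them. Either alone closes this particular injection, but keeping both means a future change to the validation pattern does not silently reopen it.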
Conclusion
Exploitation of this vulnerability could have serious consequences, including unauthorized access to affected systems. Users should upgrade to CSA version 5.0 and follow the recommended security measures to mitigate the risk of exploitation. Appliances left on the unsupported 4.6 release remain exposed to continued exploitation if the vulnerability is not addressed promptly.
References
[1] https://thehackernews.com/2024/09/ivanti-warns-of-active-exploitation-of.html
[2] https://securityaffairs.com/168388/hacking/ivanti-csa-cve-2024-8190.html
[3] https://www.cert.be/en/advisory/warning-actively-exploited-vulnerabilities-found-ivanti-cloud-services-appliance-patch
[4] https://www.crn.com/news/security/2024/ivanti-reports-exploitation-of-cloud-gateway-vulnerability
[5] https://www.cisa.gov/news-events/alerts/2024/09/13/ivanti-releases-security-update-cloud-services-appliance
[6] https://fieldeffect.com/blog/high-severity-vulnerability-in-ivanti-cloud-service-actively-exploited
[7] https://www.darkreading.com/threat-intelligence/ivanti-cloud-bug-exploit-alarms-raised
[8] https://www.csoonline.com/article/3520876/newly-patched-ivanti-csa-flaw-under-active-exploitation.html
[9] https://securityboulevard.com/2024/09/cve-2024-8190-investigating-cisa-kev-ivanti-cloud-service-appliance-command-injection-vulnerability/
[10] https://www.runzero.com/blog/ivanti-cloud-services-appliances/