A critical security flaw in Ivanti’s Cloud Service Appliance (CSA) has been identified as CVE-2024-8963 with a CVSS score of 9.4 [1]. This vulnerability has been actively exploited in attacks against a limited number of customers [1].

Description

This vulnerability allows remote unauthenticated attackers to access restricted functionality through Path Traversal [2] [4] [6]. By chaining this vulnerability with CVE-2024-8190 [1], attackers can bypass admin authentication and execute arbitrary commands on the appliance [1] [2], potentially leading to remote code execution (RCE). Ivanti has released a patch (CSA 4.6 Patch 519) to address this critical issue [1], but users are advised to upgrade to Ivanti CSA 5.0 for continued support [1]. The US Cybersecurity and Infrastructure Security Agency (CISA) has included this vulnerability in its Known Exploited Vulnerabilities catalog [6], requiring Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the specified due date to protect FCEB networks against active threats [3]. It is important for users to check for any modified or newly added administrative users on the CSA and review Endpoint Detection and Response (EDR) alerts [1]. Ivanti emphasizes the importance of a layered security approach and recommends installing an EDR tool on the appliance [1]. The vulnerability affects all versions of Ivanti CSA 4.6 before Patch 519 [5], allowing remote attackers to manipulate paths and access files that should be inaccessible without authentication or special privileges [5], making it easy to carry out [5]. When combined with another vulnerability (CVE-2024-8190) that could lead to remote code execution [5], attackers no longer need admin privileges to execute code remotely [5].

Conclusion

Users should promptly apply the patch provided by Ivanti or upgrade to Ivanti CSA 5.0 to mitigate the risk of exploitation. It is crucial for organizations to follow CISA’s guidance and remediate identified vulnerabilities to protect their networks. Implementing a layered security approach and monitoring for any suspicious activity are essential steps to enhance security posture and prevent future attacks.

References

[1] https://securityaffairs.com/168617/security/ivanti-cloud-services-appliance-cve-2024-8963.html
[2] https://www.darkreading.com/cyberattacks-data-breaches/ivanti-cloud-service-appliance-attacked-vuln
[3] https://www.cisa.gov/news-events/alerts/2024/09/19/ivanti-releases-admin-bypass-security-update-cloud-services-appliance
[4] https://digital.nhs.uk/cyber-alerts/2024/cc-4552
[5] https://www.cert.be/en/advisory/warning-actively-exploited-ivanti-csa-vulnerability-cve-2024-8963-patch-immediately
[6] https://thehackernews.com/2024/09/critical-ivanti-cloud-appliance.html