On October 9th, 2024, Ivanti, an IT software company from Utah, released an advisory disclosing three new zero-day vulnerabilities under active exploitation affecting its Cloud Services Appliance (CSA), an appliance for secure communication and functionality over the Internet. These three vulnerabilities – CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381 – are being widely exploited and add to the growing count of newly disclosed Ivanti vulnerabilities. Attackers have been observed chaining the three flaws with another zero-day path traversal vulnerability, CVE-2024-8963, disclosed back in September.
The Vulnerabilities
The first flaw in this chain, and the one on which the exploit chain depends, was published by Ivanti on September 19th. CVE-2024-8963 was classified as critical severity, receiving a CVSS v3 score of 9.4. Exploited by itself, it allows a remote, unauthenticated attacker to access restricted functionality. CVE-2024-8963 has also been chained with an OS command injection bug, CVE-2024-8190, allowing the attacker to bypass administrative authentication and achieve remote code execution (RCE). In October, three more vulnerabilities were added to the mix: CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381. They were discovered during Ivanti’s investigation of the exploitation chain of CVE-2024-8963 with CVE-2024-8190.
- CVE-2024-9379 is an SQL injection flaw, classified as medium severity, receiving a CVSS v3 score of 6.5. The issue lies in the admin web console of the Cloud Services Appliance and allows an authenticated attacker to execute arbitrary SQL statements.
- CVE-2024-9380 is an operating system (OS) command injection vulnerability, classified as high severity, receiving a CVSS v3 score of 7.2. It is located in the admin web console of the Cloud Services Appliance and allows an authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2024-9381 is a path traversal flaw in the Cloud Services Appliance, classified as high severity, receiving a CVSS v3 score of 7.2. Its successful exploitation allows a remote attacker, authenticated with admin privileges, to bypass restrictions.
All these flaws affect CSA versions 5.0.1 and earlier. Cloud Services Appliance version 4.6 has reached end-of-life, and the last security fix for this version was released on September 10th, 2024.
The Attacks
Although all three CVEs were initially reported as exploited, Ivanti has since revised its advisory and removed any indication that CVE-2024-9381 was exploited. When approached, Ivanti admitted having mistakenly marked CVE-2024-9381 as exploited due to a “clerical error.” CVE-2024-9381 was found internally, and the vendor is not aware of any exploitation in the wild. CISA also removed CVE-2024-9381 from its Known Exploited Vulnerabilities Catalog.
So far, only Cloud Services Appliance 4.6 patch 518 and earlier have been exploited. No signs of exploitation of these flaws have been observed in any version of CSA 5.0. The observed attacks combine the newly discovered flaws with CVE-2024-8963. It is worth noting that CVE-2024-9379 and CVE-2024-9380 have not been exploited on their own, but only when chained with CVE-2024-8963. Moreover, each attack chains CVE-2024-8963 with only one of the two in-the-wild (ITW) vulnerabilities at a time; the two are not exploited together in the same attack.
Over recent months, Ivanti has disclosed numerous vulnerabilities under active exploitation. This stream of disclosures stems from escalated internal testing and scanning for security issues, as part of a more efficient vulnerability discovery and disclosure process intended to address issues faster. However, this comes a little late, as Ivanti had promised back in May to overhaul its internal processes to make its products more secure.
Current Solutions
Since several of the recently disclosed vulnerabilities are being exploited in the wild, it is of the utmost importance to apply the available security measures to defend against them. Luckily, Ivanti has delivered a few options. As a first and most natural step, customers are advised to update the Cloud Services Appliance to the latest version – 5.0.2 at the time of the advisory’s publication. Customers running version 4.6 are urged to rebuild their CSA with version 5.0.2, since 4.6 versions have been actively exploited and will no longer be supported by the vendor now that they have reached end-of-life.
Apart from the version upgrade, Ivanti recommends that customers inspect the appliance for newly added or modified administrative users. They should also review alerts from any endpoint detection and response (EDR) tools installed on the device for indications of compromise. Some exploitation attempts, though not consistently, may also appear in the system-local broker logs.
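The check for newly added or modified administrative users is easiest to do against a known-good baseline. The script below is an added example written for this article, not Ivanti's code or a documented CSA interface: the appliance's real user export format is not described here, so the records and their field names (`name`, `role`, `password_hash`, `enabled`, `modified`) are constructed assumptions. The logic generalizes the text slightly by flagging not only brand-new admin accounts but also existing accounts whose role, credential or enabled state changed since the baseline, which covers the "updated administrative users" case.

```python
"""Compare a baseline export of appliance users against the current export
and flag admin accounts that were added or modified.

Added example, not Ivanti's code. Field names and sample records below are
constructed assumptions, not the CSA's actual export format.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Fields whose change on an existing admin account is worth an alert.
WATCHED_FIELDS = ("role", "password_hash", "enabled")


@dataclass(frozen=True)
class Finding:
    kind: str    # "added" or "modified"
    user: str    # account name
    detail: str  # human-readable explanation


def index_by_name(users: Iterable[dict]) -> Dict[str, dict]:
    """Build a name -> record map so lookups are O(1)."""
    return {u["name"]: u for u in users}


def diff_admin_users(baseline: List[dict], current: List[dict]) -> List[Finding]:
    """Return findings for admin accounts that appeared or changed since the baseline.

    An account that was a non-admin in the baseline and is an admin now is
    reported as "modified" (its role changed), which is the privilege-escalation
    case a defender most wants to see.
    """
    base = index_by_name(baseline)
    findings: List[Finding] = []
    for name, user in index_by_name(current).items():
        if user.get("role") != "admin":
            continue  # only administrative accounts are in scope
        old = base.get(name)
        if old is None:
            findings.append(Finding("added", name,
                                    f"new admin account, last modified {user.get('modified')}"))
            continue
        changed = [f for f in WATCHED_FIELDS if old.get(f) != user.get(f)]
        if changed:
            findings.append(Finding("modified", name,
                                    "changed fields: " + ", ".join(changed)))
    return findings


# Constructed sample data: a baseline taken before the advisory and a
# current export showing the three patterns the check is meant to catch.
BASELINE_USERS = [
    {"name": "admin", "role": "admin", "password_hash": "h1", "enabled": True, "modified": "2024-08-01"},
    {"name": "ops", "role": "operator", "password_hash": "h2", "enabled": True, "modified": "2024-08-01"},
]
CURRENT_USERS = [
    {"name": "admin", "role": "admin", "password_hash": "h9", "enabled": True, "modified": "2024-10-02"},
    {"name": "ops", "role": "admin", "password_hash": "h2", "enabled": True, "modified": "2024-10-02"},
    {"name": "support2", "role": "admin", "password_hash": "h7", "enabled": True, "modified": "2024-10-03"},
]


if __name__ == "__main__":
    for f in diff_admin_users(BASELINE_USERS, CURRENT_USERS):
        print(f"[{f.kind.upper()}] {f.user}: {f.detail}")
```

Run it as-is to see the three findings on the constructed data; in practice, replace the two lists with a baseline export captured at a known-good point (ideally right after a clean rebuild on 5.0.2) and the current export, and treat any finding as a prompt to correlate with EDR alerts and broker logs.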