Three crucial Ivanti CSA vulnerabilities being actively exploited

Ivanti has issued a warning regarding three new security vulnerabilities affecting its Cloud Service Appliance (CSA) that are currently being actively exploited in the wild.

These zero-day flaws are being exploited in combination with another CSA vulnerability that the company patched last month, according to the Utah-based software services provider.

If exploited successfully, these vulnerabilities could enable an authenticated attacker with admin privileges to bypass restrictions, execute arbitrary SQL statements, or achieve remote code execution.

“We are aware of a few customers running CSA 4.6 patch 518 or earlier who have been targeted when CVE-2024-9379, CVE-2024-9380, or CVE-2024-9381 are combined with CVE-2024-8963,” the company stated.

There is no evidence of exploitation against customers using CSA 5.0. A brief overview of the three vulnerabilities follows:

  • CVE-2024-9379 (CVSS score: 6.5) – SQL injection in the admin web console of Ivanti CSA before version 5.0.2 enables a remote authenticated attacker with admin privileges to execute arbitrary SQL statements
  • CVE-2024-9380 (CVSS score: 7.2) – An operating system (OS) command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution
  • CVE-2024-9381 (CVSS score: 7.2) – Path traversal in Ivanti CSA before version 5.0.2 enables a remote authenticated attacker with admin privileges to bypass restrictions

The attacks detected by Ivanti involve combining these vulnerabilities with CVE-2024-8963 (CVSS score: 9.4), a critical path traversal vulnerability that allows a remote unauthenticated attacker to access restricted functions.

Ivanti said it discovered these three new vulnerabilities while investigating the exploitation of CVE-2024-8963 and CVE-2024-8190 (CVSS score: 7.2), another now-patched OS command injection issue in CSA that has been exploited in the wild.

In addition to updating to the latest version (5.0.2), the company suggests that users check the appliance for any modified or newly added administrative users, look for signs of compromise, or monitor alerts from endpoint detection and response (EDR) tools installed on the device.

This development comes less than a week after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw affecting Ivanti Endpoint Manager (EPM) that was resolved in May (CVE-2024-29824, CVSS score: 9.6) to the Known Exploited Vulnerabilities (KEV) list.
