Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited
Background
Ivanti has notified its customers that three recently identified zero-day vulnerabilities in its Cloud Service Appliance (CSA) are being actively exploited. The vulnerabilities, tracked as CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381, allow threat actors to carry out path traversal, SQL injection, and command injection attacks. Left unaddressed, they could have significant consequences.
In a recent advisory, the company revealed that these zero-days had already been chained with a known vulnerability, CVE-2024-8963, to target a number of customers running older versions of CSA.
Ivanti's latest round of fixes also covers an important Remote Code Execution (RCE) vulnerability affecting Policy Secure and Connect Secure. Because technical and exploitation details for that vulnerability are already public, the risk is greater and organizations need to upgrade their systems immediately.
In recognition of the ongoing exploitation, CISA added CVE-2024-9379 and CVE-2024-9380 to its Known Exploited Vulnerabilities (KEV) catalog and asks users to remediate them by October 30, 2024, at the latest.
Technical Details
In September, Ivanti fixed CVE-2024-8190, a serious RCE vulnerability in Ivanti CSA. Soon after the patch, it was found that attackers were chaining it with CVE-2024-8963 to bypass authentication and achieve remote code execution.
The company has since revealed that CVE-2024-8963 has also been chained with other Ivanti CSA vulnerabilities to target a specific subset of customers. Although Ivanti's notice highlights the combination of three new vulnerabilities (CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381) with CVE-2024-8963, its advisory only confirms the use of CVE-2024-9379 and CVE-2024-9380 in exploit chains.
CVE-2024-9379:
A SQL injection vulnerability in the Ivanti CSA admin web console. Successful exploitation allows a remote, authenticated attacker with administrator privileges to execute arbitrary SQL statements.
CVE-2024-9380:
An OS command injection vulnerability in the Ivanti CSA admin web console. Successful exploitation allows a remote, authenticated attacker with administrator privileges to achieve remote code execution.
CVE-2024-9381:
A path traversal vulnerability in Ivanti CSA. Successful exploitation allows a remote, authenticated attacker with administrator privileges to bypass restrictions.
Affected versions:
The vulnerabilities, which permit unauthenticated remote code execution when chained with CVE-2024-8963, are confirmed to affect Ivanti CSA versions 5.0.1 and prior. CSA version 4.6 patch 518 and lower is of particular note.
As Ivanti notes, threat actors appear to be chaining CVE-2024-8963 with either CVE-2024-9379 or CVE-2024-9380 in each attack, rather than exploiting all of them at once. Ivanti has also made clear that environments running CSA 5.0 currently show no signs of exploitation.
Recommendations
Customers must upgrade to Ivanti Cloud Services Appliance version 5.0.2 to patch the vulnerabilities.
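As an added example that is not part of the original advisory or any Ivanti tooling, the script below turns the version statements above into an inventory check: anything below the fixed release 5.0.2 is flagged as affected, the 4.6 line (patch 518 and lower) is called out separately, and the 5.0 line is annotated with Ivanti's note that no exploitation has been observed there yet. It also counts the days left until the CISA remediation date. The hostnames in the sample inventory are constructed, and the accepted version-string formats ("5.0.1", "4.6 patch 518") are an assumption taken from how the versions are written on this page, not a documented Ivanti format.

```python
"""Triage an Ivanti CSA inventory against the versions named in the advisory.

Rule derived from the advisory: affected if version < 5.0.2 (the patched
release); 4.6 patch 518 and lower is specifically called out; Ivanti reports
no signs of exploitation on the 5.0 line so far.
Version-string formats are assumed from the page, not from Ivanti docs.
"""
import re
from dataclasses import dataclass
from datetime import date

FIXED_VERSION = (5, 0, 2, 0)            # CSA 5.0.2, the release to upgrade to
CISA_KEV_DEADLINE = date(2024, 10, 30)  # CISA remediation due date from the advisory

# Accepts "5.0.1", "5.0", "4.6 patch 518" or "4.6-518" (assumed formats).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s*(?:patch|-)\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> tuple:
    """Return (major, minor, micro, patch); missing parts become 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised CSA version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


@dataclass
class Assessment:
    host: str
    version: str
    affected: bool
    note: str


def assess(host: str, version: str) -> Assessment:
    """Classify one appliance using only the facts stated in the advisory."""
    v = parse_version(version)
    if v >= FIXED_VERSION:
        return Assessment(host, version, False, "at or above 5.0.2, not affected")
    if v[:2] == (5, 0):
        note = ("affected; Ivanti reports no signs of exploitation on the 5.0 line "
                "so far; upgrade to 5.0.2")
    elif v[:2] == (4, 6) and v[3] <= 518:
        note = "affected; 4.6 patch 518 and lower is specifically called out; upgrade to 5.0.2"
    else:
        note = "affected; below 5.0.2; upgrade to 5.0.2"
    return Assessment(host, version, True, note)


def days_until_deadline(today: date) -> int:
    """Days remaining until the CISA remediation date (negative if overdue)."""
    return (CISA_KEV_DEADLINE - today).days


def triage(inventory) -> list:
    """Assess every (host, version) pair; affected appliances sorted first."""
    results = [assess(h, v) for h, v in inventory]
    return sorted(results, key=lambda a: (not a.affected, a.host))


# Constructed sample inventory; hostnames are made up for this example.
SAMPLE_INVENTORY = [
    ("csa-dc1.example.internal", "5.0.1"),
    ("csa-dc2.example.internal", "5.0.2"),
    ("csa-legacy.example.internal", "4.6 patch 518"),
    ("csa-lab.example.internal", "5.0"),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_INVENTORY):
        status = "AFFECTED" if a.affected else "ok"
        print(f"{a.host:30} {a.version:14} {status:9} {a.note}")
    print("days until CISA deadline:", days_until_deadline(date(2024, 10, 15)))
```

Feed `triage` the (host, version) pairs from your asset inventory; any entry it cannot parse raises `ValueError` rather than silently passing, so unknown version strings surface for manual review instead of being treated as patched.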