Ivanti, whose merchandise have been an enormous goal for attackers lately, has disclosed two extra crucial vulnerabilities in its applied sciences — elevating extra questions in regards to the safety of its merchandise within the course of.
One of many flaws, tracked as CVE-2023-41724 (CVSS vulnerability-severity rating of 9.6 out of 10) is a distant code execution vulnerability in Ivanti Standalone Sentry that researchers from NATO Cyber Safety Heart reported to the corporate.
The second flaw that Ivanti disclosed this week is CVE-2023-46808 (CVSS rating of 9.9) in Ivanti Neurons for IT Service Administration (ITSM).
Essential Severity Bugs
The Standalone Sentry flaw, which impacts all supported variations of the know-how (9.17.0, 9.18.0, and 9.19.0), permits an unauthenticated attacker to execute arbitrary code on the underlying working system. Older variations of Standalone Sentry are additionally in danger in keeping with Ivanti.
Thus far, the seller mentioned it has not seen any proof of menace actors exploiting the flaw within the wild. “Risk actors and not using a legitimate TLS shopper certificates enrolled by way of EPMM can’t straight exploit this situation on the Web,” Ivanti mentioned.
The vulnerability in Neurons for ITSM offers an authenticated distant attacker a method to write or add recordsdata to the ITSM server and acquire the flexibility to execute arbitrary code on it. As with the RCE flaw in Standalone Sentry, Ivanti mentioned it has seen no indicators of exploitation exercise up to now.
Ivanti has issued up to date variations of the affected merchandise to deal with every vulnerability. The corporate mentioned it realized of each flaws — and reserved a CVE quantity for them — late final yr, which is why the vulnerabilities have a 2023 CVE quantity. “It is Ivanti’s coverage that when a CVE just isn’t below energetic exploitation that we disclose the vulnerability when a repair is offered, in order that clients have the instruments they should shield their atmosphere,” the corporate famous.
Making a Unhealthy Observe File Even Worse
Since January the corporate has stored safety directors busy with a gradual stream of flaws in its merchandise, which in a number of situations menace actors had been fast to pounce upon. One working example is “Magnet Goblin” a financially motivated menace actor that was among the many quickest to use CVE-2024-21887, a command injection vulnerability in Ivanti Join Safe and Coverage Safe gateways.
The flaw was one among two zero-days that Ivanti disclosed in early January within the safe distant entry know-how — the opposite was CVE-2023-46805 — however for which the corporate didn’t situation a patch till weeks later. Throughout the interval, quite a few menace teams together with China-based superior persistent menace actors similar to UNC5221, aka UTA0178, actively exploited the bugs in mass assaults worldwide.
At the same time as beleaguered admins struggled to deal with these two preliminary flaws, Ivanti in late January disclosed two extra bugs in its Join Safe VPN know-how, CVE-2024-21888 and CVE-2024-21893, the latter of which was a zero-day bug below energetic exploitation at time of disclosure. Lower than two weeks later, the corporate disclosed yet one more flaw — CVE-2024-22024 — in its Ivanti Join Safe and Ivanti Pulse Safe applied sciences, which attackers as soon as once more had been fast to use.
The seemingly incessant bugs in Ivanti’s merchandise — and the danger they pose to the seller’s clients, a few of whom embrace very giant companies — predictably have dinged its repute in keeping with some researchers inside the group. Some have even described the failings — and the corporate’s comparatively sluggish responses to them — as posing an existential menace to companies.
