Three more vulns spotted in Ivanti CSA, all critical, one 10/10

Patch up, everyone – that admin portal is mighty attractive to your friendly cyberattacker

Ivanti just put out a security advisory warning of three critical vulnerabilities in its Cloud Services Application (CSA), including a perfect 10.

CSA is a tempting target for cyberattacks because of its central role in accessing internal organizational data and managing IT systems. If a criminal can compromise it, they may be able to intercept or manipulate confidential information, or pivot from the appliance into other parts of the network.

Tracked as CVE-2024-11639, the headline vulnerability is an authentication bypass flaw in the admin web console, allowing a remote, unauthenticated attacker to gain administrative access. It carries the maximum CVSS score of 10.0.

Following close behind is a pair of 9.1 severity bugs, which are also grouped under the most severe "critical" category.

CVE-2024-11772 is a command injection flaw in Ivanti CSA's admin web console that allows remote code execution, but only for an attacker who already holds admin privileges. Paired with the authentication bypass above, that precondition falls away, which is what makes the two an attractive chain: bypass authentication first, then run code on the appliance.

Ivanti CSA's admin web console component is again the source of the third flaw, CVE-2024-11773 – an SQL injection vulnerability allowing admin users to run arbitrary SQL statements.

All three issues affect Ivanti CSA versions 5.0.2 and earlier. Customers are encouraged to upgrade to 5.0.3 to address them all.

"We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure," the vendor said in its advisory, adding that CrowdStrike's Advanced Research Team found and reported the issues to Ivanti via its responsible disclosure program.

Given the lack of exploitation information, Ivanti went on to say that it did not have any indicators of compromise (IOCs) to offer customers.

It's not the first time this year the admin web console of Ivanti's CSA has caught the attention of security pros. The US Cybersecurity and Infrastructure Security Agency (CISA) ordered federal civilian executive branch agencies to patch a number of vulnerabilities that were known to be chained in active attacks.

CISA added CVE-2024-9379 and CVE-2024-9380, SQL injection and OS command injection bugs respectively, to its KEV catalog in October. The two were being chained with CVE-2024-8963, a critical (9.4) directory traversal vulnerability used to access restricted functionality.

CISA also noted that if CVE-2024-8963 was chained with CVE-2024-8190, a different OS command injection bug in CSA disclosed in September, then it could allow an attacker to bypass admin authentication and pass commands to the OS. ®
