Ivanti patches exploited admin command execution flaw

Fears over chained attacks affecting EOL product
The US Cybersecurity and Infrastructure Security Agency (CISA) just added the latest Ivanti weakness to its Known Exploited Vulnerabilities (KEV) catalog, a situation sure to annoy some – given that it's yet another path traversal flaw.

Following a string of high-profile path traversal bugs affecting IT vendors this year, the US's national cyber agency felt the need to plead with the infosec community to stamp out this class of vulnerability.

CISA complained earlier this year that these bugs have been around since the nineties and noted that since then, methods of ensuring they do not crop up in software have become well established and should be universally implemented by this point.
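The "well established" defence CISA has in mind is simple to state: canonicalise the requested path and refuse to serve anything that does not remain under the intended root. The block below is an added example, not code from Ivanti, CISA or this article, contrasting a naive lookup with a hardened one; `BASE_DIR` and the request strings are constructed for illustration.

```python
"""Path traversal (CWE-22): a naive file lookup beside a hardened one.

Added example, not code from Ivanti, CISA or the article.
BASE_DIR and the request paths are constructed for illustration.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

BASE_DIR = "/srv/app/files"   # hypothetical document root


def vulnerable_lookup(user_path: str) -> str:
    """Joins untrusted input to the document root with no containment check.

    '../' sequences walk out of BASE_DIR, and an absolute path replaces it
    outright because posixpath.join() discards everything before a leading '/'.
    """
    return posixpath.normpath(posixpath.join(BASE_DIR, user_path))


def safe_lookup(user_path: str) -> Optional[str]:
    """Returns the canonical path if it stays under BASE_DIR, otherwise None."""
    # Decode exactly once. Decoding again later would turn %252e%252e back into '..'
    # and reopen the hole, so the check must run on the same form the filesystem sees.
    decoded = unquote(user_path)

    # A NUL byte can truncate the path inside C-backed filesystem calls.
    if "\x00" in decoded:
        return None

    # Treat backslash as a separator, as a Windows filesystem would.
    decoded = decoded.replace("\\", "/")

    full = posixpath.normpath(posixpath.join(BASE_DIR, decoded))

    # On a live system call os.path.realpath() here as well, so a symlink planted
    # inside BASE_DIR cannot point outside it. This example stays string-only so
    # it runs offline without the directory existing.
    if posixpath.commonpath([BASE_DIR, full]) != BASE_DIR:
        return None
    return full


def demo() -> None:
    """Shows the two functions side by side on constructed requests."""
    for req in ["reports/q3.pdf", "../../etc/passwd", "/etc/shadow",
                "..%2f..%2f..%2fetc/passwd", "..\\..\\etc\\passwd"]:
        print(f"{req!r:32} naive={vulnerable_lookup(req)!r:40} "
              f"hardened={safe_lookup(req)!r}")


if __name__ == "__main__":
    demo()
```

The prefix test is deliberately done with `commonpath` on the normalised result rather than a `startswith` on the raw string: `"/srv/app/files-old/x"` starts with `"/srv/app/files"` but is not under it, and `"/srv/app/files/../../etc/passwd"` starts with it too until normalisation collapses the dots.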

That May alert followed ConnectWise's February disclosure of CVE-2024-1708, a path traversal flaw in its ScreenConnect remote access software. Some researchers described it as "embarrassingly easy to exploit." Just weeks later, Cisco disclosed CVE-2024-20345, a path traversal bug in its AppDynamics Controller. Both flaws were used to compromise users of the vendors' software, including critical infrastructure operators in the health and public sectors, hence the CISA alert.

The latest to cause a stir is CVE-2024-8963, a path traversal bug affecting the end-of-life Ivanti Cloud Services Appliance (CSA) 4.6. It carries a critical severity rating of 9.4. 

The fix, which is out now and should be applied at the earliest possible opportunity, will be the last patch backported to this version, Ivanti said. CSA 5.0 is the earliest release that still receives ongoing security updates.

Ivanti explained that attackers can abuse the vulnerability to access restricted functionality, and if it's chained with a separate command injection flaw that was patched earlier this month (CVE-2024-8190, CVSS 7.2), then attackers could execute commands with admin privileges.

"We are aware of a limited number of customers who have been exploited by this vulnerability," Ivanti said.

For customers wanting to know how they can determine if they've been compromised, "Ivanti recommends reviewing the CSA for modified or newly added administrative users," the advisory reads.

"While inconsistent, some attempts may show up in the broker logs which are local to the system. We also recommend reviewing EDR alerts, if you have installed EDR or other security tools on your CSA. As this is an edge device, Ivanti strongly recommends using a layered approach to security and installing an EDR tool on the CSA."

Those who find signs of compromise are encouraged to rebuild the CSA with patch 519, or better yet, upgrade to version 5.0.

When CISA adds a vulnerability to the KEV catalog, it handily includes a section on whether the issue in question is known to be used in ransomware attacks. 

The current status for this is "unknown," although it's worth keeping an eye on if you have to delay the patch for whatever reason, as it may change now that the world knows of the vulnerability's existence.

Secure-by-design, slowly-but-surely

For some time now, CISA has consistently pressured IT vendors to commit to secure-by-design (SBD) development practices. 

Just this week, in fact, the agency's boss Jen Easterly highlighted the issue again. Speaking at Mandiant's mWise conference on Wednesday, she said that vendors' failings are still causing all the problems that allow attackers to thrive.

Ivanti's CEO Jeff Abbott told customers in April that his organization would be adopting an SBD approach to development following a tricky – to put it mildly – start to the year.

"We will use this opportunity to begin a new era at Ivanti," he said. "We have challenged ourselves to look critically at every phase of our processes, and every product, to ensure the highest level of protection for our customers.

"We have already begun applying learnings from recent incidents to make immediate improvements to our own engineering and security practices. And there is more to come."

When Abbott referred to "recent incidents," he was talking about the vulnerabilities in Connect Secure and Policy Secure that were widely exploited in January, including at CISA, which swiftly ordered all fed agencies to rip out their Ivanti kit. 

Drastic measures for dire situations, and all that.

Experts at Volexity said if the mitigation wasn't applied on the day it was released, there was a "reasonable chance" that an organization's VPN could be exploited.

In May, CISA launched its secure-by-design pledge at RSA, allowing vendors to make a public showing of their commitment to stamping out common weaknesses in products.

Announcing the pledge, Easterly hinted that a review of everyone's progress will take center stage at next year's RSA, so we'll know which vendors were serious about security for sure. 

The CISA director isn't afraid of calling it as it is, so we definitely wouldn't want to be a pledger that doesn't make meaningful progress when April comes around. ®
