Alert essentials:
Multiple vulnerabilities in Ivanti products have been patched, and the manufacturer is committed to improving product security.
No known exploits are in the wild, yet it is advised to patch vulnerable systems as soon as possible.
Detailed threat description:
Fixes for 11 critical and high vulnerabilities in various products were released on December 10th. The weaknesses vary in CVSS score, with an authentication bypass getting a perfect 10. CVE-2024-11639 allows a remote unauthenticated threat actor full access to the administrator web console of Ivanti Cloud Services Application (CSA) versions before 5.0.3.
With over 60 serious vulnerabilities reported since October 2024, Ivanti is reviewing internal operations for improvements. Along with the patch rollout, Ivanti has been analyzing internal processes to improve its line of security solutions.
Ivanti has taken a Secure by Design pledge and is committed to elevating the security of its products. Ivanti has intensified internal scanning, manual exploitation, and testing procedures and improved its disclosure process.
Additionally, Ivanti began releasing standard security patches on the second Tuesday of the month. Understanding secure software is fundamental; this scheduled release will allow the proper allocation of client resources and more timely deployment of product updates.
Widely utilized across government agencies, defense contractors, and large corporations, Ivanti tools are desirable targets for cybercriminals and nation-state actors.
While no exploitation of these flaws is known, it is highly recommended that version updates be applied to vulnerable devices as soon as possible.
Impacts on healthcare organizations:
Attackers often target unpatched systems to exploit known vulnerabilities, leading to breaches such as ransomware, data theft, or unauthorized access. Maintaining updated and secure systems minimizes risks and ensures uninterrupted care.
Organizations should implement a robust patch management policy and conduct regular vulnerability assessments.
Affected Products / Versions:
Ivanti Cloud Services Application
- Ivanti Cloud Services Application 5.0.2 and prior
Ivanti Desktop and Server Management (DSM)
- DSM version 2024.2
Ivanti Connect Secure and Policy Secure
- Ivanti Connect Secure 22.7R2.3 and prior
- Ivanti Policy Secure 22.7R1.1 and prior
Ivanti Sentry
- Ivanti Sentry 9.20.1 and prior, 10.0.1 and prior
Ivanti Patch SDK (also affecting Ivanti Endpoint Manager (EPM), Ivanti Security Controls, Ivanti Neurons Agent, Ivanti Neurons for Patch Management, and Ivanti Patch for Configuration Manager)
- Ivanti Endpoint Manager (EPM) 2024 September Security Update and prior, 2022 SU6 and prior
- Ivanti Security Controls (iSec) 2024.3.2 (9.6.9365.0) and prior
- Ivanti Configuration Manager 2024.3 (2.5.1058) and prior
- Ivanti Neurons for Patch Management 2024.3 (1.1.55.0) and prior
- Ivanti Neurons Agent Platform 2024.1 (9.6.771.) and prior
CVEs:
- Ivanti Cloud Services Application (CSA): CVE-2024-11639 (authentication bypass), CVE-2024-11772 (command injection), CVE-2024-11773 (SQL injection)
- Ivanti Desktop and Server Management (DSM): CVE-2024-7572 (insufficient permissions)
- Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS): CVE-2024-37377 (buffer overflow), CVE-2024-9844 (insufficient server-side controls), CVE-2024-37401 (out-of-bounds read), CVE-2024-11633 (argument injection), CVE-2024-11634 (command injection; not applicable to the 9.1Rx code)
- Ivanti Sentry: CVE-2024-8540 (insecure permissions)
- Ivanti Patch SDK: CVE-2024-10256 (insufficient permissions)
Recommendations
Engineering recommendations:
Cloud services administrators
- Customers running CSA 5.0.2 and prior should update to CSA 5.0.3
Ivanti Desktop and Server Management (DSM) administrators
- Customers should upgrade to DSM version 2024.3.5740 build
Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS)
- Upgrade to Ivanti Connect Secure 22.7R2.4
- Upgrade Ivanti Policy Secure to 22.7R1.2
- Ivanti will not be releasing a patch for the 9.1Rx line of code as it reaches the end of support on December 31st, 2024
Ivanti Sentry
- Upgrade to versions 9.20.2, 10.0.2, and 10.1.0
Ivanti Patch SDK
- If you are using any of the on-prem products in the Affected Products table of the advisory, upgrade to the specified resolved version(s) as soon as possible
- No action is needed if using a cloud product from this table; Cloud services have been updated as of October 15th, 2024
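A way to check an asset inventory against the affected ranges listed above. This is an added example, not a tool from Ivanti or from this advisory. The inventory layout, hostnames, the "(build N)" suffix and the sample versions are constructed assumptions, and DSM and the Patch SDK products are left out because their ranges are not simple "and prior" ceilings.

```python
import re

# Highest affected release per product, copied from the "Affected Products /
# Versions" list. Sentry has two maintained branches, hence two ceilings.
AFFECTED_MAX = {
    "Cloud Services Application": ["5.0.2"],
    "Connect Secure": ["22.7R2.3"],
    "Policy Secure": ["22.7R1.1"],
    "Sentry": ["9.20.1", "10.0.1"],
}

def parse(version):
    """'22.7R2.3 (build 1)' -> (22, 7, 2, 3); trailing build text is ignored."""
    m = re.match(r"\s*(\d+(?:[.R]\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(n) for n in re.findall(r"\d+", m.group(1)))

def is_affected(product, version):
    v = parse(version)
    ceilings = sorted(parse(c) for c in AFFECTED_MAX[product])
    # Compare against the ceiling of the same major branch when there is one;
    # anything older than every listed branch falls under "and prior".
    branch = [c for c in ceilings if c[0] == v[0]]
    return v <= branch[0] if branch else v < ceilings[0]

def triage(inventory):
    """Return the (host, product, version) rows that are in an affected range."""
    return [row for row in inventory
            if row[1] in AFFECTED_MAX and is_affected(row[1], row[2])]

# Constructed inventory for illustration; hostnames and builds are made up.
INVENTORY = [
    ("csa-01", "Cloud Services Application", "5.0.2"),
    ("csa-02", "Cloud Services Application", "5.0.3"),
    ("vpn-01", "Connect Secure", "22.7R2.3 (build 1)"),
    ("vpn-02", "Connect Secure", "22.7R2.4"),
    ("vpn-old", "Connect Secure", "9.1R18"),
    ("nac-01", "Policy Secure", "22.7R1.2"),
    ("sentry-01", "Sentry", "9.20.1"),
    ("sentry-02", "Sentry", "10.0.2"),
    ("sentry-03", "Sentry", "10.1.0"),
]

if __name__ == "__main__":
    for host, product, version in triage(INVENTORY):
        print(f"{host}: {product} {version} is in the affected range")
```

Hosts on the 9.1Rx line are reported as affected because they fall under "22.7R2.3 and prior"; per the recommendations above, no patch will be released for that line.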
Leadership/Program recommendations:
There is currently no known public exploitation of these vulnerabilities, so no list of indicators of compromise can be provided.
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Ivanti blog: https://www.ivanti.com/blog/december-security-update
- Ivanti Cloud Services Advisory: Security Advisory Ivanti Cloud Services Application (CSA) (CVE-2024-11639, CVE-2024-11772, CVE-2024-11773)
- Ivanti Connect Secure and Policy Secure advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Patch-SDK-CVE-2024-10256
- Ivanti Desktop and Server Management Advisory: Security Advisory Ivanti Desktop and Server Management (DSM) (CVE-2024-7572)
- Ivanti Patch SDK advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Patch-SDK-CVE-2024-10256
- Ivanti Sentry advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2024-8540