Path Traversal in Ivanti: CVE-2024-8963

Following the earlier Cloud Services Appliance (CSA) flaw CVE-2024-8190, Ivanti now has another vulnerability affecting the same product, CVE-2024-8963, which is currently being actively exploited. The newly identified flaw has been assigned a CVSS score of 9.4 out of 10.

According to Ivanti, it was “incidentally addressed” in CSA 4.6 Patch 519 and CSA 5.0. Ivanti also highlighted that this vulnerability can be used with CVE-2024-8190 as an exploit chain, enabling attackers to bypass admin authentication and execute arbitrary commands on the system.

In a bulletin released on 19th September 2024, the company explained that this path traversal vulnerability in versions of CSA prior to 4.6 Patch 519 allows unauthenticated remote attackers to access restricted functionality.

Ivanti has also warned that it is aware of a limited number of customers who have been exploited via this vulnerability, just days after revealing active attacks targeting CVE-2024-8190.

This suggests that threat actors are leveraging both vulnerabilities together to execute code on vulnerable devices.

What is CVE-2024-8190?

CVE-2024-8190 is an authenticated command injection vulnerability, which means that attackers first need access to the appliance's admin login page. For this reason the flaw is rated only high severity rather than critical, with a CVSS score of 7.2 out of 10. However, researchers have noted that in certain cases this prerequisite may not pose a significant challenge.

Ivanti has clarified in its security advisory that successful exploitation could result in unauthorised access to the device running CSA. Systems configured with a dual-homed CSA setup, where the eth0 interface is used for the internal network as recommended by Ivanti, are at a much lower risk of being compromised.

Unfortunately, not all users follow these best practices.

Zach Hanley from Horizon3.ai pointed out that users who mistakenly swap the network interfaces, or who configure only one interface, might inadvertently expose the console to the internet. While users are required to change the default admin credentials (admin:admin) on first login, weak passwords remain a risk, especially given the absence of rate limiting on login attempts.

Hanley further speculated that many of the users who were exploited either never logged into the appliance or may have been using weak passwords, making them more susceptible to brute force attacks due to the lack of rate limiting.

For organisations seeking to detect signs of compromise, Zach Hanley outlined some important indicators of the exploit. Failed login attempts, recorded as "User admin does not authenticate" messages in the /var/log/messages file, could be a sign of attempted or successful exploitation. If a compromise is successful, log entries showing a 200 response code may follow, signalling that the attacker has bypassed authentication and gained access.
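As an added, defender-side example that is not part of the original post or of Ivanti's tooling, the following Python script applies Hanley's two indicators to constructed sample /var/log/messages lines: it counts "User admin does not authenticate" failures per source and flags a source whose run of failures is followed by a 200. The syslog layout, the "from <address>" suffix and the success line are assumptions, since the post gives only the failure message text.

```python
import re
from collections import Counter

# Constructed sample lines in a generic syslog shape. Only the failure message
# text comes from the write-up; the field layout, the "from <addr>" suffix and
# the "response 200" line are assumptions.
SAMPLE_LOG = """\
Sep 20 10:01:02 csa broker: User admin does not authenticate from 203.0.113.10
Sep 20 10:01:02 csa broker: User admin does not authenticate from 203.0.113.10
Sep 20 10:01:03 csa broker: User admin does not authenticate from 203.0.113.10
Sep 20 10:01:04 csa broker: User admin does not authenticate from 203.0.113.10
Sep 20 10:01:05 csa broker: User admin does not authenticate from 203.0.113.10
Sep 20 10:01:06 csa broker: admin login from 203.0.113.10 response 200
Sep 20 10:30:00 csa broker: User admin does not authenticate from 198.51.100.7
Sep 20 10:45:00 csa broker: admin login from 198.51.100.7 response 200
"""

FAIL_RE = re.compile(r"User admin does not authenticate from (?P<src>\S+)")
OK_RE = re.compile(r"admin login from (?P<src>\S+) response 200")


def triage(log_text, threshold=5):
    """Return (failures_per_source, suspicious_sources).

    A source is suspicious once it has `threshold` failed admin logins and then
    gets a 200: with no rate limiting on the login page that is the brute-force-
    then-success sequence described above, and the 200 marks the point where the
    authenticated command injection (CVE-2024-8190) becomes usable.
    """
    failures = Counter()
    suspicious = []
    for line in log_text.splitlines():
        fail = FAIL_RE.search(line)
        if fail:
            failures[fail["src"]] += 1
            continue
        ok = OK_RE.search(line)
        if ok and failures[ok["src"]] >= threshold and ok["src"] not in suspicious:
            suspicious.append(ok["src"])
    return failures, suspicious


def brute_force_sources(failures, threshold=5):
    """Sources over the failure threshold, successful or not; worth a look either way."""
    return sorted(src for src, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    fails, hits = triage(SAMPLE_LOG)
    print("brute-force candidates:", brute_force_sources(fails), "| likely bypass:", hits)
```

A single failure followed by a 200 (the second source above) is an ordinary mistyped password and is deliberately not flagged; tune `threshold` to the appliance's normal admin activity.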

CVE-2024-8963 Mitigation Method

In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies apply the necessary patches by October 10, 2024.

With CSA 4.6 reaching End-of-Life, transitioning to version 5.0 is critical to avoid potential risks. Along with upgrading, Ivanti advises users to review the CSA for any new or modified administrative accounts. Although not consistently present, signs of suspicious activity may be visible in the broker logs, which are stored locally.

Users running Endpoint Detection and Response (EDR) or other security solutions should closely monitor alerts. Since CSA functions as an edge device, Ivanti recommends a layered security approach, including deploying EDR tools on the CSA itself for added protection.

For detailed information about the vulnerability and guidance on updates, refer to Ivanti's official advisory.

Author: w0rmhol3

Posted on: 2024-10-02

Updated on: 2024-10-04