Security News Ivanti warns of critical vulnerability in its Endpoint Protection software

[upnorth]

Content source

https://arstechnica.com/security/2024/01/ivanti-warns-of-critical-vulnerability-in-its-popular-line-of-endpoint-protection-software/

Software maker Ivanti is urging users of its end-point security product to patch a critical vulnerability that makes it possible for unauthenticated attackers to execute malicious code inside affected networks.

The vulnerability, in a class known as a SQL injection, resides in all supported versions of the Ivanti Endpoint Manager. Also known as the Ivanti EPM, the software runs on a variety of platforms, including Windows, macOS, Linux, Chrome OS, and Internet of Things devices such as routers. SQL injection vulnerabilities stem from faulty code that interprets user input as database commands or, in more technical terms, from concatenating data with SQL code without quoting the data in accordance with the SQL syntax. CVE-2023-39336, as the Ivanti vulnerability is tracked, carries a severity rating of 9.6 out of a possible 10.

“If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication,” Ivanti officials wrote Friday in a post announcing the patch availability. “This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server.” RCE is short for remote code execution, or the ability for off-premises attackers to run code of their choice. Currently, there’s no known evidence the vulnerability is under active exploitation.

Ivanti warns of critical vulnerability in its popular line of endpoint protection software

Customers of the Ivanti Endpoint Protection Manager should patch or mitigate ASAP.

arstechnica.com

 

[vtqhtr413]

The recently discovered Ivanti Connect Secure zero-day vulnerabilities could impact thousands of systems and the threat actors caught exploiting them appear to have been preparing for the release of patches. Threat intelligence and incident response firm Volexity warned on January 10 that it had seen threat actors likely connected to China — tracked by the company as UTA0178 — exploiting two previously unknown vulnerabilities in Ivanti Connect Secure (ICS) VPN devices to gain access to internal networks, with the goal of stealing valuable data.

According to Volexity and Ivanti, the attackers exploited an authentication bypass flaw tracked as CVE-2023-46805 and a command injection issue identified as CVE-2024-21887. Chaining the two security holes enables a remote, unauthenticated attacker to execute arbitrary commands on appliances. Ivanti rushed to come up with mitigations against exploitation of the zero-days, but patches are only expected to become available in the week of January 22. The vendor noted that Connect Secure was formerly known as Pulse Connect Secure and Ivanti Policy Secure.

Malware Used in Ivanti Zero-Day Attacks Shows Hackers Preparing for Patch Rollout

Ivanti zero-day vulnerabilities dubbed ConnectAround could impact thousands of systems and cyberspies are preparing for patch release.

www.securityweek.com

 

[vtqhtr413]

Ivanti warned admins to stop pushing new device configurations to appliances after applying mitigations because this will leave them vulnerable to ongoing attacks exploiting two zero-day vulnerabilities. While the company didn't provide additional details, it said that this is caused by a known race condition when pushing configurations that causes a web service to stop and the applied mitigation to stop working.

"Customers should stop pushing configurations to appliances with the XML in place, and not resume pushing configurations until the appliance is patched," Ivanti said in a new update published on Saturday.

"When the configuration is pushed to the appliance, it stops some key web services from functioning, and stops the mitigation from functioning. This only applies to customers who push configurations to appliances, including configuration pushes through Pulse One or nSA. This can occur regardless of a full or partial configuration push."

Ivanti: VPN appliances vulnerable if pushing configs after mitigation

Ivanti warned admins to stop pushing new device configurations to appliances after applying mitigations because this will leave them vulnerable to ongoing attacks exploiting two zero-day vulnerabilities.

www.bleepingcomputer.com

 

[MuzzMelbourne]

Mass exploitation of Ivanti VPNs is infecting networks around the globe​

Mass exploitation of Ivanti VPNs is infecting networks around the globe

Orgs that haven't acted yet should, even if it means suspending VPN services.

arstechnica.com

 

[vtqhtr413]

CISA orders federal agencies to disconnect Ivanti VPN appliances by Saturday

CISA has ordered U.S. federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances vulnerable to multiple actively exploited bugs before Saturday.

www.bleepingcomputer.com

CISA has ordered U.S. federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances vulnerable to multiple actively exploited bugs before Saturday.

This required action is part of a supplemental direction to this year's first emergency directive (ED 24-01) issued last week that mandates Federal Civilian Executive Branch (FCEB) agencies to urgently secure all ICS and IPS devices on their network against two zero-day flaws in response to extensive exploitation in the wild by multiple threat actors.

Ivanti appliances are currently targeted in attacks chaining the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection security flaws since December as zero-days.